10-19-2005 12:20 AM - edited 02-21-2020 02:03 PM
Hi,
I am trying to deploy VPN for my remote users, and for security reasons I want to use certificates.
- I have a Windows 2003 server as the CA server.
- I am using VPN client 4.7xxxxx and the Windows default certificate store to store certificates (no third-party tools).
Note: (I searched Google and Cisco many times, but I always got examples for Windows 2000 CA with third-party software at the client side) and finally I am here with hope...
Problems:
1. I am not able to configure autoenrollment of certificates from the CA on the PIX, so I install those manually.
Can anyone tell me how to enroll them automatically and what type of certificate is needed at the PIX side (like CA, Administrator, Webserver, Encryption, etc.)?
2. I installed a few certificates at the client side and one worked, but it is giving me some FQDN mismatch errors ("Invalid remote certificate id: ID_FQDN: ID = " in logs at the client side). To solve that I tried all three methods, i.e. (FQDN=None, FQDN=Device ID, FQDN=Manually Defined), but got the same result.
Can anyone suggest what I should do?
Thanks in advance.
10-25-2005 06:27 AM
I have a PIX that is running 6.3.3 and I have enrolled with CA manually. Once the PIX has got the certificate from the CA, the PIX can use it until it expires. Does auto-enrollment mean that the PIX automatically renews the certificate from the CA before the certificate expires? I have not seen any option on 6.3.3 to configure this. Anyone implemented this on 7.0?
10-27-2005 09:34 AM
Go to technet.microsoft.com and search on "scep pix certificate".
There's a good article on auto enroll using the SCEP module with PIX 6.3. You'll have to adapt the instructions for PIX 7.0. Good luck!