PKI Default Settings Configuration in NSM Overview
You can configure
default PKI settings for each security device to define how that device
handles certificates. When configuring a VPN that includes the device,
you can use these default settings.
In the device configuration tree, select VPN Settings > Defaults > PKI Settings to display the
default PKI settings. First, configure the source interface for PKI
traffic: the source interface is the interface on the device that
sends the certificate request to the CA. This topic includes the following sections:
Configuring X509 Certificates
Configure the following X509 certificate settings:
- Email Destination for the PKCS#10 File—Provide the
e-mail address that receives the PKCS#10 file, which defines the syntax
for certification requests.
- Select raw common name—Select this option to use
only one CN field in the certificate DN in the SCEP certificate request.
Some certificate authorities support a single CN field in the certificate
DN when responding to a SCEP request. When this option is enabled, the CN field
contains the certificate name value when you set the DN.
Configuring Revocation
Revocation settings define how and when certificates
are revoked. You might want to revoke a certificate that you suspect
has been compromised, or when a certificate holder leaves the company.
You can revoke a certificate manually, or use a certificate revocation
list (CRL) or the Online Certificate Status Protocol (OCSP) to automatically
check for revoked certificates. Table 1 describes
the revocation settings.
Table 1: Revocation Settings

Revocation Setting: X.509 Certificate Path Validation Level
Your Action: X.509 contains a specification for a certificate that binds an
entity's distinguished name to its public key through the use of a
digital signature.
- Full—Use full validation to validate the certificate path back to the root.
- Partial—Use partial validation to validate the certificate path only part of the way to the root.

Revocation Setting: Revocation Check
Your Action: Select or clear revocation checking for certificates:
- Check for revocation—Select this option to enable revocation checking.
- Do not check for revocation—Select this option to disable revocation checking.

Revocation Setting: Revocation Checking Method
Your Action: Select the checking method to use if you enabled revocation
checking. If you did not enable revocation checking, these fields
are unavailable.
- CRL—Enables you to keep a local copy of the revoked certificates on the managed device.
This method enables you to check for revoked certificates quickly.
- OCSP—Enables the device to access a remote OCSP server to check for revoked certificates.
Because the OCSP server dynamically updates its list of revoked certificates, this method
provides the most up-to-date information.

Revocation Setting: Best Effort
Your Action: Select this option to check for revocation and accept the certificate
if no revocation information is found.

Revocation Setting: CRL Settings
Your Action: Configure the default settings for the certificate revocation list.
- URL address—Provide the URL of your internal LDAP server that provides the CRL.
- LDAP server—Provide the IP address of the external LDAP server that manages the CRL.
- Refresh Frequency—Select how often the device contacts the CA to obtain a new CRL:
Daily, Weekly, or Monthly.

Revocation Setting: OCSP
Your Action: Enable to dynamically check for revoked certificates.
- Certificate Verification—Select the CA certificate used to verify the signature
on the OCSP response.
- No revoke status check for CA delegated signing cert—Select this option if you do not
want the original CA certificate to verify the validity of the CA-delegated OCSP signing
certificate. When enabled, the validity of the OCSP signing certificate is verified by the
original CA certificate.
- URL of OCSP Responder—Provide the URL of the OCSP server.
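The path-validation, revocation-check and Best Effort choices in Table 1 map closely onto options of the openssl verify command, which makes it easy to see what each setting accepts or rejects before committing it to a device. The script below is an added example and is not NSM's own code or anything from the product documentation. It assumes an openssl binary (1.1.1 or later) on the PATH and builds, in a temporary directory, a constructed root CA, an issuing CA and a leaf certificate for a hypothetical VPN device; it then revokes the leaf and publishes a CRL from the issuing CA. All file names, the config sections and the verify_* function names are this example's own.

```shell
#!/bin/sh
# Added example (not NSM code): exercise the Table 1 settings with the openssl
# CLI. Everything is constructed in a temporary directory: a root CA, an
# issuing (intermediate) CA, and a leaf certificate for a hypothetical VPN
# device. Assumes openssl 1.1.1 or later is on the PATH.
set -e
WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# One config file serves "openssl req" and "openssl ca"; the latter keeps the
# issuing CA's database and CRL number (the issuing CA publishes the CRL).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/inter.pem
private_key = $dir/inter.key
default_md = sha256
default_crl_days = 1
default_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
mkdir newcerts
: > index.txt
echo "unique_subject = no" > index.txt.attr
echo 1000 > serial
echo 1000 > crlnumber
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf

# Root CA (self-signed) -> issuing CA -> leaf certificate for the device.
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca_ext.cnf -out root.pem 2>/dev/null
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 1 -days 2 \
  -extfile ca_ext.cnf -out inter.pem 2>/dev/null
openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=vpn-device.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 4097 -days 1 \
  -out leaf.pem 2>/dev/null

# "Full" path validation: the chain must reach a trusted root.
verify_full() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}
# "Partial" path validation: trusting the issuing CA directly is enough.
verify_partial() {
  openssl verify -partial_chain -CAfile inter.pem leaf.pem >/dev/null 2>&1
}
# Same trust store as verify_partial, but full validation: fails, no root present.
verify_full_without_root() {
  openssl verify -CAfile inter.pem leaf.pem >/dev/null 2>&1
}
# "Check for revocation" with the CRL method: the leaf is checked against its issuer's CRL ($1).
verify_with_crl() {
  openssl verify -crl_check -CRLfile "$1" -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}
# "Best Effort": run the CRL check, but accept the certificate if the only
# problem is that no CRL could be found. $1 is an optional CRL file.
verify_best_effort() {
  if [ -n "$1" ]; then set -- -CRLfile "$1"; else set --; fi
  if out=$(openssl verify -crl_check "$@" -CAfile root.pem -untrusted inter.pem leaf.pem 2>&1); then
    return 0
  fi
  case "$out" in
    *"unable to get certificate CRL"*) return 0 ;;   # no revocation info: soft-fail
    *) return 1 ;;                                   # revoked or otherwise invalid
  esac
}

# Revoke the leaf and publish a CRL from the issuing CA. A device's Refresh
# Frequency decides how long it keeps using an older copy of this file.
openssl ca -config demo.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config demo.cnf -gencrl -out crl.pem >/dev/null 2>&1

report() { if "$@"; then echo "$*: accepted"; else echo "$*: rejected"; fi; }
report verify_full                 # accepted: no revocation check at all
report verify_partial              # accepted
report verify_full_without_root    # rejected
report verify_with_crl crl.pem     # rejected: certificate revoked
report verify_best_effort ""       # accepted: CRL missing, best effort soft-fails
report verify_best_effort crl.pem  # rejected
```

Note what verify_best_effort does when no CRL is supplied: the leaf has already been revoked, yet it is accepted because the only error was a missing CRL. That is precisely the trade-off the Best Effort option describes, so when it is enabled the Refresh Frequency and a reachable CRL source or OCSP responder matter more, not less.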
Configuring Simple Certificate Enrollment Protocol
Alternatively, you can use Simple Certificate Enrollment
Protocol (SCEP) to get a local certificate automatically. To enable
SCEP for a managed device, configure the default PKI settings
for SCEP as described in Table 2.
Table 2: Simple Certificate Enrollment Protocol

PKI Setting: CA CGI
Your Action: Enter the URL of the certificate authority certificate generation information.

PKI Setting: RA CGI
Your Action: Enter the URL of the registration authority certificate generation
information that the security device contacts to request a CA certificate.

PKI Setting: CA IDENT
Your Action: Enter the name of the certificate authority to confirm certificate ownership.

PKI Setting: Challenge
Your Action: Enter the challenge word(s) sent to you by the CA that confirm
the security device's identity to the CA.

PKI Setting: CA Certificate Authentication
Your Action: Configure the default method for obtaining CA certificates:
- Auto—Select this option for CA certificates retrieved through SCEP.
- Manual—Select this option for CA certificates retrieved manually.

PKI Setting: Polling Interval
Your Action: NSM searches the list of pending certificates based on this
setting and records the time due for the first pending certificate.
This process repeats 48 times; after that, pending certificates
can be polled only manually. When polling succeeds, NSM removes the
pending certificate from the pending certificate list and schedules
no new polling.
- Poll—When enabled, you can configure the number of minutes between polls.
- Do not poll—Use this option to disable automatic polling.
Published: 2009-08-20