Index

Numerics

802.1X, 204-206

A

AAA, configuring, 51-53

ACS, configuring, 188-195

AnyConnect

on SSL VPNs, 178-183

troubleshooting, 183-185

any-to-any technologies, 240

applications, UC, 201-207

ASA

IPSec VPN, configuring, 218-233

IPSec VPN, deploying, 156-163

TLS phone proxy feature, 206-207

ASN.1, 20-21

asymmetric encryption, 5-6

digital signatures, 7-8

authentication, 5

AAA, 51-53

example, 76-91

IKE with preshared authentication, 110

SSL VPNs, configuring, 177-183

authenticity, 3

authorization, AAA, 51-53

auto-enrollment, 44-45

B

best practices

GETVPN deployment, 135-153

for PKI deployment, 110-135

C

CA (Certification Authority), 22-24

private, 23

public, 23-24

sub-CAs, 24-25

subordinate CAs, configuring, 99

CAPF (Certificate Authority Proxy Function), 198, 200

certificates, 15-22

auto-enrollment, 44-45

CA, 22-24

sub-CAs, 24-25

chaining, 99, 104-107

devices as recipient, 28

enrollment process, 37-44, 63-75

on Cisco VPN client, 164-165

manual enrollment, 38-43

SCEP-based enrollment, 43-44

extensions, 19

fields, 18-19

import process, troubleshooting, 65-71

local certificates, 198

LSC, 198

MIC, 197-198

PEM format, 20

revoking, 47-50

rollover, 45-46

router configuration, 12-13

shadow certificates, 45

storing

Cisco IOS, 29-33

Linux, 29

Mac OS, 29

Microsoft Windows, 28-29

smartcards, 34-35

structure, 16

verifying, 46-53

CRLs, 47-50

viewing, 17-18

chaining certificates, 99

hierarchical enterprise architecture, 104-107

Cisco ASA, viewing certificate information, 32-33

Cisco IOS

certificates

information, viewing, 30-33

storing, 29-33

enrollment process versus enrollment on Cisco ASA, 160

Cisco VPN client, enrollment process, 164-165

commands

crypto key command, 12-13

show crypto pki timers command, 74

confidentiality, 2

configuring

AAA, 51-53

ACS, 188-195

DMVPN

hub-and-spoke deployment model, 117-124

spoke-to-spoke deployment model, 124-130

external FTP servers, 54

GETVPN, dual key server deployment, 135-138

IPSec VPN on Cisco ASA, 218-233

NTP, 66-67

OCSP, 50-51

PKI for CVO, 212-215

SSL VPNs, certificate authentication, 177-183

sub-CAs, 99

creating

CSR, 69-71

CVO in SOHO environment, 211

digital signatures, 7-8

trust, 198-199

CRLs (certificate revocation lists), 47-50

crypto key command, 12-13

cryptography, 1

digital signatures, 7-8

hashes, 6-7

CSM (Cisco Security Manager)

ASA, configuring IPSec VPNs, 218-233

DMVPN, deploying, 234-240

GETVPN, deploying, 240-245

CSR (Certificate Signing Request), creating, 69-71

CTL (Certificates Trusted List) file, 198

CVO (Cisco Virtual Office), 209-211

PKI configuration, 212-215

D

deploying

DMVPN with CSM, 234-240

GETVPN with CSM, 240-245

IPSec VPN on Cisco ASA, 156-163

PKI, best practices, 110-135

DER (Distinguished Encoding Rules), 20

DES, 4

devices

as certificate recipient, 28

enrollment process, 73-75

digital signatures, 7-8

verifying, 8

displaying

certificate content, 63-64

installed certificates, 72-73

DMVPN

deploying with CSM, 234-240

deployment models, 112-114

hub-and-spoke deployment model, 117-124

migrating to digital certificates, 130-135

spoke-to-spoke deployment model, 124-130

dual key server deployment (GETVPN), 135-138

E

EAP-TLS, 188-195, 204-206

Easy VPN, 156, 218

Cisco VPN client, 163-177

encryption, 1, 5-6

asymmetric encryption, 5-6

digital signatures, 7-8

symmetric encryption, 3-4

DES, 4

endpoints, 27-28

enrollment process, 37-44, 63-75

on Cisco VPN client, 164-165

comparing Cisco IOS and Cisco ASA, 160

CSR, creating, 69-71

devices, 73-75

IP phones, 201

manual enrollment, 38-43

RAs, 26

SCEP-based enrollment, 43-44, 69-71

enterprise architecture

flat architecture, 98

hierarchical enterprise architecture, 98-102

with chaining, 104-107

without chaining, 102-105

examples, certificate use and validation, 76-91

expiration (certificates), 44-46

exportable key pairs, 59-60

exporting key pairs, 22

extensions of certificates, 19

external FTP servers, configuring, 54

F

fields of certificates, 18-19

flat enterprise architecture, 98

flow charts, troubleshooting process, 92-94

FTP servers, configuring, 54

G

GETVPN, 135-136

deploying with CSM, 240-245

deployment models, dual key server deployment, 135-138

PKI integration, 138-145

troubleshooting, 146-153

grant auto, 45

H

hashes, 6-7

hierarchical enterprise architecture, 98-102

with chaining, 104-107

without chaining, 102-105

hierarchical PKIs, 24-26

hub-and-spoke deployment model, 117-124

hub-and-spoke deployment model (DMVPN), 112-114

I

identity-based networking, 802.1X, 187-188

IKE (Internet Key Exchange), 8-12

Phase 1, 9-10

Phase 2, 12

preshared authentication, 110

VPNs, 109-110

importing key pairs, 60-63

installed certificates, displaying, 72-73

installing certificates on IP phones, 200-201

integrating GETVPN with PKI, 138-145

integrity, 2

IP phones

certificates, installing, 200-201

configuration files, securing, 201-207

IPSec VPN, 155-163

configuring on Cisco ASA, 218-233

K

key pairs

exportable, 59-60

exporting, 22

importing, 60-63

labels, 58-59

key sizes, 57-58

L

labels, 58-59

Linux, certificate storage, 29

local certificates, 198

LSC (Locally Significant Certificate), 198

M

Mac OS, certificate storage, 29

manual enrollment process, 38-43

MIC (Manufacturer Installed Certificate), 197-198

Microsoft Windows

ACS, configuring, 188-195

certificate storage, 28-29

migrating DMVPN to digital certificates, 130-135

N

nonrepudiation, 3

NTP, configuring, 66-67

O

OCSP (Online Certificate Status Protocol), configuring, 50-51

OpenSSL, 63

certificates, viewing, 17-18

P

PEM (Privacy Enhanced Mail), 20

Phase 1 (IKE), 9-10

Phase 2 (IKE), 12

preshared authentication, IKE, 110

private CAs, 23

public CAs, 23-24

R

RAs (Registration Authorities), 26-27

recipients of certificates, devices versus users, 28

remote access

Easy VPN, 218

IPSec VPN, 155-163

VPNs, IKE, 109-110

renewing certificates, 44-46

resiliency, 53-54

revoking certificates, 47-50

rollover, 45-46

RSA algorithm, 6

S

SA (Security Association), 109-110

scenarios, certificate use and validation, 76-91

SCEP (Simple Certificate Enrollment Protocol), 69-71

enrollment process, 43-44

security, endpoints, 27-28

shadow certificates, 45

show crypto pki timers command, 74

signatures, construction, 7-8

smartcards, certificate storage, 34-35

SOHO environment

creating CVO, 211

spoke-to-spoke deployment model (DMVPN), 112-114, 124-130

SRTP (Secure Real Time Protocol), 201-202

SSL VPNs

AnyConnect, 178-183

troubleshooting, 183-185

certificate authentication, configuring, 177-183

standards, 35-36

X.509v3 standard, 19

storing certificates

Cisco IOS, 29-33

Linux, 29

Mac OS, 29

Microsoft Windows, 28-29

smartcards, 34-35

structure of certificates, 16

sub-CAs, 24-25

configuring, 99

symmetric encryption, 3-4

DES, 4

T

TLS phone proxy feature (ASA), 206-207

troubleshooting

AnyConnect, 183-185

certificates, import process, 65-71

flow charts, 92-94

GETVPN deployment, 146-153

key pairs, import process, 60-63

trust, creating, 198-199

U

UC (Unified Communications), 197-199

802.1X, 204-206

ASA TLS phone proxy, 206-207

CAPF, 200

certificates, IP phone installation, 200-201

IP phones, securing configuration files, 201-207

local certificates, 198

MIC, 197-198

SRTP, 201-202

trust, creating, 198-199

V

validating certificates, example, 76-91

verifying

certificates, 46-53

CRLs, 47-50

digital signatures, 8

viewing

certificate information

on Cisco ASA, 32-33

on Cisco IOS, 30-33

certificates, 17-18, 63-64

VPNs

DMVPN

hub-and-spoke deployment model, 117-124

migrating to digital certificates, 130-135

spoke-to-spoke deployment model, 124-130

Easy VPN, 156

Cisco VPN client, 163-177

GETVPN, 135-136

dual key server deployment, 135-138

troubleshooting, 146-153

IKE, 109-110

IPSec VPN, 155-163

configuring on Cisco ASA, 218-233

deploying on Cisco ASA, 156-163

PKI integration, 115-116

SSL VPNs

AnyConnect, 178-183

certificate authentication, configuring, 177-183

X

X.509v3 standard, 19-22
