For certificate authentication, perform the following procedure, which varies according to the type of certificate you are using:
If the field says No Certificates Installed and is shaded, then you must first enroll for a certificate before you can use this feature. For information on enrolling for a certificate, see "Enrolling and Managing Certificates" or consult your network administrator.
To send CA certificate chains, click Send CA Certificate Chain. This parameter is disabled by default.
The CA certificate chain includes all CA certificates in the hierarchy of certificates from the root certificate, which must be installed on the VPN Client, to the identity certificate. This feature enables the peer VPN Concentrator to trust the VPN Client's identity certificate given the same root certificate, without having all the same subordinate CA certificates actually installed.
Example 2-1 CA Certificate Chains
On the VPN Client, you have this chain in the certificate hierarchy:
On the VPN Concentrator, you have this chain in the certificate hierarchy:
Though the identity certificates are issued by different CAs, the VPN Concentrator can still trust the VPN Client's identity certificate, since it has received the chain of certificates installed on the VPN Client PC.
This feature provides flexibility since the intermediate CA certificates don't need to be actually installed on the peer.
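The chain behaviour described above, reproduced as an added example (not from the Cisco document) with the openssl command-line tool. The names "Demo Root CA", "Demo Intermediate CA" and "vpn-client-1" are constructed, and the -untrusted option of openssl verify plays the role of the CA certificate chain the VPN Client sends: the peer trusts only the root, and the identity certificate validates only when the intermediate travels with it.

```shell
# Added example: build a constructed root -> intermediate -> identity hierarchy,
# then verify the identity cert from the point of view of a peer that has ONLY
# the root installed, once without and once with the intermediate supplied.
set -e
WORK=$(mktemp -d)

# Extensions marking a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

issue_csr() {  # $1 = file stem, $2 = subject CN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
  issue_csr root "Demo Root CA"
  # Root: self-signed with CA extensions; this is the only cert the peer trusts.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  issue_csr inter "Demo Intermediate CA"
  # Intermediate: issued by the root, itself a CA.
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 2 -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null
  issue_csr id "vpn-client-1"
  # Identity certificate: issued by the intermediate, not directly by the root.
  openssl x509 -req -in "$WORK/id.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -days 2 \
    -out "$WORK/id.pem" 2>/dev/null
}

# Peer holds only the root and receives the identity cert by itself.
verify_without_chain() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/id.pem" >/dev/null 2>&1 \
    && echo ok || echo fail
}

# Peer holds only the root but also receives the intermediate (the chain the
# client sends); -untrusted means it is used for path building, not trusted.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/id.pem" >/dev/null 2>&1 && echo ok || echo fail
}

build_chain
echo "identity cert alone:      $(verify_without_chain)"   # fail
echo "identity cert + CA chain: $(verify_with_chain)"      # ok
```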
Note: Certificate chains are not supported for Entrust Entelligence. Therefore, the Send CA Certificate Chain checkbox on the Authentication tab is unchecked and disabled when you select Entelligence Certificate.
Optionally, you can verify that the certificate you are using is still valid, using the following procedure:
Select the certificate in the list of certificates underneath the Certificates tab.
Display the Certificates menu or right click on the certificate name, and choose Verify.
The VPN Client displays a message to let you know whether the certificate is valid.
If you have an Entrust Entelligence certificate enrolled, the menu includes the entry "Entelligence Certificate (Entrust)." An Entrust Entelligence certificate is stored in a Profile, which you obtain when you log in to Entrust Entelligence.
Choose Entelligence Certificate (Entrust) from the menu.
For more information about connecting with Entrust Entelligence, see "Connecting with an Entrust Certificate."
If you are using a smart card or electronic token to authenticate a connection, create a connection entry that defines the certificate provided by the smart card. For example, if you are using ActivCard Gold, an accompanying certificate is in the Microsoft Certificate Store. When you create a new connection entry for using the smart card, choose that certificate.
The VPN Client supports authentication with digital certificates through a smart card or an electronic token. There are several vendors that provide smart cards and tokens, including the following:
The VPN Client works only with smart cards and tokens that support CRYPT_NOHASHOID.
Copyright © 1998-2004, Cisco Systems, Inc. All rights reserved.