Thanks a lot, dalini,
I will do it according to your guidelines as soon as possible.
Furthermore, can you send the link to your guide when you publish it?
greetings
Matteo
----- Original Message -----
From: dalini <[EMAIL PROTECTED]>
Date: Saturday, March 20, 2004 2:15 pm
Subject: Re: [Openca-Users] Openca 0.9.2rc3 & PIX
> [EMAIL PROTECTED] wrote:
>
> > Hi all,
> > is there a step-by-step guide to realize enrollment between PIX 6.2 and
> > OpenCA 0.9.2rc3?
> > Thanks to all
>
> not that detailed - in the documentation there are all the necessary steps
> the pix setup you take from the cisco documentation
>
> but i will provide a step by step guide around next week
> for setting up a cisco based environment with openca
>
> based on pix 6.3 (but it's the same steps for older software versions
> and the cisco vpn client for windows)
>
> but in short - very basic:
> - install openca (like it fits your needs)
> have a look into openca-documentation how to do this ;o)
> - during initialisation steps of the ca just generate one more
> ra-certificate (role should be web-server)
> - this one you have to put somewhere inside the ra-file-space
> and set the paths (including filename of key and cert) at the
> scep section in .../etc/config.xml
>
> but actually this should be also mentioned at the openca-documentation
> how to setup scep...
>
> at the pix side you have to set as type ra not ca:
> then authenticate and then start the enrollment
> example: ca conf test ra 3 10
>
> after the enrollment you will find a normal request at the ra
> you just process through your pki system...
>
> when the final certificate is published at the ra, the pix will fetch it
> automatically if it's inside the specified timeout (example above 30min)
> before a client can connect you have to fetch the crl or for testing
> purposes you can give the "crloptional" parameter at the "ca conf"
> command (for details see cisco documentation, also how to fetch a crl
> manually)
>
> if you enroll with ipaddress or serialnumber you have to provide it
> in the subject alternative name as dns or ip and at the dn as requested
> (unstructuredAddress for example), openca supports the required
> certificate fields...
>
> for the client-certificates you have to keep in mind, to setup the
> vpn-group names at the pix corresponding to an existing "ou" inside the
> certificates
>
> so if you have a vpn-group named test - there must! be an ou field
> inside the client certificate which has a value of "test" otherwise the
> pix will not find any matching configuration and your client will not be
> able to establish a vpn-connection to the pix as vpn-gateway
>
> at the pix you usually see then something like - it could not give an
> internal ip to the client, therefore kills the connection, since no
> matching vpn-group is found...
>
> so phase 1 will work (verification of certificates), but phase 2 will
> usually die because of this common pitfall (but it's mentioned in the pix
> documentation, but one can easily overread this ;o) and the error
> description is a bit irritating...
>
> hope this helps for the moment
>
>
> greetings
> dalini
>
>
> _______________________________________________
> Openca-Users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/openca-users
>
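The vpn-group/OU pitfall dalini describes, as an added example that is not part of this thread and not OpenCA or Cisco code: the PIX only maps a VPN client to a vpngroup whose name equals an OU value in the client certificate's subject, so an RA operator can catch mismatches before handing certificates out by checking the issued subject DNs against the vpngroup names configured on the PIX. The DN parser below accepts both RFC 2253 style ("CN=a,OU=b", with "+" for multi-valued RDNs) and OpenSSL one-line style ("/CN=a/OU=b"); the sample vpngroup names and subject DNs are constructed, the match is assumed to be exact (the thread only says the OU value must equal the vpngroup name), and the last helper encodes my reading of the `ca conf test ra 3 10` example as "poll every 3 minutes, 10 times", which is how 30 minutes comes out.

```python
"""Pre-flight check: does every issued client certificate carry an OU that
names a vpngroup configured on the PIX?  (Added example, not from the thread.)"""

# Constructed sample data: vpngroup names on the PIX and subject DNs of
# certificates the RA has issued.  Purely illustrative.
VPNGROUPS = ["test", "sales"]
ISSUED_SUBJECTS = [
    "CN=alice,OU=test,O=Example Corp,C=IT",
    "/C=IT/O=Example Corp/OU=sales/CN=bob",
    "CN=carol,OU=Sales,O=Example Corp,C=IT",                    # OU differs in case
    "CN=dave,O=Example Corp,C=IT",                              # no OU at all
    "CN=Smith\\, John,OU=engineering+OU=test,O=Example Corp",   # escaped comma, multi-valued RDN
]


def parse_dn(dn):
    """Return a list of (ATTRIBUTE, value) pairs from a DN string.

    RFC 2253 style separates RDNs with ',' and joins multi-valued RDNs with
    '+'; OpenSSL one-line style starts with '/' and separates with '/'.
    A backslash escapes the following character in either form.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        separators, dn = "/+", dn[1:]
    else:
        separators = ",+"
    pairs, buf, i = [], [], 0

    def flush():
        item = "".join(buf).strip()
        buf.clear()
        if not item:
            return
        if "=" not in item:
            raise ValueError(f"malformed RDN component: {item!r}")
        attr, value = item.split("=", 1)
        pairs.append((attr.strip().upper(), value.strip()))

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch in separators:
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return pairs


def ou_values(dn):
    """All OU values of a subject, in order (a certificate may carry several)."""
    return [value for attr, value in parse_dn(dn) if attr == "OU"]


def matching_vpngroup(dn, vpngroups):
    """First OU value that names a configured vpngroup, or None if the PIX
    would find no matching configuration (phase 2 then fails).  Exact,
    case-sensitive comparison, as nothing looser is assumed."""
    for ou in ou_values(dn):
        if ou in vpngroups:
            return ou
    return None


def check_subjects(subjects, vpngroups):
    """Map each subject DN to its matching vpngroup (None = will not connect)."""
    return {dn: matching_vpngroup(dn, vpngroups) for dn in subjects}


def enrollment_window_minutes(retry_period, retry_count):
    """How long the PIX keeps polling the RA for the issued certificate,
    assuming 'ca conf <name> ra <retry_period> <retry_count>' polls every
    retry_period minutes, retry_count times (3 x 10 = 30 min in the thread)."""
    return retry_period * retry_count


if __name__ == "__main__":
    for dn, group in check_subjects(ISSUED_SUBJECTS, VPNGROUPS).items():
        status = f"vpngroup {group!r}" if group else "NO matching vpngroup (phase 2 will fail)"
        print(f"{dn:58s} -> {status}")
    print("PIX enrollment window:", enrollment_window_minutes(3, 10), "minutes")
```

Run it after the RA has approved a batch of client requests; any subject reported with no matching vpngroup will pass phase 1 (certificate verification) and then die in phase 2 with the misleading "could not assign an internal ip" style error the thread mentions, so fixing the OU before issuance saves a round of confused support calls.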