Cisco VPN 3000 Series Concentrator


Creating A CSR for the VPN 3000 Series Concentrator

Please note: as of January 2011, all CSRs must be generated with a key length of 2048.

Creating an Enrollment Request for an SSL Certificate for VPN 3000 Series Concentrators

An enrollment request for an SSL certificate consists of a base64-encoded PKCS#10 file that the VPN Concentrator generates based on the information you provide in the steps that follow.

Note: You must get the SSL certificate for a LAN-to-LAN connection from the same CA that issued its CA certificate.

Step 1. In the Administration | Certificate Management screen, click the link labeled "Click here to Enroll with a Certificate Authority". The Administration | Certificate Management | Enroll screen displays.

Figure 1 Administration | Certificate Management | Enroll Screen

Step 2. Click Identity certificate. The Administration | Certificate Management | Enroll | SSL certificate screen displays.

Figure 2 Administration | Certificate Management | Enroll | SSL certificate Screen

Step 3. Click Enroll via PKCS10 Request (Manual). The Administration | Certificate Management | Enroll | SSL certificate | PKCS10 Screen displays.

Figure 3 Administration | Certificate Management | Enroll | SSL certificate | PKCS10 Screen

Step 4. Enter values in each of the fields on this screen (shown above).

Step 5. When you have finished, click Enroll. The Administration | Certificate Management | Enroll | Request Generated screen displays.

Figure 4 Administration | Certificate Management | Enroll | Request Generated Screen

The Manager displays this screen when the system has successfully generated a certificate request.

Note: You must complete the enrollment and certificate installation process within one week of generating the request. If you do not, the pending request is deleted.

As the screen text indicates, within a few seconds, a browser window opens with the certificate request.

Figure 5 Example of a Certificate Request

You have generated a base 64 encoded PKCS#10 file (Public Key Certificate Syntax-10), which most CAs recognize or require. The system automatically saves this file in Flash memory with the filename shown in the browser (pkcsNNNN.txt).

In generating the request, the system also generates the private key used in the PKI process. That key remains on the VPN Concentrator in encrypted form.

Step 6. Save the request to disk so that you can paste it into the CSR Request field when you order the certificate online.

Step 7. Close this browser window when you have finished.

Requesting an SSL certificate from a CA for VPN 3000 Series Concentrator

Next, submit the SSL certificate request to a CA. This must be the same CA that issued the CA certificate for this LAN-to-LAN connection. Submit the request and retrieve an SSL certificate according to the procedures of your CA.