Use this procedure if you plan to authenticate this connection entry with digital certificates.
You can obtain a digital certificate for use with the VPN Client by enrolling with a Public Key Infrastructure (PKI) or by importing a certificate from a file.
To configure this connection entry for a digital certificate:
If the Name field displays No Certificates Installed, you must first enroll or import a certificate before you can use this feature. See the Enrolling Certificates topic or Importing a Certificate topic for more information.
To send CA certificate chains, check the Send CA Certificate Chain check box. This parameter is disabled by default.
A CA certificate chain includes all CA certificates in the certificate hierarchy, from the root certificate down. The chain must be installed on the VPN Client so that each certificate in it can be identified. This feature lets a peer VPN Concentrator that shares the same root certificate trust the VPN Client's identity certificate without having the same subordinate CA certificates installed.
The following is an example of a certificate chain:
On the VPN Client, you have this chain in the certificate hierarchy:
On the VPN Concentrator, you have this chain in the certificate hierarchy:
Although the two identity certificates are issued by different CA certificates, the peer VPN device can still trust the VPN Client's identity certificate, because it has received the chain of certificates installed on the VPN Client PC.
This feature provides flexibility because the intermediate CA certificates do not need to be installed on the peer.
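The trust relationship described above can be reproduced with OpenSSL. The script below is an added example; it is not part of this help page or of the VPN Client, and the CA names (Example Root CA, Example Sub CA, Other Root CA), the client name and the temporary working directory are constructed for the demonstration. `openssl verify` plays the role of the VPN Concentrator: `-CAfile` holds what is installed on the peer (the root only), and `-untrusted` holds what the client sends along with its identity certificate when the chain option is enabled.

```shell
#!/bin/sh
# Added example (not Cisco's code): a three-level PKI built with OpenSSL to
# show why sending the CA chain lets a peer that holds only the root trust
# the client's identity certificate. All names and paths are constructed.
set -u

# Work in a throwaway directory unless the caller provides WORK.
if [ -z "${WORK:-}" ]; then
  WORK=$(mktemp -d)
  trap 'rm -rf "$WORK"' EXIT
fi

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# self_signed_root NAME CN : a root CA with a P-256 key (fast to generate)
self_signed_root() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 1 \
    -extensions v3_ca >/dev/null 2>&1
}

# new_csr NAME CN : key pair plus certificate signing request
new_csr() {
  openssl req -new -config "$WORK/demo.cnf" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# issue NAME ISSUER SECTION : sign NAME's CSR with ISSUER's key using extensions SECTION
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.pem" -days 1 -sha256 \
    -extfile "$WORK/demo.cnf" -extensions "$3" >/dev/null 2>&1
}

# Root -> Sub CA -> client identity, plus an unrelated root for the negative case.
build_pki() {
  write_config
  self_signed_root root "Example Root CA" || return 1
  new_csr sub "Example Sub CA" && issue sub root v3_ca || return 1
  new_csr client "vpn-client"  && issue client sub v3_leaf || return 1
  self_signed_root other "Other Root CA"
}

# peer_verifies TRUSTED_ROOT [CHAIN]
# The peer trusts only TRUSTED_ROOT; the client presents client.pem and, when the
# chain option is on, CHAIN as well. Returns 0 if the peer accepts the identity.
peer_verifies() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" "$WORK/client.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/client.pem" >/dev/null 2>&1
  fi
}

demo() {
  build_pki || { echo "PKI setup failed (is openssl installed?)"; return 1; }
  printf 'identity only, peer holds root only:        '
  peer_verifies root && echo accepted || echo rejected
  printf 'identity + Sub CA chain, shared root:       '
  peer_verifies root sub && echo accepted || echo rejected
  printf 'identity + Sub CA chain, different root:    '
  peer_verifies other sub && echo accepted || echo rejected
}

demo
```

The first case is the default (chain option off): the peer cannot find the issuer of the identity certificate and rejects it. The second is the documented behaviour with Send CA Certificate Chain enabled: the subordinate CA certificate travels with the identity certificate and the peer builds a path to the root it already holds. The third case shows the limit stated above: the chain only helps when both sides share the same root.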
Copyright © 2003, Cisco Systems, Inc. All rights reserved.