RE: [FW1] CA & IKE
After finishing all the steps below, I use the user certificate to log on and the error says user cn=test,o=abc,c=us is unknown.

How does the FW know which certificate is for which user? Also, there is nowhere in the FW workstation, user, or CA properties that says it should point to the CA server by IP address to get the user certificate.

Can anybody help clear this up?

-----Original Message-----
From: Emmanuel Bailleul [mailto:[email protected]]
Sent: Wednesday, January 31, 2001 1:34 AM
To: 'MIS'; FW1 mailinglist
Subject: RE: [FW1] CA & IKE

Didn't try yet but it should. After you have set up your Win2K CA server:

1. Create a CA server in your FW
2. Generate a certificate request for your FW object (manage network objects -> your_fw_object, in the certificate tab)
3. Install the generated certificate for the FW
4. Generate a user certificate and create a PKCS12 export of it
5. Import it in SecuRemote (certificates -> import). This will create an Entrust profile (.epf file)
6. Last but not least, don't forget to have your CRL server online (LDAP or HTTP), as FW-1 will not accept SecuRemote connections if you don't have one (even if the list is empty ...).
7. Update site in SR

This works with PKI other than Entrust (Baltimore, RSA Keon) and even with non-OPSEC ones (OpenSSL). For the latter, this is a little bit more tricky, as you have to use an HTTP-based CRL server and so you have to create all your client certificates with the CRLdistributionPoint extension in them.

Emmanuel Bailleul
Ascom Adilan SA
Parc des Glaisins
14, Rue du Pré-Paillard
74940 ANNECY-LE-VIEUX
Tel. +33 (0)4 50 64 02 49
Fax. +33 (0)4 50 64 09 98
WEB: http://www.adilan.fr
"If there is no solution, it is because there is no problem" - Shadok motto

-----Original Message-----
From: MIS [mailto:[email protected]]
Date: Tuesday, January 30, 2001 20:45
To: FW1 mailinglist
Subject: [FW1] CA & IKE

Can Win2k CA be used to issue certificates for SecuRemote IKE encryption? If yes, any procedure how to set it up?

Thanks in advance

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
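The OpenSSL case mentioned in the thread (client certificates issued with a CRL distribution point, plus an HTTP-served CRL that must exist even when empty), as an added example that is not part of the original messages. The CRL URL, file names and PKCS#12 password are placeholders chosen for illustration; the user subject is the one from the error message above.

```shell
# Added example: throwaway OpenSSL CA whose user certificates carry an HTTP CRL URL.
# CRL_URL, file names and the PKCS#12 password are placeholders (assumptions).
set -eu
CRL_URL="http://crl.example.test/ca.crl"

build_demo_pki() (            # body runs in a subshell so the caller's cwd is untouched
  cd "$1"
  : > index.txt; echo 01 > serial        # minimal database for `openssl ca`
  cat > ca.cnf <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:$CRL_URL
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -days 365 \
    -subj "/C=US/O=abc/CN=Demo CA" -keyout ca.key -out ca.crt
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/C=US/O=abc/CN=test" -keyout user.key -out user.csr
  # Sign with the usr_cert section so the CRL distribution point is embedded
  openssl ca -batch -notext -config ca.cnf -extensions usr_cert -in user.csr -out user.crt
  openssl ca -config ca.cnf -gencrl -crldays 7 -out ca.crl   # empty CRL, still has to be published
  openssl pkcs12 -export -inkey user.key -in user.crt -certfile ca.crt \
    -passout pass:changeit -out user.p12                     # PKCS#12 file for the client import step
)
cert_crl_url() { openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\(http[^ ]*\).*/\1/p'; }
crl_is_empty() { openssl crl -in "$1" -noout -text | grep -q "No Revoked Certificates"; }

work=$(mktemp -d)
build_demo_pki "$work" 2>/dev/null
echo "CRL URL in user cert: $(cert_crl_url "$work/user.crt")"
```

The resulting `ca.crl` is what would be served at the URL embedded in the certificates; `cert_crl_url` and `crl_is_empty` are quick checks to run before handing out the PKCS#12 file.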