Use the stop keyword to specify that the certificate is already trusted. This is the
default setting.
Use the continue keyword to specify that the subordinate CA certificate
associated with the trustpoint must be validated.
The parent-trustpoint argument specifies the name of the parent trustpoint the
certificate must be validated against.
Note: A trustpoint associated with the root CA cannot be configured to be validated to
the next level. If the chain-validation command is configured with the continue keyword
for the trustpoint associated with the root CA, an error message will be displayed and
the chain validation will revert to the default chain-validation command setting.
4. Exit:
TOE-common-criteria(ca-trustpoint)# exit
4.6.4.8 Certificate Validation
By default, the TOE validates the certificate of the IPsec peer, including its Basic Constraints
extension. No configuration is required by the administrator. Optionally, as a way to test a Basic
Constraints extension, the administrator can add subject name restrictions to the CA root
trustpoint. Refer to "How to Configure Certificate Enrollment for a PKI" in [22]. A portion of an
example TOE configuration follows below.
TOE-common-criteria (config)# crypto pki certificate map <certificate map name> 1
TOE-common-criteria (ca-certificate-map)# subject-name co example
TOE-common-criteria (config)# crypto pki trustpoint CAroot
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# end
TOE-common-criteria (config)# crypto pki trustpoint CAsub
TOE-common-criteria (ca-trustpoint)# enrollment terminal
TOE-common-criteria (ca-trustpoint)# subject-name CN=example.organization.com,OU=Spiral Dept,O=Example
TOE-common-criteria (ca-trustpoint)# match certificate <certificate map name>
TOE-common-criteria (ca-trustpoint)# end
The administrator should find an error message stating that certificate chain validation has failed
because a certificate in the chain was not a valid CA certificate.
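The check the TOE performs here, as an added illustration that is not part of this guide or of the TOE's own code: walk a peer certificate chain towards the trusted root and reject it as soon as an issuing certificate does not carry Basic Constraints with CA set to TRUE or did not actually sign its child. It uses the third-party Python "cryptography" package; all keys and certificates are constructed in the script, and the names CAroot, CAsub and example.organization.com are reused from the configuration above.

```python
# Added example, not from the Cisco guide. Requires the 'cryptography' package.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_cert(cn, is_ca, issuer=None):
    """Build a test cert signed by issuer=(cert, key), or self-signed when None.
    is_ca=True/False sets Basic Constraints CA accordingly (constructed data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (subj, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(subj).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=1))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    return builder.sign(signer, hashes.SHA256()), key

def validate_chain(leaf, intermediates, root):
    """Return (ok, reason). Each issuer must be a CA per Basic Constraints,
    must be the named issuer of its child, and must have signed it."""
    chain = [leaf] + list(intermediates) + [root]
    for child, issuer in zip(chain, chain[1:]):
        try:
            bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        except x509.ExtensionNotFound:
            return False, f"{issuer.subject.rfc4514_string()} lacks Basic Constraints"
        if not bc.ca:
            return False, f"{issuer.subject.rfc4514_string()} is not a valid CA certificate"
        if child.issuer != issuer.subject:
            return False, f"issuer name mismatch for {child.subject.rfc4514_string()}"
        try:
            issuer.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"bad signature on {child.subject.rfc4514_string()}"
    return True, "chain valid"

def demo():
    """Good chain (CAsub is a CA) versus a chain whose CAsub lacks CA:TRUE."""
    root, root_key = make_cert("CAroot", True)
    good_sub, good_key = make_cert("CAsub", True, (root, root_key))
    bad_sub, bad_key = make_cert("CAsub", False, (root, root_key))
    peer_ok, _ = make_cert("example.organization.com", False, (good_sub, good_key))
    peer_bad, _ = make_cert("example.organization.com", False, (bad_sub, bad_key))
    return validate_chain(peer_ok, [good_sub], root), validate_chain(peer_bad, [bad_sub], root)

if __name__ == "__main__":
    print(demo())
```

The second result reproduces the failure the guide describes: the chain is rejected because a certificate in it is not a valid CA certificate.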
4.6.4.9 Setting X.509 for use with IKE
Once X.509v3 keys are installed on the TOE, they can be set for use with IKEv1 with the
commands:
TOE-common-criteria (config)#crypto isakmp policy 1
TOE-common-criteria (config-isakmp)# authentication rsa-sig