SunScreen 3.2 Configuration Examples

Configuring the Screen to Use CA Signed Certificates

The following sections describe how to set up the Screen and the Windows 2000 system so that they interoperate using CA-signed certificates.

Set Up the Screen
  1. Generate a Certificate Signing Request

    1. From the Common Objects panel, select Generate IKE Certificate.

    2. When the IKE Certificate dialog appears, click the Generate CA Request button; see Figure 9-4.

      Figure 9-4 Generate CA Signing Request

    3. Fill in the required fields.

      Type in a Distinguished Name, and make sure that the Encryption Type and Key Size match the key type and key size the Windows 2000 system uses for its own certificate; a mismatch here is the most common reason the two sides later fail to negotiate.

    4. Click the Generate button.

      SunScreen generates a Certificate Signing Request (CSR) and also creates and stores the corresponding private key. The private key never leaves the Screen; only the CSR is sent to the CA. The following figure shows the CSR.

      Figure 9-5 IKE CA Certificate Signing Request

      You can copy the text or save it to a file to submit to the CA.

  2. Present the CSR to the CA.

    Have the CA sign the request and obtain the resulting signed certificate.

  3. Import the CA signed certificate into the Screen

    1. From the Common Objects panel, choose Import IKE Certificate. The Import IKE Certificate screen appears.

    2. Specify a name and description.

    3. Choose an import method.

      Click the button for the method you want, then either specify the file that contains the signed certificate or paste the signed certificate into the text area.

    4. Click the Install Certificate button.

  4. Add the IKE Root CA Certificate to the Screen.

    You accomplish this task by adding the Root CA certificate to the IKE root CA Certificates GROUP object.

    1. Acquire the Root CA certificate and import it into the Screen's certificate store.

    2. After you finish the import, in the Common Objects panel, search for the IKE root CA certificates object.

      When you find the object, select it and click the edit button. The Certificates object dialog appears. See Figure 9-6.

      Figure 9-6 Import Root CA

    3. Select the Root CA certificate you want and add it to the Include List.

    4. Click OK to finish the task.

  5. Edit the Root CA certificate object.

    Windows 2000 interoperates over IKE only if the Screen identifies the Root CA certificate by its ISSUER Distinguished Name rather than by its SUBJECT Distinguished Name.

    1. Search for the Root CA certificate object.

      When you find the correct object click the Edit button.

    2. Edit the Distinguished Name.

      In the Distinguished Name, change the first qualifier from SUBJECT to ISSUER, leaving its value unchanged. A root CA certificate is self-signed, so its issuer and subject names are the same string; only the qualifier changes.
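The whole procedure above, reproduced offline with a throwaway CA as an added shell example (this is not SunScreen's own tooling, which is driven from the GUI): it produces the artifacts of each step and runs the checks worth doing before you import anything into the Screen. It assumes openssl is on the path; the DNs, file names and the 2048-bit RSA key size are constructed placeholders, so set the key type and size to whatever the Windows 2000 system uses for its own certificate.

```shell
#!/bin/sh
# Added example, not SunScreen code. Walks CSR -> CA signing -> import checks
# with a throwaway CA. DNs, paths and KEY_BITS are constructed assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for keys and certs
KEY_BITS=2048                         # must match the Windows 2000 peer's key size
SCREEN_DN="/C=US/O=Example/CN=screen.example.com"
ROOT_DN="/C=US/O=Example/CN=Example Root CA"

# Stand-in for the CA: a self-signed root certificate and its private key.
make_root_ca() {
    openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "$ROOT_DN" >/dev/null 2>&1
}

# Step 1: the Screen creates a key pair and a CSR. The private key stays here.
make_screen_csr() {
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes \
        -keyout "$WORK/screen.key" -out "$WORK/screen.csr" \
        -subj "$SCREEN_DN" >/dev/null 2>&1
}

# Step 2: the CA signs the CSR and hands back the certificate.
sign_csr() {
    openssl x509 -req -days 30 -in "$WORK/screen.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/screen.pem" >/dev/null 2>&1
}

# Key size found in the CSR or certificate $1, to compare against the peer's.
key_bits() {
    if [ "${1##*.}" = "csr" ]; then cmd=req; else cmd=x509; fi
    openssl "$cmd" -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Step 3 check: the signed certificate must carry the public key that belongs
# to the private key stored in step 1, or the import is useless.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/screen.pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$WORK/screen.key" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 4 check: the signed certificate must chain to the root you are about to
# add to the IKE root CA certificates group.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/screen.pem" >/dev/null 2>&1
}

# Step 5: the value Windows 2000 expects, read from the root's ISSUER field.
root_issuer_dn() {
    openssl x509 -in "$WORK/root.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

root_subject_dn() {
    openssl x509 -in "$WORK/root.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

run_all() {
    make_root_ca
    make_screen_csr
    sign_csr
    echo "CSR key bits:         $(key_bits "$WORK/screen.csr")"
    echo "certificate key bits: $(key_bits "$WORK/screen.pem")"
    if key_matches_cert; then echo "ok: private key matches signed certificate"
    else echo "FAIL: CA signed a different key than the Screen generated"; return 1; fi
    if chain_verifies; then echo "ok: certificate chains to the root CA"
    else echo "FAIL: certificate was not issued by this root"; return 1; fi
    echo "root SUBJECT: $(root_subject_dn)"
    echo "root ISSUER:  $(root_issuer_dn)"
}

run_all
```

The last two lines of output are the point of step 5: because a root CA certificate is self-signed, its ISSUER and SUBJECT are the same string, so the Root CA certificate object keeps its DN value and only the qualifier changes from SUBJECT to ISSUER. If key_matches_cert fails, the CA signed a request other than the one the Screen generated in step 1; if chain_verifies fails, the certificate imported in step 3 was not issued by the root being added in step 4.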