Windows 2003 Server
Requesting a VPN Client Certificate
If the issuing Jurisdiction is configured to allow end users to select a certificate extension profile, tell them to select the VPN/IPsec profile on the certificate request form.
The end user requests a certificate in the usual way, using a browser.
Issuing a VPN Client Certificate
To issue a VPN client certificate:
1. Click Certificate Operations and view the active requests of the issuing Jurisdiction.
2. Select and vet a request, making sure that the VPN/IPsec certificate extension profile is selected.
The VPN/IPsec profile adds two mandatory extensions to the certificate, Authority Key Identifier and Subject Key Identifier (these values are calculated by Certificate Manager), and two recommended extensions, Extended Key Usage and Key Usage.
Note: VPN client certificates do not require these key usage options. However, RSA recommends that you add them to strictly conform with the Microsoft VPN client certificate.
Extension            Must Contain:
Extended Key Usage   Client Authentication (1.3.6.1.5.5.7.3.2)
Key Usage            Digital Signature
                     Key Encipherment
                     Key Agreement
Certificate Manager with the Microsoft Windows PKI Administrator's Guide
3. Click Issue Certificate.
A series of Client Certificate Extension Values pages opens.
4. Review each page, providing configuration details or values, if needed, and click Next.
Under extKeyUsage, change the extension OID from 1.3.6.1.5.5.7.3.5 (IPSec end system), which is already specified, to 1.3.6.1.5.5.7.3.2 (client authentication).
Important: If the Extended Key Usage extension is selected, the OID specified for Extended Key Usage must be 1.3.6.1.5.5.7.3.2 for client authentication.
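The profile table and the extKeyUsage rule above can be verified on an issued certificate. The following is an added example, not part of the RSA guide: a standard-library Python check that takes the DER-encoded Extensions block of a certificate and reports any deviation from the VPN/IPsec profile. The function names and the sample bytes are constructed for illustration.

```python
# Added example; helper names and sample data are assumptions, not RSA code.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
MANDATORY = {"2.5.29.35": "Authority Key Identifier", "2.5.29.14": "Subject Key Identifier"}
REQUIRED_KU = {0: "Digital Signature", 2: "Key Encipherment", 4: "Key Agreement"}

def tlvs(buf):  # yield (tag, value) for each DER element in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        yield tag, buf[i:i + n]
        i += n

def oid(b):  # DER OID content bytes -> dotted string
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last byte of this arc
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def check_vpn_profile(extensions_der):  # empty list means the profile is met
    (_, body), = tlvs(extensions_der)
    exts = {}
    for _, e in tlvs(body):
        fields = list(tlvs(e))  # extnID, optional critical flag, extnValue
        exts[oid(fields[0][1])] = fields[-1][1]
    problems = [f"missing {name}" for o, name in MANDATORY.items() if o not in exts]
    if "2.5.29.37" in exts:  # Extended Key Usage: SEQUENCE OF OID
        (_, seq), = tlvs(exts["2.5.29.37"])
        ekus = [oid(v) for _, v in tlvs(seq)]
        if CLIENT_AUTH not in ekus:
            problems.append(f"extKeyUsage lacks {CLIENT_AUTH}, found {ekus}")
    if "2.5.29.15" in exts:  # Key Usage: BIT STRING, bit 0 is the MSB
        (_, bits), = tlvs(exts["2.5.29.15"])
        flags = bits[1] if len(bits) > 1 else 0
        problems += [f"keyUsage lacks {n}" for b, n in REQUIRED_KU.items() if not flags >> (7 - b) & 1]
    return problems

def der(tag, *parts):  # encoder for the constructed sample (bodies under 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(eku_arc):  # constructed data; eku_arc 2 = clientAuth, 5 = IPSec end system
    ext = lambda o, v: der(0x30, der(0x06, bytes.fromhex(o)), der(0x04, v))
    return der(0x30, ext("551d23", der(0x30, der(0x80, b"\x01" * 20))),
               ext("551d0e", der(0x04, b"\x02" * 20)), ext("551d0f", der(0x03, b"\x03\xa8")),
               ext("551d25", der(0x30, der(0x06, bytes.fromhex("2b060105050703") + bytes([eku_arc])))))
```

Calling check_vpn_profile(sample(5)) reports the default IPSec end system OID as a deviation, while sample(2) returns an empty list.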