Entrust Authority: Enrollment Server for VPN

Frequently Asked Questions

  1. What is Entrust Authority™ Enrollment Server for VPN?
  2. What are some of the key benefits of Enrollment Server for VPN?
  3. What VPN devices does the Enrollment Server for VPN support?
  4. What standards does the Enrollment Server for VPN use?
  5. Does the Enrollment Server for VPN support IPsec and IKE?
  6. How many Enrollment Servers are supported on a single Entrust Authority Security Manager?
  7. What is the relationship between the Enrollment Server for VPN and Entrust Authority IPSEC Toolkit for C?
  8. What are the differences in capabilities between a system that implements the IPSEC Toolkit for C versus a system that implements SCEP or PKCS#10?
  9. Does the Enrollment Server have to be co-located with the Security Manager?

  1. What is Entrust Authority Enrollment Server for VPN? (top)

    The Enrollment Server for VPN is an optional component of Entrust Authority Security Manager. The Enrollment Server for VPN manages certificate enrollment for VPN devices such as routers, gateways, firewalls, and VPN access applications that support IPSec and IKE (Internet Key Exchange) standards.

    The Enrollment Server for VPN supports VPN devices and applications that enroll in their public-key infrastructure (PKI) using the Simple Certificate Enrollment Protocol (SCEP) supported by Cisco® Systems or PKCS#10 certificate requests supported by many other VPN device vendors.

    Entrust VPN Solutions take advantage of the Enrollment Server for VPN in addition to offering support for Entrust digital IDs and tight integration with products from VPN vendors Cisco, Nortel and Check Point.

  2. What are some of the key benefits of the Enrollment Server for VPN? (top)
    • Reducing administration costs — Certificates are automatically posted to directories, thereby eliminating the need to download files or run additional utilities. Since the CRL is also automatically updated, there is no need to manually administer files. By using the Security Manager to manage all public-key based security applications (including VPNs) overall security administration costs can be reduced.
    • Simplified support services — Support for all Entrust Authority components including the Security Manager and the Enrollment Server for VPN are provided by the same Entrust support team.
    • Benefits of Security Manager — Since the Enrollment Server for VPN is an extension of the proven Entrust Authority product portfolio, enterprises are able to take advantage of Entrust Authority features such as security management and CA cryptographic hardware. Additionally, devices using Enrollment Server for VPN certificates are trusted by compatible devices using other PKI-Aware VPN solutions. Overall, security costs can be reduced while taking advantage of the flexibility associated
  3. What VPN devices does the Enrollment Server for VPN support? (top)

    The Enrollment Server for VPN supports IPSec- and IKE-enabled VPN devices that use certificates to enhance the scalability of their respective VPN solutions. The Enrollment Server for VPN supports VPN devices and applications that enroll in their Security Manager using the Simple Certificate Enrollment Protocol (SCEP is used by Cisco® devices) or PKCS#10 certificate requests in either PEM/BASE64 or binary format. The Enrollment Server for VPN can distribute certificates as ASN.1 files or within PKCS#7 messages.

  4. What standards does the Enrollment Server for VPN use? (top)

    Supported standards include: X.509 v3, PKCS#10, PKCS#7, PEM/BASE64, ASN.1, MD-5, SHA-1, LDAP v2, RSA 1024, DES 56, CAST 128.

  5. Does Enrollment Server for VPN support IPsec and IKE? (top)

    The Enrollment Server for VPN enrolls devices that support IPSec and IKE. The Enrollment Server for VPN does not need to support IPSec and IKE itself.

  6. How many Enrollment Servers for VPN are supported on a single Entrust Authority Security Manager? (top)

    There is no restriction on the number of Enrollment Servers for VPN that can be supported by a single Security Manager.

  7. What is the relationship between Enrollment Server for VPN and the IPSec Toolkit for C? (top)

    Many third-party VPN vendors use the Entrust Authority™ IPSec Toolkit for C to implement IKE or PKI support in their VPN client software. These products use the PKIX-CMP protocol (RFC 2510) for digital certificate enrollment. However, these vendors often build their own security support capabilities for their dedicated VPN gateway devices rather than integrating the device with the IPSec Toolkit for C. Typically, the enrollment methods supported by these devices are PKCS#10 or the SCEP protocol. In these cases, an Enrollment Server for VPN can be used to provide digital certificates to the VPN gateway. Since the digital certificates supplied to the two communicating nodes come from the same Security Manager, the VPN devices or applications will trust one another, and successful secure session negotiation can take place.

  8. What are the differences in capabilities between a system that implements the IPSEC Toolkit for C vs a system that implements SCEP or PKCS#10? (top)

    Capability                                                         | Entrust Authority™ IPSEC Toolkit for C             | Entrust Authority™ Enrollment Server for VPN (SCEP and PKCS#10)
    Supports X.509 v3 certificates                                     | Yes                                                | Yes
    Supports certificate revocation                                    | Yes                                                | Yes
    Reads certificates & CRLs from directory                           | Yes                                                | VPN device dependent
    Certificate registration                                           | Transparent (uses activation code for enrollment)  | Manual (1)
    Certificate update                                                 | Automatic                                          | Manual (1)
    Shared credentials with other Entrust-Ready desktop applications   | Yes                                                | No
    Single login for desktop applications                              | Yes                                                | No
    SCEP support                                                       | No                                                 | Yes
    PKCS#10 support                                                    | No                                                 | Yes

    (1) Requires manual authentication and integrity checking. This is typically done with telephone calls between device administrators and CA administrators.
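    The two points above that a practitioner actually has to implement are the intake of PKCS#10 requests in either PEM/BASE64 or binary form (question 3) and the manual integrity check on a request before a certificate is issued (footnote 1). The following is an added example, not code from Entrust or from the Enrollment Server product: it normalises either encoding to DER, validates the outer CertificationRequest structure with a small stdlib-only ASN.1 reader, and computes a SHA-1 fingerprint of the DER bytes that two administrators could compare out of band. The sample request is constructed in the block with placeholder key and signature bytes, so it is structurally valid but would fail any real signature check; reading a digest over the phone is the assumed form of the manual check, not a procedure the page documents.

```python
"""Added example: PKCS#10 intake in PEM/BASE64 or binary DER, structural check, and
SHA-1 fingerprint for out-of-band integrity confirmation. Stdlib only."""
import base64
import hashlib
import re

# ---- minimal DER helpers (encoder used only to build the constructed sample) ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(b):
    parts, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def read_tlv(buf, pos=0):
    """Return (tag, content, end) for the DER element at buf[pos]; rejects indefinite lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        if k == 0 or k > 4:
            raise ValueError("non-DER length encoding")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    end = pos + n
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end

def children(body):
    out, pos = [], 0
    while pos < len(body):
        t, c, pos = read_tlv(body, pos)
        out.append((t, c))
    return out

# ---- constructed sample: CertificationRequest shape with dummy key and signature ----
def build_sample_request():
    rsa_alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + b"\xAA" * 16))   # placeholder key bits
    subject = der(0x30, b"")                                         # empty Name (no RDNs)
    info = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, b""))  # version 0 + attrs
    sig_alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.5")) + der(0x05, b""))
    signature = der(0x03, b"\x00" + b"\x55" * 32)                    # placeholder signature bits
    return der(0x30, info + sig_alg + signature)

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"

# ---- intake: accept PEM, bare BASE64, or binary DER, and always hand back DER ----
PEM_RE = re.compile(rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
                    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.S)

def normalize_request(data):
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    stripped = b"".join(data.split())
    if re.fullmatch(rb"[A-Za-z0-9+/]+=*", stripped):      # BASE64 without PEM armour
        return base64.b64decode(stripped)
    if data[:1] == b"\x30":                                # binary DER SEQUENCE
        return data
    raise ValueError("unrecognised request encoding")

def parse_pkcs10(der_bytes):
    """Check the outer PKCS#10 layout and pull out the fields an operator would review."""
    tag, body, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("not a single DER SEQUENCE")
    top = children(body)
    if [t for t, _ in top] != [0x30, 0x30, 0x03]:
        raise ValueError("expected certificationRequestInfo, signatureAlgorithm, signature")
    info = children(top[0][1])
    if len(info) < 3 or info[0][0] != 0x02 or int.from_bytes(info[0][1], "big") != 0:
        raise ValueError("certificationRequestInfo must start with version 0")
    alg = children(top[1][1])
    sig_bits = top[2][1]
    return {
        "version": 0,
        "subject_rdn_count": len(children(info[1][1])),
        "has_attributes": len(info) > 3 and info[3][0] == 0xA0,
        "signature_algorithm": decode_oid(alg[0][1]) if alg and alg[0][0] == 0x06 else None,
        "signature_bits": (len(sig_bits) - 1) * 8 - sig_bits[0],
    }

def fingerprint(der_bytes, algorithm="sha1"):
    """Colon-separated digest of the DER request for the administrators' manual comparison."""
    hx = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def intake(raw):
    """Full path a request takes: normalise, validate structure, fingerprint."""
    d = normalize_request(raw)
    return parse_pkcs10(d), fingerprint(d)

if __name__ == "__main__":
    sample = build_sample_request()
    for submitted in (sample, to_pem(sample).encode()):
        fields, fp = intake(submitted)
        print(fields, fp)
```

    Both the binary and the PEM submission of the same request yield an identical fingerprint, which is the property the telephone check relies on: whichever encoding the device happened to send, the value the CA administrator reads back must match what the device administrator computed locally. Anything that fails `parse_pkcs10` should be rejected before the manual step rather than after it.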

  9. Does the Enrollment Server for VPN have to be co-located with the Security Manager? (top)

    No. The Enrollment Server for VPN can be co-located with the Entrust CA or configured to operate in a physically remote location. Communication between the Enrollment Server for VPN and Security Manager is secured using Entrust's Secured Exchange Protocol (SEP) to protect information exchange.