PGPNet/Entrust

Scott Armstrong scotta at GNAC.COM
Fri Feb 4 19:18:38 EST 2000


I submitted this note a while back and have now figured out how to get it to work (with some help from some great people at both NAI and Entrust).  I thought I'd drop the list a note in case anyone else trod the same water.  Please note, I often say to read the documentation.  The Entrust documentation is great and you need to read it to do anything.  The NAI docs only really tell how to get it to work with other NAI products.  These instructions are meant to be a bridge between the two.

>Does anyone have some tips on getting Entrust certificates into 
>PGPNet.  I'm using Entrust 5.0 with pre-5.0 client compatibility and VPN Connector 4.1.
>The directory is PeerLogic 8.a.2 with both LDAP v2 and v3 capabilities.  My
>main problem is getting the CA root certificate into the PGP client.  As
>soon as that's done I should be able to install my client certificate into
>my key ring.  Problem is, it doesn't seem to want to work.

First of all, to get Entrust to work with most VPN products, you need the Entrust VPN Connector.  This is an enrollment/management workstation that listens for requests and then approves or denies them.  It can take requests in two ways: (1) read the request from a file or (2) listen for requests online.  The online requests are for devices that use the Cisco Enrollment Protocol (CEP).  It turns out PGPNet uses CEP.  There are some extra steps you need to take when configuring the Entrust CA for CEP requests, but these are all documented very well in the VPN Connector installation documentation.  However, here are a couple of notes on the installation:

- If you're going to be using the VPN Connector, make sure that the directory is configured for LDAPv2 connectivity.
- Be sure to edit the entmgr.ini (server only) and entrust.ini (server and client) files.
- Change the default CA search base to "Certification Authority" as described in the documentation.  Edit the SearchBase entry in entrust.ini as well.

In order for CEP devices to send certificates, they need to attach to a web site.  With VPN Connector, the web site is something like http://your.ip.address/cgi-bin/pkiclient.exe for an IIS box.  When VPN Connector is installed, these files live in the "Program Files\Entrust\VPN Connector\Cgi\Win32" directory (there's also a Solaris version near there).  Follow the documentation to get the web site set up and running.

Before PGPKeys can send requests to the VPN Connector, you need to import the "CA Root" key.  When you install VPN Connector, a file called vpnconcacert.pem is created in the root of the VPN Connector directory.  This file contains the information you need.  The information in the file needs to be given to the client (through the functioning web site is one way).  The client needs to copy the information in the file and then paste it into the PGPKeys window (all of it, including the Begin and End lines).  This starts up the import key function.  When finished, sign the imported key and make it a Meta-Introducer.

Now we're almost ready to create the request.  But first, we need to tell PGP about the registration server.  Open PGPKeys and select Edit | Preferences and go to the CA tab.  The URL field should be filled in with the information on how to get to the web site (http://your.ip.address/cgi-bin/pkiclient.exe), the type should be Entrust (I'm not completely sure about the Revocation URL, but I've been using <ip.address.of.directory>:389).  In the Root Certificate box click on "Select Certificate" and choose the certificate you just imported.

Now, make sure your web server is running and log into VPN Connector.  Put VPN Connector into the "Listen for new requests" state (making sure the port number is the same as the one you entered when you configured the web site's vpnconcgi.cfg file; yeah, I didn't mention it earlier, but I did say follow the documentation and it's detailed there).

Back to PGPKeys and select Keys | Add | Certificate.  The default information should show the client's current IP and the PGPKeys user e-mail address.  Add in any other information needed (I had to add "Organizational Unit" (ou=), "Organization" (o=) and "Country" (c=)).  If everything has been done correctly, you should be welcomed by a nice little message saying that the server got your request.

Back to the VPN Connector.  You should see the pending request listed there.  You can try to approve it, but you'll get an error (something like "Invalid name 15064").  What happens is, PGP sticks an extra field into the request that Entrust doesn't like.  So we need to go take it out of the request.  Close down VPN Connector and open the requestFile.txt file (it's in the same place as the vpnconcacert.pem file).  Once that's open, find the request you just made (there may be many requests if you have pending ones).  Next, find the line starting with "Description=PGPKeyCreation=" (without the quotes).  Select the whole line and delete it.  Save the file, go back into VPN Connector and approve the request.  It will now succeed.
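Two of the manual steps above are easy to get wrong by hand: pasting the CA root certificate from vpnconcacert.pem without its Begin/End lines, and hunting through requestFile.txt for the "Description=PGPKeyCreation=" line while leaving every other pending request intact.  The following script is an added example, not code from the original post or from Entrust/NAI; it assumes requestFile.txt is a plain text file of key=value lines (the exact on-disk layout is not documented in the post) and uses a constructed, non-certificate DER stand-in for the PEM check.

```python
"""Helpers for two manual steps in the PGPNet/Entrust enrollment procedure.

Added example; not Entrust or NAI code.  Assumptions (not from the post):
  - requestFile.txt is plain text, key=value per line, possibly CRLF-terminated.
  - A pasted PEM block is one -----BEGIN ...----- / -----END ...----- pair.
"""
import base64
import binascii
import shutil
from pathlib import Path
from typing import Tuple

OFFENDING_PREFIX = "Description=PGPKeyCreation="   # the line Entrust rejects


def pem_block_is_complete(text: str) -> bool:
    """True if text holds exactly one BEGIN/END pair whose body is base64 DER.

    Catches the common paste error of dropping the Begin or End line, or
    pasting only part of the base64 body.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return False
    if not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("-----")):
        return False
    if not (lines[-1].startswith("-----END ") and lines[-1].endswith("-----")):
        return False
    if any(ln.startswith("-----") for ln in lines[1:-1]):
        return False            # a second header inside the body: two blocks pasted
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return False
    return len(der) > 0 and der[0] == 0x30   # DER SEQUENCE tag, as a certificate starts


def strip_pgp_description(text: str) -> Tuple[str, int]:
    """Return (cleaned_text, lines_removed); only the offending line is dropped."""
    lines = text.splitlines(keepends=True)
    kept = [ln for ln in lines if not ln.startswith(OFFENDING_PREFIX)]
    return "".join(kept), len(lines) - len(kept)


def clean_request_file(path: Path) -> int:
    """Back up requestFile.txt, rewrite it without the offending line(s).

    Returns the number of lines removed.  Run with VPN Connector closed,
    as the post says, so the file is not rewritten underneath it.
    """
    original = path.read_text()
    cleaned, removed = strip_pgp_description(original)
    if removed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
        path.write_text(cleaned)
    return removed


# Constructed sample request file in the assumed layout (not real Entrust output).
SAMPLE_REQUESTS = (
    "Name=cn=scott,ou=eng,o=example,c=us\r\n"
    "Description=PGPKeyCreation=1\r\n"
    "Email=scotta at example.com\r\n"
    "\r\n"
    "Name=cn=router1,ou=net,o=example,c=us\r\n"
    "Email=noc at example.com\r\n"
)

# Constructed PEM stand-in: the body is a tiny DER SEQUENCE, not a certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("pasted block complete:", pem_block_is_complete(SAMPLE_PEM))
    cleaned, n = strip_pgp_description(SAMPLE_REQUESTS)
    print(f"removed {n} line(s)")
    print(cleaned, end="")
```

Point `clean_request_file` at the real requestFile.txt (next to vpnconcacert.pem) after closing VPN Connector; the `.bak` copy lets you restore the file if Entrust expected something else in the layout.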

Back to PGPKeys.  Select Server | Retrieve Certificate and it should be retrieved successfully.

Next you configure PGPNet to work with GVPN, but that's another story.

Note: These instructions have been tried with PGP 6.5.3 on NT and 6.5.2a on the Mac.  I don't guarantee this is the proper way to do it, only that it seems to have worked for me.

Thanks to everyone who helped with this,
Scott Armstrong

VPN is sponsored by SecurityFocus.COM
