80 Chapter 3 Using certificates
NN46110-600

5 Click OK. The Installed Tunnel Certificates table displays the certificate entry.
6 Enable Allow All, if desired.
7 Click OK. You now have the CA certificate which remote users can authenticate. Repeat this operation if multiple CAs are issuing user certificates.

Optionally, you can configure a CRL distribution point to enable revocation checking of client certificates. Click System > Certificates: Installed Tunnel Certificates: CA Details, enter the appropriate CRL Information, and click OK.

The Enabled check box enables CRL checking of certificates for a particular CA. The Search Base, Host, Connection, and values must be set for proper access to the CRL LDAP directory store.

Setting certificate parameters

You can set the following parameters from the System > Certificates > Certificate Configuration window:

1 Under Certificate Signature Requirements, select Key Usage Extension Required if you want the Key Usage V3 extension present in all certificates presented as part of a tunnel initiation (user and branch office).
2 Under Certificate Signature Requirements, select Validate Issuer if you do not accept a subordinate CA without a parent CA. If the check is not set, a subordinate CA is accepted even if it is not validated.
3 Under Installed Tunnel and Transport Certificates, enable Allow All to allow in all tunnel requests authenticated by a particular CA, providing a significant configuration savings because individual users do not have to be provisioned into the VPN Router.
4 Select Trusted if the certificate is trusted. For CA certificates, this indicates that tunnel requests presenting this issuer as the signer of their certificate are trusted. For server certificates, this is a method of turning off the certificate without deleting it.
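
The following is an added example, not code from the VPN Router or its vendor: a simplified Python model of how the settings described above (Key Usage Extension Required, Validate Issuer, Allow All, Trusted, and per-CA CRL checking) combine when a tunnel request presents a certificate. The class and field names, the order of checks, and the sample certificates are assumptions made for illustration; signatures are not verified.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    serial: int
    has_key_usage: bool = True

@dataclass
class InstalledCA:  # hypothetical row of the Installed Tunnel Certificates table
    cert: Cert
    trusted: bool = True
    allow_all: bool = False
    crl_enabled: bool = False
    revoked: set = field(default_factory=set)  # serials listed in the CA's CRL

def evaluate(user, installed, key_usage_required=False, validate_issuer=False, provisioned=()):
    """Return (accepted, reason) for a tunnel request presenting `user`."""
    if key_usage_required and not user.has_key_usage:
        return False, "Key Usage extension missing"
    ca = installed.get(user.issuer)
    if ca is None or not ca.trusted:
        return False, "issuer not installed or not trusted"
    if validate_issuer:
        node, seen = ca.cert, set()
        while node.issuer != node.subject:  # stop at a self-signed root
            parent = installed.get(node.issuer)
            if parent is None or node.subject in seen:
                return False, "subordinate CA without parent CA"
            seen.add(node.subject)
            node = parent.cert
    if ca.crl_enabled and user.serial in ca.revoked:
        return False, "certificate revoked"
    if not ca.allow_all and user.subject not in provisioned:
        return False, "user not provisioned"
    return True, "accepted"

# Constructed sample: subordinate CA installed without its root, Allow All on.
SUB = InstalledCA(Cert("CN=Sub CA", "CN=Root CA", 2), allow_all=True,
                  crl_enabled=True, revoked={77})
INSTALLED = {"CN=Sub CA": SUB}
ALICE = Cert("CN=alice", "CN=Sub CA", 41)
REVOKED = Cert("CN=bob", "CN=Sub CA", 77)
NO_KU = Cert("CN=carol", "CN=Sub CA", 42, has_key_usage=False)

if __name__ == "__main__":
    for c in (ALICE, REVOKED, NO_KU):
        print(c.subject, evaluate(c, INSTALLED, key_usage_required=True, validate_issuer=False))
```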