Archived
TD0140: FCS_IPSEC_EXT.1.12, Test 1 - Importing of Private Key and Certificate
Publication Date
2017.01.19
Protection Profiles
PP_VPN_IPSEC_CLIENT_V1.4
Other References
FCS_IPSEC_EXT.1.12
Issue Description
The FCS_IPSEC_EXT.1.12 Test Assurance Activity requires the evaluator to generate a CSR using the TOE/platform for use during testing. However, most VPN clients for mobile devices are not designed to issue their own CSRs, and CSR-issuing functionality is not required or directly available to users to meet the MDF PP (so CSR issuance isn't necessarily available on an evaluated mobile device).
Resolution
For FCS_IPSEC_EXT.1.12, the Assurance Activity for Test 1 has been updated as follows:
Test 1: The evaluator shall have the TOE/platform generate a public-private key pair, and submit a CSR (Certificate Signing Request) to a CA (trusted by both the TOE/platform and the peer VPN used to establish a connection) for its signature. The values for the DN (Common Name, Organization, Organizational Unit, and Country) will also be passed in the request. Alternatively, the evaluator may import to the TOE/platform a previously generated private key and corresponding certificate.
Justification
Not all TOE platforms will be able to generate certificate requests; therefore, the Test AA was updated to allow the option of importing a private key and certificate.
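
For the import alternative, the key and certificate have to be produced off the TOE. The following is an added example, not part of the Technical Decision or the Protection Profile: it uses OpenSSL on an evaluator workstation to create the key pair, a CSR carrying the four DN values, and a CA-signed certificate, then checks the material before bundling it as PKCS#12. The DN values, file names, throwaway CA and function names are assumptions made for illustration; how the bundle is imported into a given TOE/platform is product specific and not shown.

```sh
#!/bin/sh
# Added example; DN values, file names and the throwaway CA are constructed.
umask 077   # keys are written unencrypted (-nodes): keep them owner-only

make_test_ca() {          # $1 = work dir; stands in for the CA both ends trust
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example Lab/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_client_csr() {       # key pair plus CSR carrying CN, O, OU and C
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example Lab/OU=VPN Test/CN=vpn-client-01" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
}

csr_subject() {           # print the DN actually carried in the request
    openssl req -in "$1/client.csr" -noout -subject -nameopt RFC2253
}

sign_csr() {              # the CA signs the request
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/client.crt" 2>/dev/null
}

chains_to_ca() {          # certificate must verify against the trusted CA
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

key_matches_cert() {      # public key derived from the key == key in the cert
    k=$(openssl pkey -in "$1/client.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/client.crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

bundle_for_import() {     # $2 = passphrase, passed via environment, not argv
    P12_PASS="$2" openssl pkcs12 -export -inkey "$1/client.key" \
        -in "$1/client.crt" -certfile "$1/ca.crt" -name vpn-client-01 \
        -passout env:P12_PASS -out "$1/client.p12"
}

prepare_test1_material() {   # $1 = work dir, $2 = PKCS#12 passphrase
    make_test_ca "$1" && make_client_csr "$1" && sign_csr "$1" &&
    chains_to_ca "$1" && key_matches_cert "$1" && bundle_for_import "$1" "$2"
}
```

Running `prepare_test1_material` against an empty directory leaves `client.p12` there; a mismatched key or a certificate that does not chain to the CA stops the sequence before the bundle is written.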