Define additional VPN certificate authorities

If you want to use certificates that are signed by an external CA, define an additional VPN CA.

Before you begin

You must have the root certificate (or a valid certificate) from the certificate authority.

You must define additional VPN CAs in the following cases:
  • In a VPN with an external gateway where you do not want to use the Internal RSA CA for Gateways or the Internal ECDSA CA for Gateways to create a certificate for the external gateway. The external gateway must also be configured to trust the issuer of the certificate.
  • If you want to use a certificate signed by an external CA for a VPN Gateway or for a VPN client.
Note: Only the Internal RSA CA for Gateways and Internal ECDSA CA for Gateways of your SMC are configured as trusted CAs for gateways in VPNs by default. The Internal RSA CA for Gateways is automatically created when you install the SMC.

You can configure the CA as trusted by importing its certificate to VPN Certificate Authorities. The certificates must be X.509 certificates in PEM format (Base64 encoding). It might be possible to convert between formats using, for example, OpenSSL or the certificate tools included in Windows.

The CAs you use can be either private (for self-signed certificates) or public (commercial certificate issuers). When you define a CA as trusted, all certificates signed by that CA are valid until their expiration date (or until the CA’s certificate expires). Optionally, you can also enable certificate revocation checking by the VPN gateways by enabling validity check options in the properties of the VPN Certificate Authority element. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) are supported when the issued certificates contain pointers for the revocation information. The CA can cancel a certificate, for example, because it is compromised.

By default, all CAs you have defined are trusted by all gateways and in all VPNs. If necessary, you can limit trust to a subset of the defined CAs when you configure the VPN Gateway and VPN Profile elements. The trust relationships can be changed at the gateway level and in the VPN Profiles.

To obtain a certificate from an external certificate authority, first create element for the certificate authority.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Certificates > VPN Certificate Authorities.
  3. Right-click VPN Certificate Authorities, then select New VPN Certificate Authority.
  4. On the General tab, configure the settings.
    Note: All fields but the Name on the General tab are grayed out. The grayed out fields are always filled in automatically based on information contained in the certificate you import. You cannot change the information in the grayed out fields. The information is shown when you close and reopen the VPN Certificate Authority element after importing the information.
    CAUTION:
    When certificate checking is defined, all certificates signed by the CA are treated as invalid if the validity check cannot be performed. For example, the validity check might not be performed due to incorrectly entered addresses or connectivity problems.
  5. On the Certificate tab, import the certificate in one of the following ways:
    • Click Import, then import a certificate file.
    • Copy and paste the information into the field. Include the “Begin Certificate” header and “End Certificate” footer in the information that you copy and paste.
    Tip: You can copy and paste the certificate information for many public certificate authorities from the default Trusted Certificate Authority elements. The default Trusted Certificate Authority elements are in the Configuration view under Administration > > Certificates > Certificate Authorities > Trusted Certificate Authorities.
  6. Click OK.

Next steps

If you see an invalid certificate error, the certificate you imported might be in an unsupported format. Try converting the certificate to an X.509 certificate in PEM format (Base64 encoding) using OpenSSL or the certificate tools included in Windows.

If your Firewall Policy is based on the Firewall Template, both LDAP (port 389) and HTTP (port 80) connections from the Firewall are allowed. If your firewall or server configuration differs from these standard definitions, edit the Firewall Policy to allow the necessary connections from the Firewalls.

VPN Certificate Authority Properties dialog box

Use this dialog box define the properties of a VPN Certificate Authority element.

Option Definition
General tab
Name Enter a name for the element. This name is only for your reference.
Note: All fields but the Name on the General tab are grayed out. The grayed out fields are always filled in automatically based on information contained in the certificate you import and you cannot change the information in them. The information is shown when you close and reopen the VPN Certificate Authority element after importing the information.
Signature Algorithm Shows the signature algorithm that was used to sign the certificate.
Valid From Shows the start date of certificate validity.
Valid To Shows the end date of certificate validity.
Fingerprint (SHA-1) Shows the certificate fingerprint using the SHA-1 algorithm.
Fingerprint (MD5) Shows the certificate fingerprint using the MD5 algorithm.
Fingerprint (SHA-512) Shows the certificate fingerprint using the SHA-512 algorithm.
Status The status of the certificate.
Check Validity on Certificate-Specified CRLs Select this option if you want the Firewalls to check the revocation status of certificates signed by this CA on a certificate revocation list.
Check Validity on Certificate-Specified OCSP Servers Select this option if you want the Firewalls to check the revocation status of certificates signed by this CA on an OCSP server.
Option Definition
Certificate tab
Export Exports the certificate text.
Import Opens a file browser to import a certificate file.

Add CRL Server dialog box

Use this dialog box to add a CRL server address to a VPN Certificate Authority element.

Option Definition
Enter a Manual LDAP Server Address Enter the address of the server.

An example of the address is ldap://example.com:389.

Add OSCP Server dialog box

Use this dialog box to add an OSCP server address to a VPN Certificate Authority element.

Option Definition
Enter a Manual OCSP Server Address

Enter the address of the server.

An example of the address is http://ocsp.example.com.