Using certificate-based authentication

You can use certificates for authentication in any IPsec VPN, including route-based VPNs.

In all site-to-site VPNs and in mobile VPNs with third-party VPN clients, you can select whether to use certificates or a pre-shared key for authentication. With the Stonesoft VPN Client, the following types of authentication are available:

  • Hybrid authentication requires the presence of a valid certificate on the gateway and some other form of authentication from the VPN client user.
  • Certificate exchange authentication requires a certificate from both the gateway and the VPN client.

Certificates often provide a higher level of security than pre-shared keys. A certificate only has to be renewed at an interval of a few years, and its built-in expiration date makes sure that it is renewed rather than used indefinitely. A certificate file cannot be compromised in transit, because it cannot be used without the corresponding private key. The following illustration outlines the basics of how a certificate is generated.

Figure: VPN certificate creation

When a certificate request process is started, a private key is generated and stored.
The certificate requester uses the private key to generate a certificate request that is transferred to the certificate authority (CA).
The CA signs the certificate request, which validates the certificate.
The signed certificate is transferred to the original certificate requester.

The certificate creation is either automatic or manual:

  • For VPN gateways, all steps can be automatic if the default internal CA for gateways is used for signing the certificate. If another certificate authority is used, the certificate request is exported from the SMC and the signed certificate is imported back into the SMC.
  • For VPN clients, the certificate request file is created manually in the VPN client and transferred manually to be signed by an internal certificate authority in the SMC or another certificate authority. The signed certificate is then transferred manually onto the VPN client computer.

Private keys are always generated automatically. If the private key is lost, such as due to a hardware failure, any associated certificate becomes unusable and a new certificate must be created. The private key is securely and automatically synchronized between clustered firewall nodes to allow all nodes to use the same certificate.

Unlike pre-shared keys, certificates do not need to be distributed to all gateways in the VPN. Instead, the other gateways are configured to trust the CA that signed the certificate, after which they trust all certificates from that issuer. This trust relationship also allows renewing or re-creating the certificate on one gateway without having to reconfigure the other gateways. Only certificates from trusted CAs are accepted for authentication, so each VPN gateway must be configured to trust the CAs that sign the certificates the other gateways use for authentication.