Sign external VPN certificate requests with an internal certificate authority

You can use an internal certificate authority to sign VPN certificate requests for VPN clients and internal VPN gateways.

Before you begin

For VPN clients, you must have a PKCS#10 certificate request file in PEM format. For internal VPN gateways, you must have already generated a certificate request.

The SMC’s Internal RSA CA for Gateways and Internal ECDSA CA for Gateways can be used to sign external certificate requests. You can also use an internal certificate authority to sign any certificate request that is in the supported format (PKCS#10 certificate requests in PEM format). An alternative is to configure the Internal Gateway to accept an externally signed certificate by defining the external certificate issuer as trusted.

If more than one valid internal certificate authority is available, you can select which internal CA signs the certificate request. There can be multiple valid Internal CAs for Gateways in the following cases:
  • There is both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways.
  • The Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available.
Make sure that the date, time, and time zone are all set correctly on the Management Server and on the external component that uses the certificate. Certificates are valid for three years starting from the date and time they are created. The validity start and end date and time are written in the certificate and are enforced in the authentication.
Note: The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways do not support certificate revocation lists. It is not possible to cancel an internally signed certificate before it expires.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Sign VPN Client certificates.
    1. Select Tools > Sign VPN Client Certificate.
      Tip: You can sign any X.509 certificate requests in this dialog box (not only VPN client certificate requests).
    2. If more than one valid internal certificate authority is available, select which internal CA signs the certificate request.
      Note: If the Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available, select the new CA.
    3. Browse to the certificate request file on your local workstation or copy and paste the content of the certificate request into the dialog box.
      If you copy and paste the certificate request, include the Begin Certificate Request header and the End Certificate Request footer.
    4. Click Sign.
      The certificate is signed and the Export Certificate dialog box opens. Click the Certificate tab to view the validity information for the certificate.
    5. Click the General tab, then click Export to save the certificate for transfer to the device that needs it.
    6. Click OK.
  3. Sign certificate requests for internal VPN gateways.
    1. Click Gateways, then expand the VPN Gateway element for which you generated a certificate request.
    2. Right-click the certificate request, then select Sign Internally.
    3. If more than one valid internal certificate authority is available, select which internal CA signs the certificate request.
      Note: If the Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available, select the new CA.
    4. Click Sign.

Sign VPN Client Certificate dialog box

Use this dialog box to sign VPN Client Certificates.

Option Definition
Sign with If more than one valid internal certificate authority is available, select which internal CA signs the certificate request. There can be multiple valid Internal CAs for Gateways in the following cases:
  • There is both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways.
  • The Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available. Select the new CA in this case.
From File Specifies the path to the file.
Browse Browse to the certificate request file on your local workstation.
As Text Use this text box to copy and paste the content of the certificate request into the dialog (including the "Begin Certificate Request" header and the "End Certificate Request" footer).
Sign The certificate is signed and the Export Certificate dialog opens.

Sign Certificate Request dialog box

Use this dialog box to sign certificate requests for internal VPN gateways.

Option Definition
Sign With If more than one valid internal certificate authority is available, allows you to select which internal CA signs the certificate request.
  • <default internal CA> — The default internal CA element signs the certificate.
  • Select — Allows you to select a CA element. Opens the Select dialog.
Sign Signs the certificate using the selected CA, then closes the window.