Define additional VPN certificate authorities
You can define several certificate authorities.
Before you begin
You must have the root certificate (or a valid certificate signed by the CA) from the certificate authority.
An additional certificate authority is needed in the following cases:
- In a VPN with an external gateway where you do not want to use the Internal RSA CA for Gateways or the Internal ECDSA CA for Gateways to create a certificate for the external gateway. The external gateway must also be configured to trust the issuer of the certificate.
- If you want to use a certificate signed by an external CA for a VPN Gateway or for a VPN client.
You configure a CA as trusted by importing its root certificate or a valid certificate signed by that CA. The certificate must be an X.509 certificate in PEM format (Base64 encoding between BEGIN CERTIFICATE and END CERTIFICATE markers). If the CA provides the certificate in another encoding, for example binary DER, you can usually convert it with OpenSSL or with the certificate tools included in Windows.
The CAs you use can be either private (an in-house CA with a self-signed root certificate) or public (commercial certificate issuers). When you define a CA as trusted, every certificate signed by that CA is accepted until the certificate expires (or until the CA's own certificate expires). Expiration alone does not cover the case where the CA cancels a certificate early, for example because its key is compromised, so optionally you can also set up the SMC to check the revocation status of certificates against certificate revocation lists (CRLs) or through the OCSP protocol.
By default, all CAs you have defined are trusted by all gateways and in all VPNs. If necessary, you can limit trust to a subset of the defined CAs at the gateway level, when you configure the VPN Gateway element, and per VPN, in the VPN Profile element.
To obtain a certificate from an external certificate authority, first create a certificate request.
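The preparation steps described above (converting the CA certificate to PEM, confirming it is a CA certificate, reading the fingerprints that the element will display, and locating the certificate-specified CRL and OCSP addresses that the Validation tab refers to), as an added shell example. This is not part of the SMC documentation or the product; it only uses the openssl command line (1.1.1 or later, for -addext) and mktemp. The test CA, the gateway certificate it signs, and the addresses crl.example.com and ocsp.example.com are constructed for the example and stand in for a real external CA.

```shell
#!/bin/sh
# Added example, not from the SMC documentation: prepare an external CA's
# certificate for import as a VPN Certificate Authority element and check the
# values the element's General and Validation tabs will show.
# Assumes openssl (1.1.1+) and mktemp on PATH; all files and URLs are constructed.
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for the external CA's root certificate. The CRL and
# OCSP URLs are placeholders for what a real CA embeds in the certificates it issues.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example External VPN CA" \
        -addext "crlDistributionPoints=URI:http://crl.example.com/ca.crl" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.com" \
        >/dev/null 2>&1
    echo "$WORK/ca.pem"
}

# Windows tools often export binary DER (.cer); the element needs PEM.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }
pem_to_der() { openssl x509 -inform PEM -in "$1" -outform DER -out "$2"; }

# PEM is Base64 between BEGIN/END CERTIFICATE markers.
is_pem_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Import the CA certificate, not a gateway's leaf certificate: only the CA
# carries basicConstraints CA:TRUE.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Fingerprint as the General tab shows it (digest of the DER encoding).
# $2 is sha1, md5 or sha512. Compare the SHA-512 value against what the CA
# publishes out of band; MD5 is not collision resistant.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2; }

# The "certificate-specified" CRL and OCSP locations come from the CRL
# Distribution Points and Authority Information Access extensions.
crl_urls()  { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'; }
ocsp_urls() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *OCSP - URI:\(.*\)$/\1/p'; }

# Issue a gateway certificate from the test CA so the trust relationship can be shown.
make_gateway_cert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/gw.key" \
        -out "$WORK/gw.csr" -subj "/CN=vpn-gw.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/gw.csr" -CA "$1" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -out "$WORK/gw.pem" >/dev/null 2>&1
    echo "$WORK/gw.pem"
}

# Exit 0 when certificate $2 chains to CA certificate $1 (what "trusted CA" means
# for a gateway certificate, before any revocation check).
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

main() {
    ca="$(make_test_ca)"
    pem_to_der "$ca" "$WORK/ca.der"
    der_to_pem "$WORK/ca.der" "$WORK/ca-roundtrip.pem"
    is_pem_cert "$WORK/ca-roundtrip.pem" && is_ca_cert "$ca" || exit 1
    echo "SHA-1:   $(fingerprint "$ca" sha1)"
    echo "SHA-512: $(fingerprint "$ca" sha512)"
    echo "CRL:     $(crl_urls "$ca")"
    echo "OCSP:    $(ocsp_urls "$ca")"
    gw="$(make_gateway_cert "$ca")"
    chains_to_ca "$ca" "$gw" && echo "gateway certificate chains to the CA"
}

main "$@"
```

Run it with a real CA certificate by replacing the make_test_ca output with the file you received; if is_ca_cert fails on it, you were given a leaf certificate rather than the CA's, and the fingerprints printed must match the ones the dialog shows after import.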
For more details about the product and how to configure features, click Help or press F1.
Steps
VPN Certificate Authority Properties dialog box
Use this dialog box to define the properties of a VPN Certificate Authority element.
Option | Definition |
---|---|
General tab | |
Name | Enter a name for the element. This name is only for your reference. Note: All fields but the Name on the General tab are grayed out. The grayed-out fields are filled in automatically from the certificate you import and cannot be edited. The information is shown when you close and reopen the VPN Certificate Authority element after importing the certificate. |
Signature Algorithm | Shows the signature algorithm that was used to sign the certificate. |
Valid From | Shows the start date of certificate validity. |
Valid To | Shows the end date of certificate validity. |
Fingerprint (SHA-1) | Shows the certificate fingerprint using the SHA-1 algorithm. |
Fingerprint (MD5) | Shows the certificate fingerprint using the MD5 algorithm. MD5 is not collision resistant, so do not rely on this value alone to identify the certificate. |
Fingerprint (SHA-512) | Shows the certificate fingerprint using the SHA-512 algorithm. Compare this value against the fingerprint the CA publishes out of band before trusting the imported certificate. |
Status | The status of the certificate. |
Option | Definition |
---|---|
Certificate tab | |
Export | Exports the certificate text. |
Import | Opens a file browser to import a certificate file. |
Option | Definition |
---|---|
Validation tab | |
Check Validity on Certificate-Specified CRLs | When selected, the revocation status of certificates signed by this CA is checked against the certificate revocation lists (CRLs) at the CRL distribution points listed in the certificates themselves. |
Additional CRL Servers | Shows the CRL servers you have added. These are checked in addition to the CRL distribution points listed in the certificates. |
Add | Opens the Add CRL Server dialog box to add a CRL server to the Additional CRL Servers list. |
Remove | Removes the selected CRL server. |
Check Validity on Certificate-Specified OCSP Servers | When selected, revocation status is checked through OCSP against the OCSP responders listed in the certificates themselves. |
Additional OCSP Servers | Shows the OCSP servers you have added. These are queried in addition to the OCSP responders listed in the certificates. |
Add | Opens the Add OCSP Server dialog box. |
Remove | Removes the selected OCSP server. |
Add CRL Server dialog box
Use this dialog box to add a CRL server address to a VPN Certificate Authority element.
Option | Definition |
---|---|
Enter a Manual LDAP Server Address | Enter the address of the server. An example of the address is ldap://example.com:389. |
Add OCSP Server dialog box
Use this dialog box to add an OCSP server address to a VPN Certificate Authority element.
Option | Definition |
---|---|
Enter a Manual OCSP Server Address | Enter the address of the server. An example of the address is http://ocsp.example.com. |