Select which internal certificate authority signs each certificate

When there is more than one valid CA, you can select which CA signs each certificate.

The Management Server includes a dedicated Internal RSA CA for Gateways for signing VPN certificates. You can optionally also create an Internal ECDSA CA for Gateways. If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority. If you want to sign a certificate with the certificate authority that is not the default CA, you must select which Internal CA for Gateways you want to use.

The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are each valid for 10 years. A new Internal RSA CA for Gateways or Internal ECDSA CA for Gateways is automatically created to replace the default certificate authority six months before the expiration date. The certificate authority that is not selected as the default certificate authority is not automatically renewed. You must manually renew the certificate authority.

If the default certificate authority is in the process of being renewed, there is temporarily an extra valid Internal CA for Gateways. In this case, select the new Internal CA for Gateways to sign the certificate.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the Certificate Properties dialog box, select Other in the Internally with field.
  2. (Optional) Right-click an Internal CA for Gateways and select Properties. Check the following information in the Properties dialog box to make sure that you are selecting the correct Internal CA for Gateways:
    • Validity information in the Valid from and Valid to fields.
    • Status information:
      • Active — You can use this Internal CA for Gateways to sign certificates.
      • Renewal Started — This certificate authority is a new Internal CA for Gateways that the SMC has created automatically. The process of renewing VPN certificates has begun.
      • Expires Soon — A new Internal CA for Gateways has been created but some components might still use certificates signed by this Internal CA for Gateways.
      • Inactive — This Internal CA for Gateways has expired or no SMC components use a certificate signed by this internal VPN CA.
  3. Select the CA you want to use and click Select.

Properties dialog box (VPN Certificate)

Use this dialog box to define the properties of a VPN Certificate.

Option Definition
General tab
Subject Name The identifier of the certified entity.
Public Key Algorithm The algorithm used for the public key.
Key Length Shows the length of the key in bits.
Signature Algorithm Shows the signature algorithm that was used to sign the certificate.
Signed By Shows the CA that signed the certificate.
SubjectAltName The subject alternative name fields of the certificate.
Valid From Shows the start date of certificate validity.
Valid To Shows the end date of certificate validity.
Fingerprint (SHA-1) Shows the certificate fingerprint using the SHA-1 algorithm.
Fingerprint (MD5) Shows the certificate fingerprint using the MD5 algorithm.
Fingerprint (SHA-512) Shows the certificate fingerprint using the SHA-512 algorithm.
Gateway The VPN gateway used.
Option Definition
Certificate tab
Certificate text area Shows the text of the certificate. The field is not editable.