Define additional VPN certificate authorities

If you want to use certificates that are signed by an external CA, define an additional VPN CA.

Before you begin

You must have the root certificate (or a valid certificate) from the certificate authority.

You must define additional VPN CAs in the following cases:
  • In a VPN with an external gateway where you do not want to use the Internal RSA CA for Gateways or the Internal ECDSA CA for Gateways to create a certificate for the external gateway. The external gateway must also be configured to trust the issuer of the certificate.
  • If you want to use a certificate signed by an external CA for a VPN Gateway or for a VPN client.
Note: Only the Internal RSA CA for Gateways and Internal ECDSA CA for Gateways of your SMC are configured as trusted CAs for gateways in VPNs by default. The Internal RSA CA for Gateways is automatically created when you install the SMC.

You can configure the CA as trusted by importing its root certificate or a valid certificate signed by the CA. The certificates must be X.509 certificates in PEM format (Base64 encoding). It might be possible to convert between formats using, for example, OpenSSL or the certificate tools included in Windows.
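As an added example (not part of this product's documentation or tooling), the following standard-library Python script detects whether a certificate file is PEM or DER, converts DER into the PEM (Base64) form the dialog expects, and computes the SHA-1, MD5 and SHA-512 fingerprints that the VPN Certificate Authority element displays after import. The function names are my own, and the sample input is a constructed ASN.1 blob rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def detect_format(data: bytes) -> str:
    """'pem', 'der' or 'unknown': a DER X.509 certificate starts with the ASN.1 SEQUENCE tag 0x30."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"

def pem_to_der(pem: bytes) -> bytes:
    """Strip the PEM header/footer and Base64-decode the body.
    Raises ValueError when the header/footer pair is missing or the Base64 is
    damaged, which are the usual reasons for an 'invalid certificate' error."""
    match = PEM_BLOCK.search(pem.decode("ascii"))
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)

def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armour with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")

def to_pem(data: bytes) -> bytes:
    """Return PEM whatever the input was; PEM input is re-wrapped to normalise it."""
    fmt = detect_format(data)
    if fmt == "pem":
        return der_to_pem(pem_to_der(data))
    if fmt == "der":
        return der_to_pem(data)
    raise ValueError("unsupported certificate format")

def fingerprints(der: bytes) -> dict:
    """SHA-1, MD5 and SHA-512 over the DER bytes, colon-separated hex as the dialog shows them."""
    return {name: ":".join(f"{b:02X}" for b in hashlib.new(name, der).digest())
            for name in ("sha1", "md5", "sha512")}

# Constructed sample input: a minimal DER SEQUENCE (INTEGER 5), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
```

Run `to_pem()` over the bytes of the file you intend to import and feed the result to the Import button; the fingerprints let you confirm the element picked up the certificate you meant.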

The CAs you use can be either private (for self-signed certificates) or public (commercial certificate issuers). When you define a CA as trusted, all certificates signed by that CA are valid until their expiration date (or until the CA's certificate expires). Optionally, you can also set up the SMC to check the certificate revocation status from certificate revocation lists (CRLs) or through the OCSP protocol. The CA can revoke a certificate before it expires, for example, because the certificate has been compromised.

By default, all CAs you have defined are trusted by all gateways and in all VPNs. If necessary, you can limit trust to a subset of the defined CAs when you configure the VPN Gateway and VPN Profile elements. The trust relationships can be changed at the gateway level and in the VPN Profiles.

To obtain a certificate from an external certificate authority, first create a certificate request.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Certificates > VPN Certificate Authorities.
  3. Right-click VPN Certificate Authorities, then select New VPN Certificate Authority.
  4. Type a Name for the element. This name is only for your reference.
    Note: All fields but the Name on the General tab are grayed out. The grayed out fields are always filled in automatically based on information contained in the certificate you import. You cannot change the information in the grayed out fields. The information is shown when you close and reopen the VPN Certificate Authority element after importing the information.
  5. Click the Certificate tab, then do one of the following:
    • Click Import, then import a certificate file.
    • Copy and paste the information into the field on the tab (including the “Begin Certificate” header and “End Certificate” footer).
    Tip: You can copy and paste the certificate information for many public certificate authorities from the default Trusted Certificate Authority elements. The default Trusted Certificate Authority elements are in the Configuration view under Administration > Certificates > Certificate Authorities > Trusted Certificate Authorities.
  6. (Optional) If you want the Firewalls to check the revocation status of certificates signed by this CA, on the Validation tab, select the following options:
    • To activate CRLs for certificate status checking, select Check Validity on Certificate-Specified CRLs.
    • To activate OCSP certificate status checking, select Check Validity on Certificate-Specified OCSP Servers.
  7. (Optional) To define more CRL servers to check in addition to those defined in the certificates, click Add, then select an option:
    • To select an existing element or to define a new LDAP Server element, select LDAP Server Element.
    • To enter the address, select Manual LDAP Server Address.
    Example: ldap://example.com:389
  8. (Optional) To define more OCSP servers to check in addition to those defined in the certificates, click Add, then enter an address.
    Example: http://ocsp.example.com
    CAUTION:
    When certificate checking is defined, all certificates signed by the CA are treated as invalid if the validity check cannot be performed. For example, the validity check might not be performed due to incorrectly entered addresses or connectivity problems.
  9. Click OK.
    If you see an invalid certificate error, the certificate you imported might be in an unsupported format. Try converting the certificate to an X.509 certificate in PEM format (Base64 encoding) using OpenSSL or the certificate tools included in Windows.

    If your Firewall Policy is based on the Firewall Template, both LDAP (port 389) and HTTP (port 80) connections from the Firewall are allowed. If your firewall or server configuration differs from these standard definitions, edit the Firewall Policy to allow the necessary connections from the Firewalls.
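As an added example (not from the product), a small standard-library Python checker for the CRL and OCSP server addresses entered in steps 7 and 8. It flags a wrong scheme, a missing host name and a port that the default Firewall Template does not open, which are the kinds of entry mistakes the caution above warns will make every certificate from the CA invalid. The function names, the sample addresses and the optional TCP probe are my own assumptions.

```python
import socket
from urllib.parse import urlsplit

# Scheme and port the default Firewall Template already allows from the Firewall
# (see the note after step 9); any other port needs a Firewall Policy change.
EXPECTED = {"crl": ("ldap", 389), "ocsp": ("http", 80)}

def check_address(url: str, kind: str) -> list:
    """Problems with a CRL ('crl') or OCSP ('ocsp') server address; [] means well formed."""
    scheme, default_port = EXPECTED[kind]
    problems = []
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if parts.scheme.lower() != scheme:
        problems.append(f"scheme must be {scheme}://, got '{parts.scheme or '(none)'}'")
    if not parts.hostname:
        problems.append("missing host name")
    try:
        port = parts.port
    except ValueError:
        problems.append("port is not a number")
        port = None
    if port is not None and port != default_port:
        problems.append(f"port {port} is not opened by the default Firewall Template")
    return problems

def reachable(url: str, kind: str, timeout: float = 3.0) -> bool:
    """TCP-connect probe; needs network and assumes this host shares the Firewall's path."""
    if check_address(url, kind):
        return False
    parts = urlsplit(url.strip())
    port = parts.port or EXPECTED[kind][1]
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed sample entries, as they would be typed into the dialogs in steps 7 and 8.
SAMPLE_ADDRESSES = [
    ("ldap://example.com:389", "crl"),
    ("http://ocsp.example.com", "ocsp"),
    ("https://ocsp.example.com:443", "ocsp"),  # wrong scheme and port for OCSP
]

def report(entries=SAMPLE_ADDRESSES) -> dict:
    return {url: check_address(url, kind) for url, kind in entries}
```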

VPN Certificate Authority Properties dialog box

Use this dialog box to define the properties of a VPN Certificate Authority element.

General tab

Name: Enter a name for the element. This name is only for your reference.
Note: All fields but the Name on the General tab are grayed out. The grayed out fields are always filled in automatically based on information contained in the certificate you import, and you cannot change the information in them. The information is shown when you close and reopen the VPN Certificate Authority element after importing the information.
Signature Algorithm: Shows the signature algorithm that was used to sign the certificate.
Valid From: Shows the start date of certificate validity.
Valid To: Shows the end date of certificate validity.
Fingerprint (SHA-1): Shows the certificate fingerprint using the SHA-1 algorithm.
Fingerprint (MD5): Shows the certificate fingerprint using the MD5 algorithm.
Fingerprint (SHA-512): Shows the certificate fingerprint using the SHA-512 algorithm.
Status: Shows the status of the certificate.

Certificate tab

Export: Exports the certificate text.
Import: Opens a file browser to import a certificate file.

Validation tab

Check Validity on Certificate-Specified CRLs: When selected, the validity of the certificate is checked against a certificate revocation list.
Additional CRL Servers: Shows the selected CRL servers.
Add: Adds a CRL server to the Additional CRL Servers list.
  • LDAP Server Element — Select an existing element or define a new LDAP Server element.
  • Manual LDAP Server Address — Type the address in the dialog box that opens.
Remove: Removes the selected CRL server.
Check Validity on Certificate-Specified OCSP Servers: Activates OCSP certificate status checking.
Additional OCSP Servers: Shows the selected OCSP servers.
Add: Opens the Add OCSP Server dialog box.
Remove: Removes the selected OCSP server.

Add CRL Server dialog box

Use this dialog box to add a CRL server address to a VPN Certificate Authority element.

Enter a Manual LDAP Server Address: Enter the address of the server. An example of the address is ldap://example.com:389.

Add OCSP Server dialog box

Use this dialog box to add an OCSP server address to a VPN Certificate Authority element.

Enter a Manual OCSP Server Address: Enter the address of the server. An example of the address is http://ocsp.example.com.