Restrict the trusted CAs for a VPN gateway

Certificate Authorities (CA) verify certificate authenticity with their signatures. By default, the gateways trust all VPN CAs, but you can restrict the trusted CAs.

Before you begin

You must have more than one VPN Certificate Authority element.

When you restrict the trusted CAs for a VPN gateway, the VPN gateways accept certificates only from the trusted CAs that you select. When you restrict the trusted CAs for an external VPN gateway, the system uses the trusted CA definition in the External VPN Gateway element to check that all gateways have the necessary certificates.

Tip: You can also restrict trusted CAs in VPN Profiles.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Access the Trusted VPN Certificate Authorities settings in one of the following ways:
    • Right-click a Firewall element, select Edit <element type>, then browse to VPN > Certificates.
    • Right-click an External VPN Gateway element, select Properties, then click the Trusted CAs tab.
  2. Select Trust only selected, then select one or more CAs.
  3. Save the changes in one of the following ways:
    • In the Engine Editor, click Save.
    • In the External VPN Gateway Properties dialog box, click OK.

External VPN Gateway Properties dialog box

Use this dialog box to define the properties of an External VPN Gateway element.

Option Definition
General tab
Name Specifies the unique name of the element.
Gateway Profile Shows the selected gateway profile.
Select Opens the Select Element dialog box.
Category Shows the assigned category.
Select Opens the Category Selection dialog box.
Comment An optional comment for your own reference.
Option Definition
Endpoints tab
Search Opens a search field. Enter a search parameter to locate an endpoint. Clicking X removes the search field.
New External Endpoint — Adds an external endpoint IP address. Opens the External Endpoint Properties dialog box.
Tools
  • Expand All — Expands all elements.
  • Collapse All — Collapses all elements.
  • Refresh View — Updates the element list.
  • Remove — Removes the selected row from the table.
Add Opens the External Endpoint Properties dialog box.
Edit Opens the External Endpoint Properties dialog box for the selected endpoint.
Remove Removes the selected endpoint from the list.
Option Definition
Sites tab
Search Opens a search field for the selected element list.
Up (Backspace) Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
Add Adds the selected element to the content list.
Remove Removes the selected element from the content list.
Content Shows the selected elements.
Option Definition
Trusted CAs tab
Trust All The gateway accepts any valid CA that is configured, unless restricted in the VPN element.
Trust only selected Only selected CAs are accepted. Select the CAs that the Gateway must trust.

Engine Editor > VPN > Certificates

Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.

Option Definition
Automated RSA Certificate Management When selected, RSA certificates are automatically created and renewed.
Note: Only the default certificate authority is used in automated RSA certificate management.
Trusted VPN Certificate Authorities Restricts which certificate authorities the VPN gateway trusts.
  • Trust all — The VPN gateway trusts all certificate authorities. This option is the default setting.
  • Trust only selected — The VPN gateway trusts only the certificate authorities that you select in the table.