Restrict the trusted CAs for a VPN gateway
Certificate Authorities (CA) verify certificate authenticity with their signatures. By default, the gateways trust all VPN CAs, but you can restrict the trusted CAs.
Before you begin
You must have more than one VPN Certificate Authority element.
When you restrict the trusted CAs for a VPN gateway, the VPN gateways accept certificates only from the trusted CAs that you select. When you restrict the trusted CAs for an external VPN gateway, the system uses the trusted CA definition in the External VPN Gateway element to check that all gateways have the necessary certificates.
For more details about the product and how to configure features, click Help or press F1.
Steps
-
Access the
Trusted SD-WAN Certificate Authorities settings in one of the following ways:
- Right-click a Engine element, select Edit <element type>, then browse to .
- Right-click an External SD-WAN Gateway element, select Properties, then click the Trusted CAs tab.
- Select Trust only selected, then select one or more CAs.
-
Save the changes in one of the following ways:
- In the Engine Editor, click Save.
- In the External SD-WAN Gateway Properties dialog box, click OK.
External SD-WAN Gateway Properties dialog box
Use this dialog box to define the properties of an External VPN Gateway element.
Option | Definition |
---|---|
General tab | |
Name | Specifies the unique name of the element. |
Gateway Profile | Shows the selected gateway profile. |
Select | Opens the Select Element dialog box. |
Category | Shows the assigned category. |
Select | Opens the Category Selection dialog box. |
Comment | An optional comment for your own reference. |
Option | Definition |
---|---|
Endpoints tab | |
Search | Opens a search field. Enter a search parameter to locate an endpoint. Clicking X removes the search field. |
New | External Endpoint — Adds an external endpoint IP address. Opens the External Endpoint Properties dialog box. |
Tools |
|
Add | Opens the External Endpoint Properties dialog box. |
Edit | Opens the External Endpoint Properties dialog box for the selected endpoint. |
Remove | Removes the selected endpoint from the list. |
Option | Definition |
---|---|
Sites tab | |
Search | Opens a search field for the selected element list. |
Up (Backspace) | Navigates up one level in the navigation hierarchy. Not available at the top level of the navigation hierarchy. |
Tools |
|
Add | Adds the selected element to the content list. |
Remove | Removes the selected element from the content list. |
Content | Shows the selected elements. |
Option | Definition |
---|---|
Trusted CAs tab | |
Trust All | The gateway accepts any valid CA that is configured, unless restricted in the VPN element. |
Trust only selected | Only selected CAs are accepted. Select the CAs that the Gateway must trust. |
Engine Editor > SD-WAN > Certificates
Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.
Option | Definition |
---|---|
Automated RSA Certificate Management | When selected, RSA certificates are automatically created and renewed.
Note: Only the default certificate authority is used in automated RSA certificate management.
|
Trusted SD-WAN Certificate Authorities | Restricts which certificate authorities the VPN gateway trusts.
|