Define additional VPN certificate authorities
If you want to use certificates that are signed by an external CA, define an additional VPN CA.
Before you begin
You must have the root certificate (or a valid certificate) from the certificate authority.
Define an additional VPN CA in the following cases:
- In a VPN with an external gateway where you do not want to use the Internal RSA CA for Gateways or the Internal ECDSA CA for Gateways to create a certificate for the external gateway. The external gateway must also be configured to trust the issuer of the certificate.
- If you want to use a certificate signed by an external CA for a VPN Gateway or for a VPN client.
You can configure the CA as trusted by importing its certificate to VPN Certificate Authorities. The certificates must be X.509 certificates in PEM format (Base64 encoding). It might be possible to convert between formats using, for example, OpenSSL or the certificate tools included in Windows.
The CAs you use can be either private (for self-signed certificates) or public (commercial certificate issuers). When you define a CA as trusted, all certificates signed by that CA are valid until their expiration date (or until the CA’s certificate expires). Optionally, you can also enable certificate revocation checking by the VPN gateways by enabling the validity check options in the properties of the VPN Certificate Authority element. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) are supported when the issued certificates contain pointers to the revocation information. The CA can revoke a certificate, for example, because it has been compromised.
By default, all CAs you have defined are trusted by all gateways and in all VPNs. If necessary, you can limit trust to a subset of the defined CAs when you configure the VPN Gateway and VPN Profile elements. The trust relationships can be changed at the gateway level and in the VPN Profiles.
To obtain a certificate from an external certificate authority, first create an element for the certificate authority.
For more details about the product and how to configure features, click Help or press F1.
Steps
Next steps
If you see an invalid certificate error, the certificate you imported might be in an unsupported format. Try converting the certificate to an X.509 certificate in PEM format (Base64 encoding) using OpenSSL or the certificate tools included in Windows.
If your Firewall Policy is based on the Firewall Template, both LDAP (port 389) and HTTP (port 80) connections from the Firewall are allowed. If your firewall or server configuration differs from these standard definitions, edit the Firewall Policy to allow the necessary connections from the Firewalls.
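As an added example (not part of this documentation or the product's own tooling), the following standard-library Python script performs the pre-import checks described above: it normalizes a DER file or an oddly wrapped PEM file to the Base64 PEM form the import expects, computes the SHA-1, MD5 and SHA-512 fingerprints shown in the dialog box, and reports whether an issued certificate carries the CRL or OCSP pointers that revocation checking relies on. The pointer detection is a byte-level heuristic rather than a full X.509 parse, and the sample bytes are constructed, not a real certificate.

```python
"""Pre-import checks for a CA certificate: normalize PEM/DER input to the PEM form
the import accepts, compute the dialog's fingerprints, and look for the CRL/OCSP
pointers the validity-check options rely on (byte heuristic, not a full ASN.1 parse)."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CRL_DP_OID = bytes.fromhex("0603551d1f")           # DER of id-ce-cRLDistributionPoints
OCSP_OID = bytes.fromhex("06082b06010505073001")   # DER of id-ad-ocsp (AIA accessMethod)

def to_der(data: bytes) -> bytes:
    """Accept PEM (any line endings or wrapping) or raw DER and return DER bytes."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # a DER certificate always starts with a SEQUENCE tag
        raise ValueError("not a PEM certificate and not DER: unsupported format")
    return data

def to_pem(der: bytes) -> str:
    """Canonical Base64 PEM with 64-character lines and LF line endings."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprints(der: bytes) -> dict:
    """SHA-1, MD5 and SHA-512 fingerprints (hash of the DER) in colon-separated hex."""
    return {n: ":".join(f"{b:02X}" for b in hashlib.new(n, der).digest())
            for n in ("sha1", "md5", "sha512")}

def revocation_pointers(der: bytes) -> dict:
    """Report whether CRL DP / OCSP OIDs are present and list the URI GeneralNames
    ([6] tag 0x86 with a short-form length) that carry the server addresses."""
    uris = []
    for m in re.finditer(rb"\x86([\x01-\x7f])", der):
        n = m.group(1)[0]
        s = der[m.end():m.end() + n]
        if len(s) == n and s[:4] in (b"http", b"ldap"):
            uris.append(s.decode("ascii", "replace"))
    return {"crl": CRL_DP_OID in der, "ocsp": OCSP_OID in der, "uris": uris}

# Constructed sample (not a real certificate): DER-like bytes with a CRL and an OCSP pointer.
SAMPLE_DER = (b"\x30\x82\x01\x00" + CRL_DP_OID + b"\x86\x1cldap://crl.example.com:389/x"
              + OCSP_OID + b"\x86\x17http://ocsp.example.com" + b"\x00" * 8)

if __name__ == "__main__":
    der = to_der(to_pem(SAMPLE_DER).encode())  # PEM round trip of the sample
    print(fingerprints(der)["sha1"], revocation_pointers(der), sep="\n")
```

Run it on a real CA file by passing the file's bytes to to_der; an exception from to_der is the same condition that produces the invalid certificate error on import.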
VPN Certificate Authority Properties dialog box
Use this dialog box to define the properties of a VPN Certificate Authority element.
Option | Definition |
---|---|
General tab | |
Name | Enter a name for the element. This name is only for your reference. Note: All fields but the Name on the General tab are grayed out. The grayed out fields are always filled in automatically based on information contained in the certificate you import and you cannot change the information in them. The information is shown when you close and reopen the VPN Certificate Authority element after importing the information. |
Signature Algorithm | Shows the signature algorithm that was used to sign the certificate. |
Valid From | Shows the start date of certificate validity. |
Valid To | Shows the end date of certificate validity. |
Fingerprint (SHA-1) | Shows the certificate fingerprint using the SHA-1 algorithm. |
Fingerprint (MD5) | Shows the certificate fingerprint using the MD5 algorithm. |
Fingerprint (SHA-512) | Shows the certificate fingerprint using the SHA-512 algorithm. |
Status | Shows the status of the certificate. |
Check Validity on Certificate-Specified CRLs | Select this option if you want the Firewalls to check the revocation status of certificates signed by this CA on a certificate revocation list. |
Check Validity on Certificate-Specified OCSP Servers | Select this option if you want the Firewalls to check the revocation status of certificates signed by this CA on an OCSP server. |
Option | Definition |
---|---|
Certificate tab | |
Export | Exports the certificate text. |
Import | Opens a file browser to import a certificate file. |
Add CRL Server dialog box
Use this dialog box to add a CRL server address to a VPN Certificate Authority element.
Option | Definition |
---|---|
Enter a Manual LDAP Server Address | Enter the address of the server. An example of the address is ldap://example.com:389. |
Add OCSP Server dialog box
Use this dialog box to add an OCSP server address to a VPN Certificate Authority element.
Option | Definition |
---|---|
Enter a Manual OCSP Server Address | Enter the address of the server. An example of the address is http://ocsp.example.com. |