Create a VPN certificate or certificate request for a VPN Gateway element

You can create a certificate request and sign it either using an Internal CA for Gateways or an external certificate authority (CA).

If automated RSA certificate management is active for the VPN Gateway, these steps are necessary only in the following cases:
  • You have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways. Only the default CA is used in automated RSA certificate management. You must manually create and renew any certificates that are not signed by the default CA.
  • You want to use DSA certificates.
  • You want to create a certificate request to be signed by an external CA.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Select Gateways.
    The gateways are displayed.
  3. Right-click the VPN Gateway element and select Tools > Generate Certificate.
  4. In the Generate Certificate dialog box, enter the certificate information.
  5. Select the Public Key Algorithm according to the requirements of your organization.
    Note: The Public Key Algorithm can be different from the internal CA type. For example, you can use RSA key algorithm with an Internal ECDSA CA for Gateways.
  6. Select how you want to Sign the certificate.
  7. (Optional) Select the Signature Algorithm used to sign the certificate signing request and for an internal CA to sign the certificate.
    • If you selected an Internal CA for Gateways, you can define the Signature Algorithm if the selected Public Key Algorithm is compatible with the algorithm used by the Internal CA. In other cases, the default algorithm for the Internal CA is used (for example, RSA / SHA-256 for Internal RSA CA for Gateways).
    • If you selected an external certificate authority, you can define a Signature Algorithm that is compatible with the selected Public Key Algorithm type.
  8. (Optional, if supported by the Public Key Algorithm) Enter the Key Length for the generated public-private key pair.
    • The default Key Length depends on the Public Key Algorithm.
    • The Key Length cannot be changed for some Public Key Algorithms.
  9. Click OK.
    There might be a slight delay while the certificate request is generated. If you signed the certificate using an Internal CA for Gateways, the certificate is automatically transferred to the Firewall and no further action is needed.
    The signed certificate or unsigned certificate request is added under the gateway in the gateway list.
  10. (With external certificate authorities only) Right-click the certificate request, select Export Certificate Request, and save it.
    • To generate certificates for a VPN Gateway element, the CA must accept PKCS#10 certificate requests in PEM format (Base64 encoding) and return the signed certificate in PEM format as well. If the CA only accepts or produces another encoding (for example DER), you can usually convert between formats with OpenSSL or the certificate tools included in Windows.
    • The CA must copy all attributes from the certificate request into the certificate. In particular, the X.509 Subject Alternative Name extension must be copied unchanged, because its value is what identifies the gateway in VPN negotiation; a certificate that drops or rewrites the SAN cannot be used for authentication even though it is otherwise valid.
    When you receive the signed certificate, import it.
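The following script is an added example, not part of the SMC documentation or the product. It shows the external-CA side of steps 9 and 10 with OpenSSL: a throwaway CA whose configuration uses copy_extensions = copy so that the Subject Alternative Name from the exported PKCS#10 request ends up unchanged in the signed PEM certificate, followed by the two checks worth running before the import (chain verifies, SAN unchanged). The CA subject, the sample gateway identity vpn-gw1.example.com / 203.0.113.10, and all file names are assumptions; with a real request, skip make_sample_request and copy the exported file to $WORK/gateway.csr.

```shell
#!/bin/sh
# Added example (not from the SMC documentation): minimal external CA that
# signs an exported VPN Gateway request while preserving its SAN extension.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the request the SMC exports: PKCS#10, PEM, with a SAN that
# carries the gateway identity. Subject and SAN values are constructed.
make_sample_request() {
  cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = req_ext
prompt             = no
[ dn ]
O  = Example Org
CN = vpn-gw1.example.com
[ req_ext ]
subjectAltName = DNS:vpn-gw1.example.com,IP:203.0.113.10
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -keyout "$WORK/gateway.key" -out "$WORK/gateway.csr" 2>/dev/null
}

# One-off CA key pair plus the "openssl ca" database files. The line that
# matters for the SMC requirement is copy_extensions = copy: without it the
# request's SAN is silently dropped from the issued certificate.
setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  cat > "$WORK/ca_req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
O  = Example Org
CN = Example External CA
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca_req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = example_ca
[ example_ca ]
database        = $WORK/ca/index.txt
serial          = $WORK/ca/serial
new_certs_dir   = $WORK/ca/newcerts
certificate     = $WORK/ca.pem
private_key     = $WORK/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
copy_extensions = copy
x509_extensions = gateway_cert
unique_subject  = no
[ policy_any ]
organizationName       = optional
organizationalUnitName = optional
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
commonName             = supplied
[ gateway_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
EOF
}

# Sign the request. The output is PEM, which is what the SMC import expects.
sign_request() {
  openssl ca -batch -notext -config "$WORK/ca.cnf" \
    -in "$WORK/gateway.csr" -out "$WORK/gateway.pem" 2>/dev/null
}

# If a CA hands back DER instead of PEM, convert before importing.
to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# The SAN line of a request or certificate; both text dumps use one layout.
san_of_request() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}
san_of_cert() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Pre-import checks: the certificate chains to the CA, and the SAN the
# gateway will be identified by is byte-for-byte what was requested.
check_signed_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/gateway.pem" >/dev/null 2>&1 || return 1
  [ "$(san_of_request "$WORK/gateway.csr")" = "$(san_of_cert "$WORK/gateway.pem")" ]
}

run_example() {
  make_sample_request
  setup_ca
  sign_request
  check_signed_cert
}
```

Run it with `sh script.sh && echo ok` after appending `run_example`; the signed certificate to import is $WORK/gateway.pem. If check_signed_cert fails on a certificate from your own CA, compare the two SAN lines it extracts: a CA that rebuilds extensions from its own template instead of copying them is the usual cause.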

VPN Certificate Request Properties dialog box

Use this dialog box to view the properties of a VPN certificate request, export a VPN certificate request, or import a signed certificate.

General tab

Subject Name: Shows the identifier of the certified entity. Not editable.
Request Type: Shows the requested type of certificate and the message digest algorithm. Not editable.
Key Length: Shows the requested key length. Not editable.
Gateway: Shows the VPN Gateway element for which the certificate request was generated. Not editable.
Sign Internally with: Clicking the link signs the certificate using the default internal certificate authority.
Export: Clicking the link exports the certificate request so that you can sign it using an external certificate authority. Opens the Export Certificate Request dialog box.
Import Certificate: Clicking the link allows you to import a signed certificate. Opens the Import Certificate dialog box.

Certificate tab

Certificate text area: Shows the certificate request as text. You can copy and paste the certificate request into an external application to sign the certificate. The field is not editable.

Generate Certificate dialog box

Use this dialog box to generate a certificate for a VPN Gateway element.

Organization (O) (Optional): The name of your organization as it should appear in the certificate.
Organizational Unit (OU) (Optional): The name of your department or division as it should appear in the certificate.
Country/Region (C) (Optional): Standard two-character country code for the country of your organization.
State/Province (ST) (Optional): The name of the state or province as it should appear in the certificate.
Locality (L) (Optional): The name of the city or locality as it should appear in the certificate.
Common Name (CN): The fully qualified domain name (FQDN) of the VPN Gateway as it should appear in the certificate.
Public Key Algorithm: Select the public key algorithm according to the requirements of your organization.
  • DSA — Digital Signature Algorithm.
  • RSA — RSA key generation algorithm.
  • ECDSA — Elliptic Curve Digital Signature Algorithm, a variant of the Digital Signature Algorithm (DSA) that uses elliptic curve cryptography.
Sign
  With External Certificate Authority: Select this option if you want to create a certificate request that another certificate authority signs.
  Internally with: Select this option to sign the certificate using an Internal CA for Gateways. If more than one valid internal certificate authority is available, select the internal CA that signs the certificate request. There can be multiple valid Internal CAs for Gateways in the following cases:
    • There is both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways.
    • The Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available. Select the new CA in this case.
Key Length: Length of the key for the generated public-private key pair. The default depends on the Public Key Algorithm (2048 bits for RSA), and the value cannot be changed for some Public Key Algorithms.
Gateway: Shows the selected gateway element. Not editable.