To use certificates in VPN policies, you must obtain a valid CA certificate from a third-party CA service. Once you have a valid CA certificate, you import it into the SonicWALL security appliance on the System > Certificates page and use it to validate your local certificates.
A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support.
You can use a certificate signed and verified by a third-party CA with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up security associations (SAs). Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.
A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, the certificate serial number, information about the user's public key, the Distinguished Name (DN), the validity period of the certificate, and optional information such as the intended use of the certificate. The signature section identifies the cryptographic algorithm used by the issuing CA and contains the CA's digital signature.
SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWALL security appliances have been tested with the following vendors of Certificate Authority Certificates:
The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.
The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:
• All Certificates - displays all certificates and certificate requests.
• Imported certificates and requests - displays all imported certificates and generated certificate requests.
• Built-in certificates - displays all certificates included with the SonicWALL security appliance.
• Include expired and built-in certificates - displays all expired and built-in certificates.
The Certificates and Certificate Requests table displays the following information about your certificates:
• Certificate - the name of the certificate.
• Type - the type of certificate, which can be CA or Local.
• Validated - the validation information.
• Expires - the date and time the certificate expires.
• Details - the details of the certificate. Moving the pointer over the Details icon displays them in a popup.
  – Also displays the Import icon.
Clicking the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate. The details shown in the Details mouseover popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for pending requests, since this information is generated by the certificate provider. Similarly, CRL Status information is shown only for CA certificates and varies depending on the CA certificate configuration.
After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.
To import a certificate from a certificate authority, perform these steps:
Step 1
Step 2: Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
Step 3: Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.
Step 4: Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
Step 5: Moving your pointer to the Details icon displays the certificate details.
To import a local certificate, perform these steps:
Step 1
Step 2: Enter a certificate name in the Certificate Name field.
Step 3: Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.
Step 4: Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.
Step 5: Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
Step 6: Moving your pointer to the Details icon displays the certificate details.
To delete the certificate, click the delete icon. You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication.
Tip: You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.
To generate a local certificate, follow these steps:
Step 1: Click the New Signing Request button. The Certificate Signing Request window is displayed.
Step 2: In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
Step 3: Select the Request field type from the menu, then enter information for the certificate in the Request fields. As you enter information in the Request fields, the Distinguished Name (DN) is created in the Subject Distinguished Name field. You can also attach an optional Subject Alternative Name to the certificate, such as the Domain Name or E-mail Address.
Step 4: The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data.
Step 5: Select a Subject Key size from the Subject Key Size menu.
Note: Not all key sizes are supported by a Certificate Authority, therefore you should check with your CA for supported key sizes.
Step 6: Click Generate to create a certificate signing request file. Once the Certificate Signing Request is generated, a message describing the result is displayed.
Step 7: Click Export to download the file to your computer, then click Save to save it to a directory on your computer. You have generated the Certificate Request that you can send to your Certificate Authority for validation.
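The full flow this page describes, as an added example that is not SonicWALL's own tooling: the openssl command line builds the signing request from Steps 1 through 7 (subject DN from the Request fields, an optional Subject Alternative Name, a chosen key size), has a constructed stand-in CA sign it, checks the issued local certificate against the CA certificate the way the appliance does once both are imported, and produces the PKCS#7 (.p7b), DER (.cer) and password-protected PKCS#12 files that the two import procedures above accept. Every name, path, key size and password in it is an assumption made for this example.

```shell
#!/bin/sh
# Added example, not SonicWALL tooling: the certificate lifecycle this page
# describes, driven with openssl so each file can be checked before it is
# uploaded on the System > Certificates page. A self-signed CA constructed here
# stands in for the third-party CA; all names, paths and values are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY_BITS="${KEY_BITS:-2048}"                           # "Subject Key Size"; confirm with your CA
P12_PASSWORD="${P12_PASSWORD:-example-only-password}"  # constructed, never reuse

# Steps 1-3: a signing request whose subject DN comes from the Request fields and
# whose Subject Alternative Name carries a domain name and an e-mail address.
# prompt=no takes the DN from this file, so nothing depends on the system openssl.cnf.
make_csr() {
    cat > "$WORK/local.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = US
O = Example Corp (constructed)
CN = vpn.example.test
[ v3_req ]
subjectAltName = DNS:vpn.example.test, email:vpn-admin@example.test
EOF
    openssl req -new -newkey "rsa:$KEY_BITS" -nodes -sha256 -config "$WORK/local.cnf" \
        -keyout "$WORK/local.key" -out "$WORK/local.csr" 2>/dev/null
    # Step 6: check the request's self-signature before exporting it to the CA.
    openssl req -in "$WORK/local.csr" -noout -verify 2>/dev/null
}

# Stand-in for the third-party CA: a self-signed root marked CA:TRUE.
make_test_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Example CA (constructed)
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# What the CA service does with the exported request: sign it. The SAN is
# restated here because "openssl x509 -req" does not copy request extensions.
issue_local_cert() {
    cat > "$WORK/local.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vpn.example.test, email:vpn-admin@example.test
EOF
    openssl x509 -req -in "$WORK/local.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$WORK/local.ext" -out "$WORK/local.pem" 2>/dev/null
}

# The encodings the Import Certificate window lists: DER (.cer) and PKCS#7 (.p7b)
# for the CA certificate, password-protected PKCS#12 for the local certificate.
# SHA-1/3DES PBE keeps the .p12 readable by importers older than OpenSSL 3's defaults.
package_for_import() {
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
    openssl crl2pkcs7 -nocrl -certfile "$WORK/ca.pem" -outform DER -out "$WORK/ca.p7b"
    openssl pkcs12 -export -in "$WORK/local.pem" -inkey "$WORK/local.key" -certfile "$WORK/ca.pem" \
        -name "vpn.example.test" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASSWORD" -out "$WORK/local.p12"
}

# Exit 0 only if the PKCS#12 MAC verifies under the given password (Certificate Management Password).
check_p12_password() {
    openssl pkcs12 -in "$WORK/local.p12" -passin "pass:$1" -noout >/dev/null 2>&1
}

# What the "Validated" and "Expires" columns reflect: chains to the CA and is not expired.
validate_local_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/local.pem" >/dev/null 2>&1 &&
        openssl x509 -in "$WORK/local.pem" -noout -checkend 0 >/dev/null
}

# The data section as the Details popup shows it, plus the issued SAN line.
cert_details() {
    openssl x509 -in "$WORK/local.pem" -noout -serial -subject -issuer -enddate
    openssl x509 -in "$WORK/local.pem" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

main() {
    make_csr; make_test_ca; issue_local_cert; package_for_import
    validate_local_cert && cert_details
}
main
```

Run it as-is to get the files in a temporary directory; set KEY_BITS to a size your CA supports (Step 5) and P12_PASSWORD to the value you will enter in the Certificate Management Password field. The SHA-1/3DES PBE options on the PKCS#12 export are there because OpenSSL 3 defaults to AES-256 with PBKDF2, which older importers may not read; if your appliance firmware accepts the defaults, those three options can be dropped.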