To implement the use of certificates for VPN policies, you must locate a source for a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you can import it into the SonicWALL security appliance to validate your Local Certificates. You import the CA certificate into the SonicWALL security appliance using the System > Certificates page; once it is imported, you can use it to validate your local certificates.
This chapter contains the following sections:
A digital certificate is an electronic means to verify identity by a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows you to define extensions which you can include with your certificate. SonicWALL has implemented this standard in its third party certificate support.
A certificate signed and verified by a third party CA can be used with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up SAs (Security Associations). Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.
A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user's public key, the Distinguished Name (DN), the validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.
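The two sections described above can be seen directly in a certificate's DER encoding: the outer SEQUENCE holds the TBSCertificate (the data section), an AlgorithmIdentifier, and a BIT STRING (the signature section). The following example, added here and not part of the SonicWALL guide, builds a small constructed v3 certificate in memory (dummy key, zero-filled signature, a Key Usage extension and a Subject Alternative Name) and then walks the DER back apart to report the fields the paragraph lists. The names vpn.example.net, admin@example.net and Example Root CA are constructed values.

```python
"""Split a DER-encoded X.509 v3 certificate into its data section (the
TBSCertificate) and its signature section. Added example for this page, not
SonicWALL code: the certificate is constructed in memory with a dummy key."""
SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
RSA_ENC = "1.2.840.113549.1.1.1"       # rsaEncryption
OID_CN, OID_KEY_USAGE, OID_SAN = "2.5.4.3", "2.5.29.15", "2.5.29.17"
def _length(n):                        # DER length: short form below 128 bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def tlv(tag, body):                    # tag, length, value
    return bytes([tag]) + _length(len(body)) + body
def der_int(n):  # one bit of headroom keeps positive values from looking negative
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def der_oid(dotted):                   # base-128 encoding of an object identifier
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, out)
def der_name(cn):  # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    return tlv(0x30, tlv(0x31, tlv(0x30, der_oid(OID_CN) + tlv(0x0C, cn.encode()))))
def der_utctime(text):                 # UTCTime such as "240101000000Z"
    return tlv(0x17, text.encode())

def build_sample_certificate():        # constructed sample, not a real certificate
    alg_id = tlv(0x30, der_oid(SHA256_RSA) + tlv(0x05, b""))
    dummy_key = tlv(0x30, der_int(0xC0FFEE) + der_int(65537))  # not a real RSA key
    spki = tlv(0x30, tlv(0x30, der_oid(RSA_ENC) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + dummy_key))
    key_usage = tlv(0x30, der_oid(OID_KEY_USAGE) + tlv(0x01, b"\xff")
                    + tlv(0x04, tlv(0x03, b"\x07\x80")))     # critical, digitalSignature
    san = tlv(0x30, der_oid(OID_SAN) + tlv(0x04, tlv(0x30, tlv(0x82, b"vpn.example.net")
                                                       + tlv(0x81, b"admin@example.net"))))
    validity = tlv(0x30, der_utctime("240101000000Z") + der_utctime("250101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, der_int(2)) + der_int(0x1A2B3C) + alg_id      # v3, serial
              + der_name("Example Root CA") + validity + der_name("vpn.example.net")
              + spki + tlv(0xA3, tlv(0x30, key_usage + san)))
    return tlv(0x30, tbs + alg_id + tlv(0x03, b"\x00" + bytes(32)))   # dummy signature

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(body):                # all TLVs directly inside a constructed body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out
def oid_to_str(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))
def name_to_str(body):
    parts = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{oid_to_str(oid)}={val.decode()}")
    return ",".join(parts)

def describe_certificate(der):
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), (_, sig_val) = der_children(cert)   # the two sections
    f = der_children(tbs)
    _, version, _ = der_read(f[0][1])                # [0] EXPLICIT INTEGER; 2 means v3
    extensions = {}
    if len(f) > 7 and f[7][0] == 0xA3:               # [3] EXPLICIT SEQUENCE OF Extension
        for _, ext in der_children(der_children(f[7][1])[0][1]):
            parts = der_children(ext)                # extnID, [critical], extnValue
            extensions[oid_to_str(parts[0][1])] = parts[-1][1]
    san_seq = der_read(extensions.get(OID_SAN, b"\x30\x00"))[1]
    return {
        "data": {
            "version": int.from_bytes(version, "big") + 1,
            "serial": int.from_bytes(f[1][1], "big"),
            "issuer": name_to_str(f[3][1]),
            "validity": tuple(v.decode() for _, v in der_children(f[4][1])),
            "subject": name_to_str(f[5][1]),
            "extensions": sorted(extensions),
            "subject_alt_names": [v.decode() for _, v in der_children(san_seq)],
        },
        "signature": {"algorithm": oid_to_str(der_children(sig_alg)[0][1]),
                      "length": len(sig_val) - 1},   # first byte is the unused-bit count
    }
```

Calling describe_certificate(build_sample_certificate()) returns the version (3), serial, issuer and subject DNs, the validity window, the extension OIDs present and the decoded Subject Alternative Names under "data", and the signing algorithm OID and signature length under "signature". The reader functions work on any DER certificate with this standard layout, so the same call can be pointed at a real exported .der or .cer file.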
SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWALL security appliances have been tested with the following vendors of Certificate Authority Certificates:
The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.
The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:
The Certificates and Certificate Requests table displays the following information about your certificates:
• Type - the type of certificate, which can include CA or Local.
• Expires - the date and time the certificate expires.
• Details - the details of the certificate. Moving the pointer over the icon displays the details of the certificate.
• Configure - displays the edit and delete icons for editing or deleting a certificate entry.
Clicking on the icon in the Details column of the Certificates and Certificate Requests table lists information about the certificate, which may include the following, depending on the type of certificate:
The details shown in the Details mouseover popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests since this information is generated by the Certificate provider. Similarly, CRL Status information is shown only for CA certificates and varies depending on the CA certificate configuration.
After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.
To import a certificate from a certificate authority, perform these steps:
Step 1: Click Import. The Import Certificate window is displayed.
Step 2: Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.
Step 4: Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
To import a local certificate, perform these steps:
Step 1: Click Import. The Import Certificate window is displayed.
Step 5: Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.
To delete the certificate, click the delete icon. You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication.
To generate a local certificate, follow these steps:
Step 1: Click the New Signing Request button. The Certificate Signing Request window is displayed.
Step 2: In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.
You can also attach an optional Subject Alternative Name to the certificate, such as the Domain Name or E-mail Address.
Step 4: The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data.
Step 6: Click Generate to create a certificate signing request file. Once the Certificate Signing Request is generated, a message describing the result is displayed.
Step 7: Click Export to download the file to your computer, then click Save to save it to a directory on your computer. You have generated the Certificate Request that you can send to your Certificate Authority for validation.
The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP:
More information about SCEP can be found at:
To use SCEP to issue certificates, follow these steps:
Step 3: In the CSR List pulldown menu, the UI automatically selects a default CSR list. If you have multiple CSR lists configured, you can change this selection.
Step 4: In the CA URL field, enter the URL of the Certificate Authority.
Step 5: In the Challenge Password field, enter the password for the CA if one is required.
Step 6: In the Polling Interval(S) field, you can modify the default value for the time in seconds between polling messages.
Step 7: In the Max Polling Time(S) field, you can modify the default value for the time the firewall waits for a response to a polling message before timing out.
Step 8: Click the Scep button to submit the SCEP enrollment.
The firewall will then contact the CA to request the certificate. The time this takes depends on whether the CA issues certificates automatically or manually. The Log > View page will display messages on the status of the SCEP enrollment and issuance of the certificate. After the certificate is issued, it will be displayed in the list of available certificates on the System > Certificates page, under the Imported certificates and requests category.
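The enrollment just described is a submit-then-poll exchange: the firewall sends the CSR in a PKCSReq, and while the CA answers PENDING (manual issuance) it keeps sending CertPoll messages spaced by the Polling Interval, giving up if a reply does not arrive within the Max Polling Time. The following example, added here and not SonicWALL's implementation, models that loop with a constructed stub CA and an injected clock so that automatic issuance, operator-approved issuance, rejection and an unresponsive CA can all be walked through offline; StubCA, FakeClock, scep_enroll and the PEM placeholder are all assumptions of this example, and the two timing settings are modelled as this page describes them.

```python
"""Polling phase of a SCEP enrollment with the Polling Interval(S) and Max
Polling Time(S) settings. Added example for this page, not SonicWALL code:
the CA is a constructed stub and the clock is injected, so nothing sleeps."""
PENDING, SUCCESS, FAILURE, TIMEOUT = "PENDING", "SUCCESS", "FAILURE", "TIMEOUT"
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----"

class StubCA:
    """Constructed SCEP responder: answers PENDING until approve_after_polls
    messages have been seen, then returns `outcome` (SUCCESS or FAILURE).
    approve_after_polls=0 models a CA that issues automatically."""
    def __init__(self, approve_after_polls, outcome=SUCCESS, response_delay_s=1.0):
        self.approve_after_polls, self.outcome = approve_after_polls, outcome
        self.response_delay_s, self.polls = response_delay_s, 0

    def submit(self, csr):                  # PKCSReq carrying the CSR
        return self.poll(csr)

    def poll(self, csr):                    # CertPoll for the same transaction
        self.polls += 1
        if self.polls > self.approve_after_polls:
            cert = SAMPLE_CERT if self.outcome == SUCCESS else None
            return self.outcome, cert, self.response_delay_s
        return PENDING, None, self.response_delay_s

class FakeClock:
    """Deterministic clock so the exchange can be replayed without sleeping."""
    def __init__(self):
        self.now = 0.0
    def time(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def scep_enroll(ca, csr, polling_interval_s, max_polling_time_s, clock):
    """Submit the CSR and poll until the CA issues, rejects, or stops answering.
    Returns (status, certificate_or_None, log_lines) where log_lines resemble
    the status messages an administrator would look for on the Log > View page."""
    log, start = [], clock.time()

    def exchange(label, send):
        status, cert, delay = send()
        if delay > max_polling_time_s:      # Max Polling Time(S): reply limit per message
            clock.sleep(max_polling_time_s)
            log.append(f"t={clock.time() - start:.0f}s {label}: no reply within "
                       f"{max_polling_time_s:.0f}s, enrollment timed out")
            return TIMEOUT, None
        clock.sleep(delay)
        log.append(f"t={clock.time() - start:.0f}s {label}: CA answered {status}")
        return status, cert

    status, cert = exchange("PKCSReq", lambda: ca.submit(csr))
    while status == PENDING:
        clock.sleep(polling_interval_s)     # Polling Interval(S): gap between CertPolls
        status, cert = exchange("CertPoll", lambda: ca.poll(csr))
    return status, cert, log
```

With an automatically issuing CA (StubCA(0)) the enrollment completes on the PKCSReq alone; with StubCA(3, response_delay_s=2.0) and a 30 second interval the firewall sends three CertPolls and finishes at t=98s; a CA whose reply takes longer than the Max Polling Time ends the enrollment with TIMEOUT, which is the case to look for in the log when a certificate never appears under Imported certificates and requests.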