
7 Browse to the path in which you saved the peer CA certificate and select it.

VPN-1 reads the certificate and displays its details. It is possible to verify the details. If required, the SHA-1 and MD5 fingerprints of the CA certificate are displayed.

8 Click OK.

Trusting an Entrust CA

When an Entrust CA is trusted, a CA configuration file is required. This file, usually named Entrust.ini, includes a number of parameters used when VPN-1 connects to the CA for the enrollment process. Obtain this file from the CA administrator in advance.

If the CA is defined only for validating certificates sent by VPN peers, then the CA certificate must also be obtained in advance.

In order to define the CA, proceed as follows:

1 Open Manage > Servers...

The Servers window is displayed.

2 Choose New > Certificate Authority.

3 Enter the Name of the CA object and select the Entrust PKI CA type.

4 Go to the Entrust PKI tab.

This tab includes specific details about the Entrust CA.

5 Choose the appropriate Entrust CA version.

VPN-1 Pro supports Entrust 3.0, 4.0, 5.0 and 6.0. (For Entrust 6.0 select version 5.0).

6 In the Configuration field click Get..., browse to the Entrust.ini location and select the file.

7 If the Entrust CA is trusted only for validation of certificates sent to the VPN-1 modules managed by this SmartCenter server, browse to the path in which you saved the peer CA certificate and select it.

VPN-1 reads the certificate and displays its details. It is possible to verify the details. If required, the SHA-1 and MD5 fingerprints of the CA certificate are displayed.

8 Click OK.

Enrollment – Step-By-Step

The enrollment process for gateways is different for each CA type. The steps for obtaining a certificate for a module are given below, per CA type.

Key Generation and Storage on the Module

Usually, the SmartCenter server generates the key pair and downloads the keys and the certificate to the module when the policy is installed. Sometimes the security requirements demand that the private key be created and stored on the module and never leave the module. In this case, the SmartCenter server asks the module to create the key pair. The module stores the private key locally and sends the public key to the SmartCenter server. The SmartCenter server then downloads the certificate to the module during policy installation.

To cause the keys to be generated and stored on the module, the administrator must choose Store Keys on the Module in the Certificate Properties window during the certificate generation process.

Local key storage is supported for all CA types except Entrust.

Enrollment with Internal CA

Since every internally managed entity with VPN-1 Pro or VPN-1 Net installed on it is a candidate for creation of VPN tunnels, a certificate is automatically issued by the ICA for all these objects. This happens immediately after the SmartCenter server identifies that an entity fulfills this condition, namely, when the administrator checks one of the VPN-1 Pro or VPN-1 Net boxes in the General Properties tab of a network object.

Enrollment with OPSEC Certified PKI

To create a PKCS#10 Certificate Request proceed as follows:

1 Open the VPN tab of the relevant Network Object.

2 In the Certificate List field click Add...

The Certificate Properties window is displayed.

3 Enter the Certificate Nickname.

The nickname is only an identifier and has no bearing on the certificate content.

4 Choose the OPSEC Certified Certificate Authority from which you would like to get the certificate.

The Certificate Authority object must be defined in advance. Refer to “Trusting an OPSEC Certified CA” on page 48 for more details.


5 Choose the appropriate method for Key Pair creation and storage.

The Store Keys On Module option is relevant only if hardware storage is installed on the module. See “Storing Private Keys on the Module” on page 47 for more information.

6 Click Generate...

The Generate Certificate Properties window is displayed.

7 Enter the desired DN.

Note that the final DN in the certificate is subject to the CA administrator's decision.

FIGURE 3-4 An example DN.

8 If for some reason the Subject Alternate Name extension is required to appear in the certificate and contain the DN, check the Define Alternate Name check box.

9 Click OK.

Depending on your key storage setting, either the SmartCenter server or the module generates the key pair. The public key and the DN are then used to DER-encode a PKCS#10 Certificate Request.

10 Once the Certificate Request is ready, click View...

The Certificate Request View window appears with the encoding.

11 Copy the whole text in the window and deliver it to the CA.

The CA administrator must now complete the task of issuing the certificate. Different CAs provide different ways of doing this, such as an advanced enrollment form (as opposed to the regular form used by users). The issued certificate may be delivered in various ways, such as email. Once the certificate is available, proceed as follows to store the certificate in VPN-1 Pro.

1 Go to the VPN tab of the network object, select the appropriate certificate object and click Edit...

The Certificate Properties window is displayed.

3 Select the appropriate file and verify the certificate details.

4 Close the object and save.
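The PKCS#10 request built in the procedure above, and the CA-certificate fingerprint check mentioned under the CA definition steps, as an added Python example (not Check Point code; it uses the third-party `cryptography` package and constructed DN values). `build_csr` DER-encodes a request for the entered DN, optionally repeating the DN in the Subject Alternative Name extension as a directoryName, `inspect_csr` decodes what a CA operator receives, and `ca_fingerprints` computes the SHA-1 and MD5 fingerprints of a DER certificate for out-of-band comparison.

```python
import hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_dn(common_name, organization, country):
    """The DN typed into the Generate Certificate Properties window (constructed values)."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name)])

def build_csr(dn, define_alt_name=False):
    """Generate a key pair and DER-encode a PKCS#10 request for dn.
    define_alt_name=True also places the DN in the Subject Alternative Name
    extension as a directoryName (the 'Define Alternate Name' check box).
    Only the returned DER travels to the CA; the private key stays local."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = x509.CertificateSigningRequestBuilder().subject_name(dn)
    if define_alt_name:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DirectoryName(dn)]), critical=False)
    csr = builder.sign(key, hashes.SHA256())  # signature proves possession of the key
    return key, csr.public_bytes(serialization.Encoding.DER)

def inspect_csr(der):
    """Decode a DER request as the CA operator would before issuing."""
    csr = x509.load_der_x509_csr(der)
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        alt_dns = [n.rfc4514_string() for n in san.get_values_for_type(x509.DirectoryName)]
    except x509.ExtensionNotFound:
        alt_dns = []
    return {"subject": csr.subject.rfc4514_string(),
            "alt_name_dns": alt_dns,
            "signature_valid": csr.is_signature_valid,
            "pem": csr.public_bytes(serialization.Encoding.PEM).decode()}

def ca_fingerprints(cert_der):
    """SHA-1 and MD5 fingerprints of a DER certificate, colon-separated as the
    GUI shows them, for comparison against what the CA administrator gives you."""
    fmt = lambda digest: ":".join(f"{b:02X}" for b in digest)
    return {"sha1": fmt(hashlib.sha1(cert_der).digest()),
            "md5": fmt(hashlib.md5(cert_der).digest())}

if __name__ == "__main__":
    _, der = build_csr(make_dn("gw1.example.com", "Example Corp", "US"), True)
    print(inspect_csr(der)["pem"])  # the text you would copy to the CA
```

A fingerprint that does not match the value obtained from the CA administrator means the file selected in the CA object is not the intended CA certificate and should not be trusted.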

Enrollment with Entrust CA

In order to get an Entrust certificate proceed as follows:

1 Obtain the Reference Number and Authorization Code from the CA administrator.

These numbers are created by the Entrust CA when an entity is to be made ‘Entrust Enabled’, and are presented to the CA administrator, who may deliver them to the VPN-1 administrator. They will be used by the CA to authenticate the request and issue the certificate.

2 Open the VPN tab of the relevant Network Object.

3 In the Certificate List field click Add...

The Certificate Properties window is displayed.

4 Enter the Certificate Nickname.

The nickname is only an identifier and has no bearing on the certificate content.

5 Choose the Entrust Certificate Authority from which you would like to get the certificate.

6 The Certificate Authority object must be defined in advance. Refer to “Trusting an Entrust CA” on page 49 for more details about definition of the Entrust CA object.

7 Click Generate...

The Generate Keys and Get Entrust Certificate window is displayed.

8 Make sure the Generate Mode is set to Initialize.

9 Enter the Reference Number and Authorization Code.

The SmartCenter server generates the Key Pair and connects to the Entrust CA using the appropriate protocol to obtain the certificate. If this is the first certificate issued to a module managed by this SmartCenter server, the Entrust CA certificate is saved as well. It is recommended to re-open the Entrust CA object later and verify that the CA Certificate was stored, by clicking View... in the Entrust PKI tab of the Certificate Authority Properties window.
