Reference Manual for the ProSafe VPN Firewall FVS114
Advanced Virtual Private Networking
6-23
202-10098-01, April 2005
b. Click the Generate Request button to display the screen illustrated in Figure 6-11 below.
Figure 6-11: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.
– Hash Algorithm. Select the desired option: MD5 or SHA1.
– Signature Algorithm. Select the desired option: DSS or RSA.
– Signature Key Length. Select the desired option: 512, 1024, or 2048.
• Optional
– IP Address. If you use “IP type” in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank.
– Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.
– E-mail Address. You can enter your e-mail address here.
d. Click the Next button to continue. The FVS114 generates a Self Certificate Request as shown below.
Figure 6-12: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA, you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign and a CA such as a Windows 2000 certificate server administrator will differ. Follow the procedures of your CA.
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FVS114” Self Certificate Request will be listed, as illustrated in Figure 6-13 below.
Figure 6-13: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it back to you. Follow the procedures of your CA. Save the certificate you get back from the CA as a text file called final.txt.
6. Upload the new certificate.
a. From the main menu VPN section, click the Certificates link.
b. Click the radio button of the Self Certificate Request you want to upload.
c. Click the Upload Certificate button.
d. Browse to the location of the file you saved in Step 5 above that contains the certificate from the CA.
e. Click the Upload button.
f. You will now see the “FVS114” entry in the Active Self Certificates table and the pending “FVS114” Self Certificate Request is gone, as illustrated below.
Figure 6-14: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FVS114.
a. Create a new IKE policy called Scenario_2 with all the same properties as Scenario_1 (see “Scenario 1 IKE Policy” on page 6-19) except now use the RSA Signature instead of the shared key.
Figure 6-15: IKE policy using RSA Signature
b. Create a new VPN Auto Policy called scenario2a with all the same properties as scenario1a except that it uses the IKE policy called Scenario_2.
Now, the traffic from devices within the range of the LAN subnet addresses on FVS114 A and
Gateway B will be authenticated using the certificates rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.
Note: The procedure for obtaining a CRL differs between a CA like Verisign and a CA such as a Windows 2000 certificate server, which an organization operates for providing certificates for its members. Follow the procedures of your CA.
b. From the main menu VPN section, click the CRL link.
c. Click Add to add a CRL.
d. Click Browse to locate the CRL file.
e. Click Upload.
Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by IKE policies which use this CA.
Note: You must update the CRLs regularly in order to maintain the validity of the certificate-based VPN policies.
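Added example for Steps 3 through 6, not part of the NETGEAR manual: an OpenSSL shell script that builds a request carrying the same fields as the Add Self Certificate form, stands in for the Trusted Root CA (in place of Verisign or a Windows 2000 CA), and checks the returned final.txt before it is uploaded. The company name, addresses and file names are constructed, and openssl 1.1.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example (not NETGEAR's code). openssl is assumed to be installed.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Constructed values standing in for the Add Self Certificate form fields.
SUBJECT="Example Corp"            # Subject: the registered business name
IKE_IP="203.0.113.10"             # IP Address: only when the IKE policy uses "IP type"
IKE_FQDN="fvs114.example.com"     # Domain Name
IKE_EMAIL="vpnadmin@example.com"  # E-mail Address

# Step 3: build the request. The optional identity fields become subjectAltName
# entries, which is what the IKE peer compares its configured remote ID against.
# RSA 2048 is the longest key the form offers; SHA-256 is used instead of MD5/SHA1.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/fvs114.key" -out "$WORK/fvs114.csr" \
    -subj "/O=$SUBJECT/CN=$IKE_FQDN" \
    -addext "subjectAltName=IP:$IKE_IP,DNS:$IKE_FQDN,email:$IKE_EMAIL" 2>/dev/null
  cat "$WORK/fvs114.csr"   # the "Data to supply to CA" text (Figure 6-12)
}

# Steps 4-5 stand-in: a throwaway root CA signs the request and hands back final.txt.
ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/O=Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  printf 'subjectAltName=IP:%s,DNS:%s,email:%s\n' "$IKE_IP" "$IKE_FQDN" "$IKE_EMAIL" \
    > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/fvs114.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/san.ext" -out "$WORK/final.txt" 2>/dev/null
}

# Step 6 pre-upload check: final.txt must chain to the Trusted Root CA, must carry
# the public key from our request (otherwise the CA returned somebody else's
# certificate), must still name the identity the IKE policy will match on, and must
# not use MD5 or a 512-bit key even though the form offers both.
check_certificate() {
  cert=$1; ca=$2; csr=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl req -in "$csr" -noout -pubkey)" ] \
    || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -qF "IP Address:$IKE_IP" || return 1
  case "$text" in *md5With*|*"(512 bit)"*) return 1 ;; esac
  return 0
}
```

On the FVS114 the private key never leaves the device; the script holds it only so the CA step can be simulated offline.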