Certificates

A certificate is a digital ID card. It is issued by a trusted third party known as a Certification Authority (CA). Endpoint Security VPN can use the digital certificates issued by the gateway, which has its own Internal Certificate Authority (ICA). A digital certificate has:

  • User name.

  • A serial number.

  • An expiration date.

  • A copy of the public key of the certificate holder (used to encrypt messages to the holder and to verify the holder's digital signatures).

  • The digital signature of the certificate-issuing authority, in this instance the ICA. This lets the gateway verify that the certificate was issued by the ICA and has not been altered.

Stored in Keychain or Stored as Files

Endpoint Security VPN supports user authentication through PKCS#12 certificates. A PKCS#12 certificate can be accessed directly when stored as a .p12 file or imported to the Keychain store.

Certificates on Smart Cards are also accessed through the Keychain. For Smart Cards, you must install the correct token driver from the Smart Card middleware vendor.

Should you allow users to import certificates to the Keychain store?

  • Certificates in the Keychain store are easier to manage.

  • If a user works on several computers, on a temporary computer, or on a laptop that might be stolen, it is better not to keep the certificate on the computer. Give the user the PKCS#12 certificate on removable media instead, and require a strong password for it: once the .p12 file is copied, its private key is protected only by that password.
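The following POSIX shell script is an added example, not code from Check Point's documentation or product, that uses OpenSSL to make the two sections above concrete: a throwaway CA standing in for the gateway's ICA issues a user certificate, the fields listed above (subject, serial number, expiry date, issuer) are printed, the issuer's signature is verified, and the key and certificate are packed into a password-protected .p12 file that opens only with the right password. The CA name, the user name and the password are made-up values; the real ICA is not involved, and on a live deployment the gateway, not a script, issues these.

```shell
#!/bin/sh
# Added example: a throwaway PKI built with OpenSSL. Nothing here is the ICA;
# the directory, names and password are constructed for the demonstration.
set -e

# Build the PKI in $1 for user $2 and wrap the result in a PKCS#12 protected by $3.
make_demo_pki() {
  dir="$1"; user="$2"; p12pass="$3"
  mkdir -p "$dir"
  # 1. The issuing CA: a stand-in for the gateway's Internal Certificate Authority.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Demo ICA/CN=demo-internal-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # 2. The user's key pair and a certificate request carrying the user name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Demo ICA/CN=$user" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" >/dev/null 2>&1
  # 3. The CA signs the request. That signature is what the gateway later checks.
  openssl x509 -req -sha256 -days 30 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -in "$dir/$user.csr" -out "$dir/$user.crt" >/dev/null 2>&1
  # 4. Key + certificate + issuer chain into one .p12 file, encrypted with the password.
  openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
    -certfile "$dir/ca.crt" -name "$user" -passout "pass:$p12pass" \
    -out "$dir/$user.p12"
}

# Print the certificate fields this page lists: subject (user name), serial,
# expiration date and the issuer whose signature is on the certificate.
cert_fields() {
  openssl x509 -in "$1" -noout -subject -serial -enddate -issuer
}

# Exit 0 only if the CA in $1 signed the certificate in $2 and it is still valid.
verify_user_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 only if the PKCS#12 file $1 opens with password $2 (the MAC check fails otherwise).
p12_password_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Stand-alone run: build the PKI in a temporary directory and show both outcomes.
d=$(mktemp -d)
make_demo_pki "$d" alice 'Correct-Horse-9'
cert_fields "$d/alice.crt"
verify_user_cert "$d/ca.crt" "$d/alice.crt" && echo "issuer signature on alice.crt: OK"
p12_password_ok "$d/alice.p12" 'wrong-password' || echo "alice.p12 with wrong password: rejected"
rm -rf "$d"
```

`openssl verify` is the same check the gateway performs in spirit: it walks from the user certificate to the trusted CA and rejects a certificate whose signature does not match the CA or whose validity period has passed. The `.p12` check shows why the password matters for files on removable media: without it the bundle cannot even be opened, with it the private key is fully usable.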

Generating and Deploying Certificates

Generate certificates in SmartConsole:

  • Enroll Certificate (Generate Registration Key). Initiate a certificate that will be pending for the user. The result is a registration key. The user completes the creation of the certificate with the registration key. The result can be a certificate stored as a PKCS#12 file or stored in the Keychain.

  • Generate PKCS#12 File. Generate a PKCS#12 certificate and save it to a file. The user authenticates with the PKCS#12 file.

How to Create Registration Keys

Create a registration key from SmartConsole to let users import certificates to the Keychain store.

To create a registration key:
  1. In SmartConsole, click the Manage menu > Users and Administrators. The Users and Administrators window opens.

  2. Select one user and click Edit.

    The User Properties window opens.

  3. Open Certificates.

  4. Click Initiate.

    The registration key is created. Give it to the user.

    The registration key has an expiration date. If the user does not complete the task before the expiration date, the registration key is deleted.

How to Generate PKCS#12 Files

Generate a certificate file from SmartConsole.

To generate a certificate file:
  1. In SmartConsole, click the Manage menu > Users and Administrators. The Users and Administrators window opens.

  2. Select one user and click Edit.

    The User Properties window opens.

  3. Open Certificates.

  4. Click Generate and save.

  5. Let the user choose and confirm a password for the file. The user needs this password to import or use the certificate.

  6. Save the certificate to a file.

    The certificate file is generated. Give it to the user.

How to Enroll and Renew a Certificate

Revoking Certificates

If you need to block a user from connecting, revoke the certificate. A user whose certificate is revoked can no longer authenticate to the VPN with it.

To revoke a certificate, in SmartConsole, in the User Properties window > Certificates, click Revoke.

Helping Users Import Certificates

If you give users a certificate to keep on the computer, you can help them import the certificate to the Keychain store. Make sure that users have the file itself, or access to it, and that they have the password for the certificate.

Disabling Certificate Authentication

Endpoint Security VPN supports user authentication with PKCS#12 certificates. A PKCS#12 certificate can be accessed directly as a .p12 file or imported to the Keychain store.

If you do not want users to authenticate with certificates stored in the Keychain store, disable it on the gateway:

  1. On the gateway, open the $FWDIR/conf/trac_client_1.ttm file.

  2. Change the :default attribute, located in the enable_capi section, to false.

    enable_capi (
      :gateway (
       :map (
         :false (false)
         :true (true)
         :client_decide (client_decide)
       )
       :default (false)
      )
    )
  3. Save the file and install the policy.

    When clients download the new policy from the gateway, configuration changes are applied.
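As an added example, not from this page or from Check Point, the following POSIX shell script reads and rewrites the enable_capi :default attribute in a trac_client_1.ttm-style file, working on a constructed copy in a temporary directory. The sample file it writes contains the enable_capi block shown above, starting from client_decide, plus a second, made-up block named some_other_attribute (not a real ttm attribute) whose only purpose is to show that an unrelated :default is left alone. On a real gateway you would point the functions at $FWDIR/conf/trac_client_1.ttm and then install the policy as in step 3.

```shell
#!/bin/sh
# Added example: edit the enable_capi default in a ttm-style file with awk.
# The sample file below is constructed; some_other_attribute is a placeholder.

# Write the constructed sample ttm file to $1.
make_demo_ttm() {
  cat > "$1" <<'EOF'
some_other_attribute (
  :gateway (
    :map (
      :false (false)
      :true (true)
    )
    :default (true)
  )
)
enable_capi (
  :gateway (
    :map (
      :false (false)
      :true (true)
      :client_decide (client_decide)
    )
    :default (client_decide)
  )
)
EOF
}

# Print the current :default value of the enable_capi block in file $1.
# The block is tracked by counting parentheses, so only its own :default is read.
get_enable_capi_default() {
  awk '
    /^[[:space:]]*enable_capi[[:space:]]*\(/ { inblk = 1; depth = 0 }
    inblk && match($0, /:default[[:space:]]*\([^)]*\)/) {
      v = substr($0, RSTART, RLENGTH)
      sub(/^:default[[:space:]]*\(/, "", v); sub(/\)$/, "", v)
      print v; exit
    }
    inblk { depth += gsub(/\(/, "(") - gsub(/\)/, ")"); if (depth <= 0) inblk = 0 }
  ' "$1"
}

# Set :default inside enable_capi in file $1 to $2; every other line is copied as is.
# Only the three values listed in the :map of the block are accepted.
set_enable_capi_default() {
  file="$1"; val="$2"
  case "$val" in
    true|false|client_decide) ;;
    *) echo "enable_capi default must be true, false or client_decide" >&2; return 2 ;;
  esac
  awk -v val="$val" '
    /^[[:space:]]*enable_capi[[:space:]]*\(/ { inblk = 1; depth = 0 }
    inblk { sub(/:default[[:space:]]*\([^)]*\)/, ":default (" val ")") }
    { print }
    inblk { depth += gsub(/\(/, "(") - gsub(/\)/, ")"); if (depth <= 0) inblk = 0 }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Stand-alone run on a throwaway copy; on the gateway the file is $FWDIR/conf/trac_client_1.ttm.
tmp=$(mktemp -d)
make_demo_ttm "$tmp/trac_client_1.ttm"
echo "enable_capi default before: $(get_enable_capi_default "$tmp/trac_client_1.ttm")"
set_enable_capi_default "$tmp/trac_client_1.ttm" false
echo "enable_capi default after:  $(get_enable_capi_default "$tmp/trac_client_1.ttm")"
rm -rf "$tmp"
```

Keep a copy of the original file before editing it on the gateway, and check the result with the getter before installing the policy: a :default outside the :map values (or a misplaced parenthesis) is exactly the kind of mistake that the clients would pick up with the next policy download.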