Public Key Infrastructure

In This Section:

Enrolling with a Certificate Authority

Manual Enrollment with OPSEC Certified PKI

Trusting an Externally Managed CA

Trusting an OPSEC Certified CA

Certificate Revocation (All CA Types)

Enrolling with a Certificate Authority

A certificate is automatically issued by the ICA for all internally managed entities that are VPN capable. That is, the certificate is issued once the administrator selects IPsec VPN in the Network Security tab of the General Properties page of the network object.

The process for obtaining a certificate from an OPSEC PKI or External Check Point CA is identical.

Manual Enrollment with OPSEC Certified PKI

To create a PKCS#10 Certificate Request:

  1. Create the CA object.
  2. Open the IPsec VPN tab of the relevant Network Object.
  3. In the Certificate List field click Add.

    The Certificate Properties window is displayed.

  4. Enter the Certificate Nickname.

    The nickname is only an identifier and has no bearing on the content of the certificate.

  5. From the CA to enroll from drop-down box, select the direct OPSEC CA/External Check Point CA that will issue the certificate.

    Note - The list displays only the trusted CAs themselves and those subordinate CAs that lead directly to a trusted CA. If the CA that issues the certificate is a subordinate CA that does not lead directly to a trusted CA, that subordinate CA does not appear in the list.

  6. Choose the appropriate method for Key Pair creation and storage.
  7. Click Generate.

    The Generate Certificate Properties window is displayed.

  8. Enter the appropriate DN.

    The final DN that appears in the certificate is decided by the CA administrator.

    If a Subject Alternate Name extension is required in the certificate, check the Define Alternate Name check box.

    Adding the object IP address as a Subject Alternate Name extension can be set as the default by selecting, in Menu > Global Properties > Advanced > Configure > Certificates and PKI properties, the options:

    add_ip_alt_name_for_opsec_certs

    add_ip_alt_name_for_ICA_certs

    The configuration in this step is also applicable for Internal CAs.

  9. Click OK.

    The public key and the DN are then used to DER-encode a PKCS#10 Certificate Request.

  10. After the Certificate Request is ready, click View.

    The Certificate Request View window appears with the encoding.

  11. Copy the whole text in the window and deliver it to the CA.

    The CA administrator must now complete the task of issuing the certificate. Different CAs provide different ways of doing this, such as an advanced enrollment form (as opposed to the regular form for users). The issued certificate may be delivered in various ways, for example email. After the certificate has arrived, it needs to be stored:

    1. In Object Explorer (Ctrl+E), go to the Servers category and select the CA object.
    2. Open the OPSEC PKI tab, click Get and browse to the location in which the certificate was saved.
    3. Select the appropriate file and verify the certificate details.
    4. Close the object and save.

Trusting an Externally Managed CA

An externally managed CA is the ICA of another Security Management Server. The CA certificate has to be supplied and saved to disk in advance. To establish trust:

  1. In Object Explorer (Ctrl+E), click New > Server > More > Trusted CA.

    The Certificate Authority Properties window opens.

  2. Enter a Name for the CA object.
  3. Go to the OPSEC PKI tab and click Get...
  4. Browse to where you saved the peer CA certificate and select it.

    The certificate details are shown. Verify the certificate's details. Display and validate the SHA-1 and MD5 fingerprints of the CA certificate.

  5. Click OK.

Trusting an OPSEC Certified CA

The CA certificate has to be supplied and saved to the disk in advance.

Note - In case of SCEP automatic enrollment, you can skip this stage and fetch the CA certificate automatically after configuring the SCEP parameters.

The CA's Certificate must be retrieved either by downloading it using the CA options in the Certificate Authority object, or by obtaining the CA's certificate from the peer administrator in advance.

Then define the CA object according to the following steps:

  1. In Object Explorer (Ctrl+E), click New > Server > More > Trusted CA or Subordinate CA.

    The Certificate Authority Properties window opens.

  2. Enter a Name for the CA object.
  3. On the OPSEC PKI tab:
    • For automatic enrollment, select Automatically enroll certificate.
    • From the Connect to CA with protocol drop-down list, select the protocol used to connect with the certificate authority: SCEP, CMPV1 or CMPV2.

    Note - For Entrust 5.0 and later, use CMPV1.

  4. Click Properties.
    • If you chose SCEP as the protocol, in the Properties for SCEP protocol window, enter the CA identifier (such as example.com) and the Certification Authority/Registration Authority URL.
    • If you chose CMPV1 as the protocol, in the Properties for CMP protocol - V1 window, enter the appropriate IP address and port number (the default port is 829).
    • If you chose CMPV2 as the protocol, in the Properties for CMP protocol - V2 window, decide whether to use direct TCP or HTTP as the transport layer.

      Note - If Automatically enroll certificate is not selected, enrollment must be performed manually.

  5. Choose a method for retrieving CRLs from this CA.

    If the CA publishes CRLs on an HTTP server, choose HTTP Server(s). Certificates issued by the CA must contain the CRL location as a URL in the CRL Distribution Point extension.

    If the CA publishes CRLs on an LDAP server, choose LDAP Server(s). In this case, you must also define an LDAP Account Unit. See the Security Management Server Administration Guide for more details about defining an LDAP object.

    Make sure that CRL retrieval is checked in the General tab of the LDAP Account Unit Properties window.

    Certificates issued by the CA must contain the LDAP DN on which the CRL resides in the CRL distribution point extension.

  6. Click Get.
  7. If SCEP is configured, clicking Get attempts to connect to the CA and retrieve its certificate. Otherwise, browse to where you saved the peer CA certificate and select it.

    VPN reads the certificate and displays its details. Verify the certificate's details. Display and validate the SHA-1 and MD5 fingerprints of the CA certificate.

  8. Click OK.
  9. Install the Access Control Policy on the Security Gateway.
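As an added example (not part of the Check Point guide), a stdlib-only Python check for steps 5 and 7 above: it computes the SHA-1 and MD5 fingerprints of a saved CA certificate in the colon-separated form the GUI displays, compares them against the value obtained out of band, and walks the DER to confirm the CRL Distribution Points (and Subject Alternative Name) extension OIDs are present. The sample PEM is constructed for the demonstration and is not a real certificate.

```python
import base64, hashlib, hmac, re
SAN_OID = "2.5.29.17"     # Subject Alternative Name (id-ce-subjectAltName)
CRL_DP_OID = "2.5.29.31"  # CRL Distribution Points (id-ce-cRLDistributionPoints)

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor; fingerprints are computed over these DER bytes."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algo: str) -> str:
    """Colon-separated upper-case digest, in the form the GUI displays it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_matches(der: bytes, algo: str, expected: str) -> bool:
    """Compare with the value obtained out of band; colons, spaces and case are ignored."""
    wanted = re.sub(r"[^0-9A-F]", "", expected.upper())
    return hmac.compare_digest(fingerprint(der, algo).replace(":", ""), wanted)

def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:                 # base-128 arcs, high bit = continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_oids(der: bytes) -> set:
    """Walk the DER TLV tree and collect every OBJECT IDENTIFIER in it."""
    oids, pos = set(), 0
    while pos < len(der):
        tag, length = der[pos], der[pos + 1]
        pos += 2
        if length & 0x80:                # long-form length: next n bytes hold it
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        value, pos = der[pos:pos + length], pos + length
        if tag == 0x06:
            oids.add(decode_oid(value))
        elif tag & 0x20:                 # constructed type: descend into it
            oids |= der_oids(value)
    return oids

# Constructed sample, NOT a real certificate: a DER SEQUENCE holding only the two
# extension OIDs, enough to exercise the walker and the fingerprint code offline.
SAMPLE_DER = bytes.fromhex("300a0603551d110603551d1f")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
```

For a real CA certificate, pass the PEM file contents to `pem_to_der` and check `CRL_DP_OID in der_oids(der)` alongside the fingerprint comparison; a missing CRL Distribution Point OID means the HTTP/LDAP CRL retrieval configured in step 5 has nothing to follow.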

Certificate Revocation (All CA Types)

To remove the certificate:

  1. Open the IPsec VPN tab of the relevant Security Gateway.
  2. In the Repository of Certificates Available to the Gateway, select the appropriate certificate and click Remove.