Managing Trusted CAs
On the VPN > Certificates > Trusted CAs page you can add the CAs that sign remote sites' certificates, to enable a VPN or WebUI certificate. A certificate shown by the remote site must be signed by a CA that is trusted by the appliance. Trusted CAs include both intermediate and root CAs.
This page also shows the built-in Internal CA that by default creates the certificates for this appliance. It can also be used to sign remote sites' certificates. You can also export the Internal CA to add it to a remote site's trusted CA list.
When Cloud Services is turned on and the appliance is configured by a Cloud Services Provider, the CA of the Cloud Services Provider is downloaded automatically to the appliance. The Cloud Services Provider CA is used by community members configured by Cloud Services. Note that if you turn Cloud Services off, the Cloud Services Provider CA is removed.
Recommended configurations
When you use certificate based site to site VPN with only one remote site, we recommend you export each site's Internal CA and add it to the other site's Trusted CA list.
When you use certificate based site to site VPN with multiple remote sites, in a mesh configuration, we recommend that all sites use one CA to sign their internally used certificates on appliances that support creating signing requests. You must also add that same CA to all sites' Trusted CAs list. That CA can be an external CA service like Verisign (for a fee) or this appliance's Internal CA. See below for how to use the Internal CA to sign external requests.
To add a trusted CA:
- Click Add.
- Click Browse to upload a CA's identifier file (a .CRT file).
- A CA name is suggested, but you can enter another name if preferred.
  Click Preview CA details to see further information from the .CRT file.
- Click Apply. The CA is added to the Trusted CA list.
To edit a trusted CA's configuration:
- Select the CA from the list.
- Click Edit.
- Select the necessary options regarding CRL (Certificate Revocation List):
  - Retrieve CRL from HTTP Server(s) - HTTP can be used to access the CA for CRL retrieval. When cleared, this appliance does not attempt to validate the remote site's certificate against the CA's CRL.
  - Cache CRL on the Security Gateway - Select how often a new, updated CRL is retrieved:
    - Fetch new CRL when expires - Upon expiration of the CRL.
    - Fetch new CRL every X hours - Regardless of CRL expiration.
- Click Details to see full CA details.
- Click Apply.
To delete a trusted CA:
- Select the trusted CA from the list and click Delete.
- Click OK in the confirmation message.
To export the Internal CA (or other previously imported CAs):
- Select the Internal CA in the table.
- Click Export.
  The Internal CA's identifier file is downloaded through your browser and is available to be imported to the remote site's trusted CA list.
- You can also export other trusted CAs you've added to the list if necessary by selecting them and clicking Export.
To sign a remote site's certificate request with the Internal CA:
- Click Sign a Request.
- Click Browse to upload the signing request file created at the remote site.
  For third-party appliances, see that appliance's Administration Guide for where signing requests are created.
  Note - The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button becomes available.
- Click Download.
  The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.
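The export, sign-a-request and trusted-CA checks described above, reproduced with openssl on a workstation as an added example (this is not the appliance's own code). It assumes openssl is installed; the site names siteA, siteB and remote are constructed for the example. It also shows the mesh case from the recommendations: a certificate signed by one site's Internal CA is rejected by a site whose Trusted CAs list holds a different CA.

```shell
# Added example, not from the appliance guide: the Internal CA workflow
# above reproduced with openssl so the .CRT and signing-request files can be
# checked before upload, and so a chain failure between sites can be seen.
set -e
WORK=$(mktemp -d)
# Minimal req config so nothing depends on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed CA standing in for one appliance's Internal CA ($1 = site name).
# $1.crt is the identifier file that Export gives you.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -subj "/CN=$1 Internal CA" \
    -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# Remote site's signing request, the file uploaded under Sign a Request.
make_csr() {
  openssl req -new -config "$WORK/req.cnf" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# CA $1 signs request $2; $2.crt is what Download returns.
sign_csr() {
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 90 -out "$WORK/$2.crt" 2>/dev/null
}
# Check a file before adding it to Trusted CAs: PEM certificate with CA:TRUE?
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
# What a peer's trusted-CA check decides: "trusted" only if $2.crt chains to $1.crt.
check_chain() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

make_ca siteA; make_ca siteB; make_csr remote
sign_csr siteA remote
is_ca_cert "$WORK/siteA.crt" && echo "siteA.crt carries CA:TRUE"
echo "remote.crt vs siteA: $(check_chain siteA remote)"   # trusted
echo "remote.crt vs siteB: $(check_chain siteB remote)"   # untrusted: siteB does not trust siteA's CA
```

The second check is the failure you see in a mesh when only some sites imported the signing CA: the fix is to add the same CA to every site's Trusted CAs list, not to re-issue certificates.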