Certificate List

This page displays a table with information about each certificate you have loaded. Use the Show drop-down list to view local or CA certificates. The table contains the following information:

Issuer: Identifies the CA that issued the certificate.

Friendly Name: Indicates the name of the certificate assigned by the CA.

Type: Indicates the type of certificate—Local, CA or Certificate Revocation List (CRL).

Serial #: Indicates the serial number of the certificate.

Expired: Indicates the date when the certificate expires.

Status: Indicates the status of the certificate, for example, active, expired, or pending (in the case of a request).

Configure: Click Detail to obtain details on the certificate, or Remove to delete the certificate. Click Submit Request to use the automatic method to request a certificate.

Note: If you remove a certificate, you must regenerate the key.

Required Certification

To use a digital certificate to authenticate your identity when establishing a secure VPN connection, you must first do the following:

To Request a Certificate

Click New. For more information on how to request a certificate, see Certificate Request.

The CA returns the following three files to you for loading into the security device:

When you receive the certificates from the CA via e-mail, copy them to a text file, and save them to your workstation (so that you can load them on the security device later).

Note: You can also save the certificate files to a TFTP server and later load them using the ScreenOS Command Line Interface (CLI).

To Load a Certificate

  1. Select Cert.

  2. Click Browse, and then navigate to the location where you saved the certificate files.

  3. Select auth.cer to load the CA certificate or local.cer to load the local certificate, and then click Open.

The directory path and file name for auth.cer or local.cer appear in the Browse field of the Certificates page.

  4. Click Load.

The certificate file loads. You can now view the new certificates in the Certificate List.

Note: You must load both the local certificate and the CA certificate, so you go through this loading procedure twice.

To Load a CRL

  1. Select CRL.

  2. Click Browse, and then navigate to the location where you saved the CRL file.

  3. Select distrust.crl, and then click Open.

The directory path and file name for distrust.crl appear in the Browse field of the Certificates page.

  4. Click Load.

The CRL file loads. You can now view the new CRL in the Certificate List.

To Remove a Certificate or CRL

In the Configure column, click Remove.

Certificate Details

In addition to the certificate list, which provides an overview of the certificates for the security device, you can get a detailed description of each certificate.

To view certificate details, click Detail in the Configure column. The Certification Detail page appears. For more information, see Certificate Details.

Default Certificate Validation Settings

In Phase 1 negotiations, participants check the Certificate Revocation List (CRL) to see if certificates received during an IKE exchange are still valid. If a CRL did not accompany a CA certificate and is not loaded in the security device database, the device tries to retrieve the CRL through the LDAP or HTTP CRL location defined within the certificate itself. If there is no URL address defined in the certificate, the security device uses the URL of the server that you define.

Note: With ScreenOS 2.5 and later, you can disable the checking of a CRL's digital signature when you load the CRL. However, disabling the CRL signature check compromises the security of your NetScreen device, because the device can no longer tell a CRL issued by the CA from one that was altered or issued by someone else.
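The following script is an added example, not ScreenOS code or a procedure from this help page. It uses openssl to build a throwaway CA and produce the three files named in the loading procedures above (auth.cer, local.cer, distrust.crl), then exercises the checks described under Default Certificate Validation Settings: that the local certificate chains to the CA certificate, that the CRL's signature verifies against the CA (the check the ScreenOS option above would disable), and that a revoked local certificate is rejected once the CRL is consulted. Every name in it ("Demo CA", "demo-device", "Other CA", the temporary directory) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not ScreenOS code): build a throwaway PKI with openssl so that
# auth.cer, local.cer and distrust.crl exist locally, then run the checks a
# security device performs on them. All names here are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config for `openssl ca`, needed to revoke a certificate and issue a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
crlnumber        = crlnumber
private_key      = ca.key
certificate      = auth.cer
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt
echo 01 > crlnumber

# auth.cer: self-signed CA certificate (the "CA" type in the Certificate List).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out auth.cer \
    -subj "/CN=Demo CA" -days 365 >/dev/null 2>&1
# local.cer: device certificate signed by the CA (the "Local" type).
openssl req -newkey rsa:2048 -nodes -keyout local.key -out local.csr \
    -subj "/CN=demo-device" >/dev/null 2>&1
openssl x509 -req -in local.csr -CA auth.cer -CAkey ca.key -CAcreateserial \
    -out local.cer -days 90 >/dev/null 2>&1
# distrust.crl: revoke the device certificate and publish the CA-signed CRL.
openssl ca -config ca.cnf -revoke local.cer >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out distrust.crl >/dev/null 2>&1
# other.crl: same revocation list, but signed by an unrelated CA. A device
# that skips the CRL signature check cannot distinguish it from distrust.crl.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.cer \
    -subj "/CN=Other CA" -days 365 >/dev/null 2>&1
openssl ca -config ca.cnf -keyfile other.key -cert other.cer -gencrl \
    -out other.crl >/dev/null 2>&1

# The columns shown in the Certificate List: Issuer, Serial #, Expired.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer; }
cert_serial()  { openssl x509 -in "$1" -noout -serial; }
cert_expires() { openssl x509 -in "$1" -noout -enddate; }

# Check 1: local.cer chains to auth.cer (no revocation data consulted yet).
local_cert_chains_to_ca() {
    openssl verify -CAfile auth.cer local.cer >/dev/null 2>&1
}
# Check 2: the CRL's signature verifies against the CA certificate.
# Returns 0 only for a CRL actually issued by Demo CA.
crl_signed_by_ca() {
    openssl crl -in "$1" -CAfile auth.cer -noout >/dev/null 2>&1
}
# Check 3: with CRL checking enabled, the revoked local.cer is rejected.
# Returns 0 when the certificate is rejected because it appears on the CRL.
local_cert_rejected_by_crl() {
    if openssl verify -crl_check -CAfile auth.cer -CRLfile distrust.crl \
           local.cer >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

for f in auth.cer local.cer; do
    echo "$f: $(cert_issuer "$f") | $(cert_serial "$f") | $(cert_expires "$f")"
done
local_cert_chains_to_ca       && echo "local.cer chains to auth.cer"
crl_signed_by_ca distrust.crl && echo "distrust.crl is signed by Demo CA"
crl_signed_by_ca other.crl    || echo "other.crl is NOT signed by Demo CA: reject it"
local_cert_rejected_by_crl    && echo "local.cer is revoked: Phase 1 would fail"
```

The script only needs the openssl command-line tool and writes into a temporary directory that it removes on exit. The three checks run in the order a device applies them: chain validation first, then the CRL's own signature, and only then the revocation lookup, which is why skipping the signature check leaves the revocation result dependent on whoever produced the CRL.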

To set Default Certificate Validation Settings, click Default Cert Validation Settings at the top of the screen.

CA Server Settings

The CA server you use can be owned and operated by an independent CA or by your own organization, in which case you become your own CA. If you use an independent CA, you must contact them for the addresses of their CA and CRL servers (for obtaining certificates and certificate revocation lists), and for the information they require when submitting personal certificate requests. When you are your own CA, you determine this information yourself.

To Set CA Server Settings

  1. View CA certificates by selecting CA from the Show drop-down list.

  2. In the Issuer column, select Server Settings for the appropriate certificate.