Optional VPN Support Using Certificate Objects Overview
To authenticate external devices, use a group IKE ID to authenticate multiple RAS users, or provide additional authentication for the security devices in your VPN, you must obtain and install a digital certificate on each VPN member. A digital certificate is an electronic means of verifying identity through the word of a trusted third party, known as a certificate authority (CA). The CA is a trusted partner both of the VPN member that uses the digital certificate and of the member that receives it.
The CA issues certificates, often with a set time limit. If you do not renew the certificate before the time limit is reached, the CA considers the certificate inactive. A VPN member attempting to use an expired certificate is immediately detected (and rejected) by the CA.
To use certificates in your VPN, you must configure:
Local certificate—Use a local certificate for each security device that is a VPN member.
Certificate authority (CA) object—Use a CA object to obtain a local and CA certificate.
Certificate revocation list (CRL) object—Use a CRL object to ensure that expired certificates are not accepted; a CRL is optional.
The following topics explain in more detail the optional VPN support using certificate objects:
Configuring Local Certificates
A local certificate validates the identity of the security device in a VPN tunnel connection. To get a local certificate for a device, you must prompt the device to generate a certificate request (which includes a public/private key pair request) using the Generate Certificate Request directive. In response, the device provides a certificate request that includes the encrypted public key for the device. Using this encrypted public key, you can contact an independent CA (or use your own internal CA, if available) to obtain a local device certificate file (a .cer file).
You must install this local certificate file on the managed device using NSM before you can use certificates to validate that device in your VPN. Because the local certificate is device-specific, you must use a unique local certificate for each device.
You can also use SCEP to configure the device to automatically obtain a local certificate (and a CA certificate) from the CA directly. For details on local certificates, see Local Certificate Validation of ScreenOS Devices Overview.
Configuring CA Objects
A CA certificate validates the identity of the CA that issued the local device certificate. You can obtain a CA certificate file (.cer) from the CA that issued the local certificate, and then use this file to create a CA object.
You must install this CA certificate on the managed device using NSM before you can use the certificate to validate that device in your VPN. Because the CA certificate is an object, however, you can use the same CA for multiple devices, as long as those devices use local certificates that were issued by that CA.
You can also use SCEP to configure the device to automatically obtain a CA certificate at the same time it receives the local certificate. For details on configuring a certificate authority object, see the Network and Security Manager Administration Guide.
Configuring CRL Objects
A certificate revocation list (CRL) identifies invalid certificates. You can obtain a CRL file (.crl) from the CA that issued the local certificate and CA certificate for the device, and then use this file to create a CRL object.
You must install the CRL on the managed device using NSM before you can use a CRL to check for revoked certificates in your VPN. Because the CRL is an object, however, you can use the same CRL for multiple devices, as long as those devices use local and CA certificates that were issued by that CA.
After you have received a CRL, you can use the CRL object in your VPN. For details on configuring a certificate revocation list object, see the Network and Security Manager Administration Guide.
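The three objects described in these topics, as an added example that is not from the NSM documentation or from ScreenOS: a Go program that builds a sample CA certificate, a local certificate issued to a device, and a CA-signed CRL in memory, then verifies a peer's local certificate the way a VPN member does (chain to the CA object, validity at the current time, not listed in the CRL). The CA name "Sample VPN CA", the device name "branch-fw-01", the serial numbers and the dates are constructed sample values, and the checks use the Go standard library's X.509 verifier rather than the device's own IKE code.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // panics on setup errors so the sample PKI stays short
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario builds sample objects in memory: a CA certificate, a local certificate (serial, CN "branch-fw-01") it issued, and a CA-signed CRL revoking serial 42.
func Scenario(t0 time.Time, serial int64) (local, ca *x509.Certificate, crlDER []byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample VPN CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: t0, NotAfter: t0.AddDate(5, 0, 0)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "branch-fw-01"},
		NotBefore: t0, NotAfter: t0.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	devPub := must(rsa.GenerateKey(rand.Reader, 2048)).Public() // only the public half leaves the device in the request
	local = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, devTmpl, ca, devPub, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: t0, NextUpdate: t0.AddDate(0, 1, 0),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(42), RevocationTime: t0}}}
	return local, ca, must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
}

// CheckLocalCert applies a VPN member's checks on a peer's local certificate: chain to the CA object, validity at now, not listed in a CRL the same CA signed.
func CheckLocalCert(local, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := local.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err // an unknown issuer and an expired certificate both fail here
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return errors.New("CRL is unreadable or was not signed by the CA object")
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(local.SerialNumber) == 0 {
			return errors.New("local certificate is listed in the CRL")
		}
	}
	return nil
}
```

A certificate with serial 7 passes one day after issue and fails once its one-year validity has run out; a certificate issued with serial 42 is rejected by the CRL check even while still within its validity period.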