Certificates

Here, you create X.509 certificates that the firewall uses to authenticate itself in various applications, for example when it is configured over HTTPS.

On this page you also upload CA certificates to the firewall. For the applications (HTTPS, VPN, RADIUS authentication of road warriors, and SIP over TLS), you select one or more CA certificates to trust.

Private Certificates

Here the private X.509 certificates of the firewall are created. You can use the same certificate for all authentication purposes, or create different certificates for the various functions in the firewall.

Name

Enter a name for this certificate. The name is only used internally in the firewall.

Certificate

Create, import or download a private certificate. See more information about creating certificates below. Under Import, you upload firewall certificates signed by an external CA.

Under Show/Download, you download the private certificate, and you can also download the key pair.

Information

Information about this certificate, such as the signing CA and expiration date.

Delete row

If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Create certificate or certificate request

Press Create new to create a new X.509 certificate. A new page with a form appears, requesting information about the firewall. Fill in the form to apply for a certificate or create a self-signed certificate. Fields marked * are mandatory.

Expire in

The expiration time defines how many days the certificate is valid. The default is 365 days (one year).

Country code

Here, you enter the country code (not the top-level domain) for the country where the firewall is located. The country code for the USA is US.

State/province

The state or province where the firewall is located.

Locality/town

The city or town where the firewall is located.

Organisation

The name of the organization/company owning the firewall.

Organisational unit

The department using the firewall.

Common Name

Here, you enter the host name or IP address of the firewall.

Email address

Enter the email address of the firewall administrator.

Serial number

If you generate more than one certificate with the same information, and you want to give them separate names and treat them as different certificates, you need to give them different serial numbers. Enter a serial number for this certificate here.

Challenge password

Enter a password. This will be used only when revoking a signed certificate.

Create a self-signed X.509 certificate

By entering the requested information above and pressing this button, you can create a certificate that isn't signed by any certificate authority (CA). Self-signed certificates are free, while certificates signed by an official CA normally are not. Certificates signed by CAs are automatically accepted by web browsers, while you have to accept self-signed certificates manually when using them in your web browser.

Create an X.509 certificate request

When pressing this button, you make a certificate request which can be sent to a certificate authority for signing. The request is downloaded under View/Download on the certificate page. The signed certificate is uploaded under Import.

CA Certificates

Here, you upload CA certificates and CRLs (Certificate Revocation Lists).

The CAs are used to authenticate peers using IPsec VPN or TLS. Upload one or more CA certificates here, and then select which CAs to trust for each function in the firewall.

CRLs are used to let the firewall know that some of the certificates signed by a certain CA should not be accepted. This could be useful when laptops with certificates are stolen. See instructions for your CA on how to make a CRL.
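The effect of a CRL can be reproduced offline with the openssl command-line tool. The following is an added example, not part of the original manual and not a description of the firewall's internals: it builds a throwaway CA, issues a certificate for a laptop, revokes it, and verifies the certificate with and without the CRL. The names Demo CA, laptop1, the file names and the function crl_demo are constructed for the illustration.

```sh
# Added example: throwaway CA built with the openssl CLI; every name is constructed.
crl_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    exec 2>/dev/null            # hide openssl progress output
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
    # 1. Self-signed CA, then a certificate request and signed certificate for the laptop.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Demo CA" -keyout ca.key -out ca.pem
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=laptop1" -keyout laptop.key -out laptop.csr
    openssl ca -batch -notext -config ca.cnf -in laptop.csr -out laptop.pem
    # 2. The laptop is reported stolen: revoke its certificate and issue a CRL.
    openssl ca -config ca.cnf -revoke laptop.pem
    openssl ca -config ca.cnf -gencrl -out ca.crl
    # 3. Verify the unexpired certificate, first against the CA alone, then with the CRL.
    check() { if openssl verify "$@" laptop.pem >/dev/null; then echo accepted; else echo rejected; fi; }
    echo "ca-only=$(check -CAfile ca.pem)"
    echo "ca-plus-crl=$(check -crl_check -CAfile ca.pem -CRLfile ca.crl)"
  )
  rm -rf "$d"
}
```

The revoked certificate still verifies against the CA certificate alone; it is rejected only when the verifier also has the current CRL.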

Name

Enter a name for this CA certificate. The name is only used internally in the firewall.

CA Certificate

Press the Change/View button to upload the CA certificate to the firewall, inspect the current certificate, or download it to use somewhere else.

CA CRL

A CRL (Certificate Revocation List) is used to tell the firewall that some certificates issued by this CA are not valid, even though they may not have expired yet. Upload a CRL for this CA by pressing the Change/View button.

Information

Information about this certificate, such as the signing CA and expiration date.

Delete row

If you select this box, the row is deleted when you click on Add new rows or Save.

Add new rows

Enter the number of new rows you want to add to the table, and then click on Add new rows.

Save

Saves all Certificates configuration to the preliminary configuration.

Undo

Clears and resets all fields in new rows and resets changes in old rows.