Certificates

Certificates contain identification information, a public key, a validity period, a digital signature and the identity of the signer.
Certificates can be exchanged unprotected between the peers, which can then validate them and also use the contained public key to encrypt information that only the certificate owner can decrypt with its corresponding secret private key.
Certificates are a secure way of ensuring that a connection with a trusted peer is established.
Certificates are NOT removed by a reset to factory defaults.


Stored certificates

Trusted certificates
These certificates are used to validate certificates received from a peer.
Use the Import Certificate page to load certificates into this list.
If the peer certificate is self-signed, a copy of it is imported to this device; if it is signed elsewhere, the issuer's certificate is imported to this device.


Self signed certificates
These are generated and signed by this device, and are generally exported to a file and given to the remote peer.
For each self-signed certificate there is a (hidden) private key known only to this device.
Certificates - Import/Export

Import trusted certificates
Load a certificate from a file on your PC into the Trusted certificates list.
Remote peers give you their public certificates, which you load into your VPN peer using this page.
Certificates that follow the X.509 standard and are in PEM or DER format are accepted.


Export self-signed certificate
Save a certificate from the Self signed certificates list to a file on your PC.
When using certificates as identification, remote peers need to receive your public certificate before they can accept VPN traffic from you.
Select the certificate you want to export and a file format that is accepted by the remote peer, then click Go to save the certificate to a file.
The X.509 PEM file format is accepted by most VPN applications.
Create Self-signed Certificate
Self-signed certificates are generated and signed by this device, and are generally exported to the remote VPN peer.
For each self-signed certificate there is a (hidden) private key known only to this device.
Subject name - (mandatory) unique, descriptive name of the person or purpose the certificate is for.
Organisation - (optional) organisation the certificate is for (for example your company).
DNS name - (optional) DNS domain the certificate is for (for example your dynDNS domain).
E-mail - (optional) e-mail address of the contact person for this certificate (for example your e-mail address).
IP Address - (optional) IP address this certificate is for (for example your global IP address, if it is a static one).

Crypto
Key length - The size (in bits) of the public key. A larger size results in higher security but decreased performance, and a much longer time to create the certificate.
Signature algorithm - Algorithm used to digitally sign the certificate. RSA/SHA1 is the most commonly used.
NOTE: DSA/SHA1 must however be used if "DSS signatures" has been selected as IKE Authentication Mode on the IPSec peer settings page.
WARNING: DSA/SHA1 certificates may take up to 8 minutes to create!

Valid to - After this date the certificate is no longer trusted and can no longer be used.


Create certificate - NOTE: Creation of the certificate takes about 15 seconds to complete.
Press the button only once, then wait 15 seconds for the next page to appear.
Create Windows 2000/XP client certificate
This form creates a client certificate, bundles it with the Certificate authority certificate, and saves the resulting PKCS12 bundle to a file. PKCS12 certificate bundles are generally imported into VPN clients, such as the Windows clients, that cannot generate their own self-signed certificates.
The PKCS12 file contains the client's private key, the client's certificate, and the server's certificate. The server's own self-signed certificate is used as the certificate authority.
The created client certificate and the Certificate authority certificate are automatically added to the Trusted certificates list, too.
NOTE: The certificate created here is not for your server, but for the clients connecting to it. The fields below should therefore be filled in with values describing the remote client, not this unit.

Subject name - (mandatory) unique, descriptive name of the person or purpose the certificate is for.
Organisation - (optional) organisation the certificate is for (for example the client's company).
DNS name - (optional) DNS domain the certificate is for (for example the client's dynDNS domain).
E-mail - (optional) e-mail address of the contact person for this certificate (for example the client user's e-mail address).
IP Address - (optional) IP address this certificate is for (for example the client's global IP address, if it is a static one).

Crypto
Key length - The size (in bits) of the public key. A larger size results in higher security but decreased performance, and a much longer time to create the certificate.
Signature algorithm - Algorithm used to digitally sign the certificate. RSA/SHA1 is the most commonly used.
NOTE: DSA/SHA1 must however be used if "DSS signatures" has been selected as IKE Authentication Mode on the IPSec peer settings page.
WARNING: DSA/SHA1 certificates may take up to 8 minutes to create!

Valid to - After this date the certificate is no longer trusted and can no longer be used.
NOTE: This date is not allowed to be later than the "Valid to" date of the Certificate authority's certificate.

Certificate authority - The self-signed certificate that is used to sign the created certificate. This certificate is also included in the PKCS12 file and added to the Trusted certificates list.
Password - Password used to protect the PKCS12 file. The user needs to enter the same password when importing it on the remote VPN peer. Can be left empty to disable the password lock.


Create certificate - NOTE: Creation of the certificate takes about 15 seconds to complete.
Press the button only once, then wait 15 seconds for the next page to appear.
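The two workflows above (a self-signed device certificate, and a client certificate signed by it and packed with its private key into a password-protected PKCS12 bundle) reproduced in Python as an added example; this is not the appliance's own code. It assumes the third-party `cryptography` package, uses RSA/SHA256 rather than the page's RSA/SHA1, and all subject names and passwords are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_self_signed(subject, days, key_bits=2048):
    """Device certificate: issuer == subject, signed with its own (hidden) private key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(_name(subject))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_client_bundle(ca_key, ca_cert, subject, days, password, key_bits=2048):
    """Client certificate signed by the device CA, bundled with its key and the CA cert.
    Enforces the page's rule: client 'Valid to' must not exceed the CA's 'Valid to'.
    An empty password means the PKCS12 file is written without a password lock."""
    now = datetime.now(timezone.utc)
    valid_to = now + timedelta(days=days)
    ca_end = getattr(ca_cert, "not_valid_after_utc", None)  # older library versions lack it
    ca_end = ca_end or ca_cert.not_valid_after.replace(tzinfo=timezone.utc)
    if valid_to > ca_end:
        raise ValueError("client 'Valid to' is later than the CA certificate's 'Valid to'")
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    cert = (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(valid_to)
            .sign(ca_key, hashes.SHA256()))
    enc = serialization.BestAvailableEncryption(password) if password else serialization.NoEncryption()
    return pkcs12.serialize_key_and_certificates(subject.encode(), key, cert, [ca_cert], enc)


def verify_bundle(p12_bytes, password, ca_cert):
    """What the remote peer does on import: unpack the bundle (wrong password raises
    ValueError) and check the client cert was really signed by the trusted CA cert."""
    _key, cert, extra = pkcs12.load_key_and_certificates(p12_bytes, password or None)
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                padding.PKCS1v15(), cert.signature_hash_algorithm)
    return cert.issuer == ca_cert.subject and ca_cert in extra
```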