All IPsec Certificates Fields

Install IPsec certificates on VPN > Certificates > IPsec Certificates.

Import Certificate

Click to import an IPsec certificate that you have already saved. Click Browse, navigate to an IPsec certificate in PEM (Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) format, and click Apply.

Retrieve Certificate through SCEP (Simple Certificate Enrollment Protocol)

Click to retrieve a certificate from the CA (Certificate Authority) server that you configured on VPN > Certificates > SCEP.

Subject Name

Typically, you type the Threat Management Services (TMS) zl Module's FQDN (Fully Qualified Domain Name). The remote tunnel endpoint will use this subject name to authenticate the module; therefore, the subject name must match a remote ID that is configured on the remote endpoint. Use the format /CN=<common name>.

Trusted Certificate to Verify Certificate

Select a CA root certificate that can verify the certificate. This CA root certificate must already be uploaded on VPN > Certificates > Certificate Authorities and it must have been generated by the SCEP server that you specified on VPN > Certificates > SCEP.

Certificate Type

Select RSA-MD5 (Rivest-Shamir-Adleman with Message Digest algorithm 5) or RSA-SHA-1 (Rivest-Shamir-Adleman with Secure Hash Algorithm 1). This setting determines the algorithm for the private key. You should have selected RSA Signature for the Authentication Method in the IKE policy.

Encryption Algorithm

Select DES (Data Encryption Standard) or 3DES.

Challenge Password

Type the password that your CA has given you. The challenge password is typically used to revoke a certificate. If your CA does not require a password, leave this box empty.

Identifier to Store Private Key

Specify a string between 1 and 31 alphanumeric characters. The string must be unique to this private key.

Key Size

Select 512, 1024, or 2048 to specify the length of the key in bits. Click Apply to retrieve the certificate.

Import Private Key

Click to import a private key that was generated elsewhere. First you must transfer the private key to your management workstation. Make sure that all copies of the private key are stored in secure locations; otherwise, the certificate could be compromised.

Private Key Identifier

Type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key.

Select Private Key

Type the path and filename for the private key or click Browse, navigate to the private key, and then click Apply.

Generate Private Key

Click to generate a private key.

Private Key Identifier

Type a descriptive string between 1 and 31 alphanumeric characters. The string must be unique to this key.

Key Algorithm

Select RSA or DSA (Digital Signature Algorithm). In the IKEv1 policy, match DSA Signature or RSA Signature from Authentication Method (Step 2 of 3).

Key Size

Select 512, 1024, or 2048. This determines the length of the key in bits.

Generate Certificate Request

Click to generate an IPsec certificate request.

Certificate Name

Type a descriptive alphanumeric string. The name must be unique for this request.

Signature Algorithm

Select the algorithm that will be used to sign the certificate.

  • SHA-1 with RSA

  • MD5 with RSA

  • SHA-1 with DSA

You must select the same algorithm that is used by the private key: select MD5 with RSA or SHA-1 with RSA for an RSA key and SHA-1 with DSA for a DSA key.

Private Key Identifier

Select a private key from the list.

Subject Name

Type the subject name of the TMS zl Module. Use the format /CN=<common name>.

Subject Alternate Names

Optional: Specify other IDs with which the module identifies itself:

  • Type an IP address in one or both IP Address boxes. Typically, the IP address is the module’s public IP address, but you can specify any valid IP address.

  • Type an FQDN in one or both Domain Name boxes.

  • Type an email address in one or both Email ID boxes. The email address does not have to be valid.

The subject name or one of the subject alternative names must match a remote ID that is configured on the remote tunnel endpoint. The name must match in both type and value. For example, if you have typed TMS.procurve.com for Subject Name, an IKE policy on the remote tunnel endpoint must allow the remote ID of type FQDN and value TMS.procurve.com.

Likewise, if you type 10.10.10.10 for IP Address, an IKE policy on the remote tunnel endpoint must allow the remote ID of type IP Address and value 10.10.10.10.
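The type-and-value matching rule above, as an added example in Python (not part of the module's documentation or HP's own code): it parses the /CN=<common name> subject format, collects the identities a certificate built from these fields carries, and checks them against the remote IDs an IKE policy allows. The ID type names, the canonicalization rules (DNS names and email domains compared case-insensitively, IP addresses compared in canonical form) and the function names are assumptions.

```python
import ipaddress

# Remote ID types as they are named on this page (assumption: used as plain labels here).
FQDN, IP_ADDRESS, EMAIL = "FQDN", "IP Address", "Email ID"


def parse_subject_name(subject: str) -> str:
    """Extract the common name from the '/CN=<common name>' format the page requires."""
    parts = [p for p in subject.split("/") if p]
    cn = [p[3:] for p in parts if p.upper().startswith("CN=")]
    if len(cn) != 1 or not cn[0]:
        raise ValueError(f"subject must use the form /CN=<common name>: {subject!r}")
    return cn[0]


def normalize(id_type: str, value: str) -> str:
    """Canonicalize a value so matching is by type AND value, not by string spelling."""
    if id_type == IP_ADDRESS:
        return str(ipaddress.ip_address(value))  # rejects hostnames given as IP IDs
    if id_type == FQDN:
        return value.rstrip(".").lower()  # assumption: DNS names are case-insensitive
    if id_type == EMAIL:
        local, _, domain = value.rpartition("@")
        return f"{local}@{domain.lower()}"  # assumption: local part stays case-sensitive
    raise ValueError(f"unknown ID type {id_type!r}")


def certificate_identities(subject_name, ip_addresses=(), domain_names=(), emails=()):
    """All (type, value) pairs the certificate carries; the subject CN counts as an FQDN ID."""
    ids = {(FQDN, normalize(FQDN, parse_subject_name(subject_name)))}
    ids |= {(IP_ADDRESS, normalize(IP_ADDRESS, v)) for v in ip_addresses}
    ids |= {(FQDN, normalize(FQDN, v)) for v in domain_names}
    ids |= {(EMAIL, normalize(EMAIL, v)) for v in emails}
    return ids


def remote_id_accepted(cert_ids, allowed_remote_ids) -> bool:
    """True if any remote ID the policy allows matches the certificate in both type and value."""
    return any((t, normalize(t, v)) in cert_ids for t, v in allowed_remote_ids)


if __name__ == "__main__":
    # Constructed sample: the page's own subject and IP address examples.
    cert = certificate_identities("/CN=TMS.procurve.com", ip_addresses=["10.10.10.10"])
    print(remote_id_accepted(cert, [(FQDN, "TMS.procurve.com")]))   # True
    print(remote_id_accepted(cert, [(IP_ADDRESS, "10.10.10.10")]))  # True
    print(remote_id_accepted(cert, [(FQDN, "10.10.10.10")]))        # False: same value, wrong type
```

The last call shows the failure mode the text warns about: an allowed remote ID of type FQDN whose value happens to equal the certificate's IP address still does not match, because the type differs.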