Installing Certificates for an IKEv1 Policy

Detailed instructions for configuring IPsec VPNs on the Threat Management Services (TMS) zl Module, including an explanation of the figure below, are provided in a separate topic.

Detailed instructions for configuring L2TP (Layer 2 Tunneling Protocol) over IPsec VPNs on the TMS zl Module, including an explanation of the figure below, are provided in a separate topic.

If you selected DSA (Digital Signature Algorithm) Signature or RSA (Rivest-Shamir-Adleman) Signature as the authentication method in an IKEv1 policy, you must install certificates on the TMS zl Module. The module requires:

  • A CA (Certificate Authority) root certificate for the CA that will sign the module's IPsec certificate

  • A CA root certificate for the CA that will sign the remote endpoint's IPsec certificate

  • An IPsec certificate for the module

You can install certificates manually or automatically using SCEP (Simple Certificate Enrollment Protocol).

Install Certificates Manually

Follow these steps to install certificates manually:

  1. Select VPN > Certificates > IPsec Certificates.

  2. Add a private key. You have two options:

      • Generate the private key on the TMS zl Module:

          1. In the Private Keys section, click Generate Private Key.

          2. Specify the following settings:

              • Private Key Identifier

              • Key Algorithm

              • Key Size

      • Import a private key that was generated elsewhere:

          1. Transfer the private key to your management workstation. Make sure that all copies of the private key are stored in secure locations. Otherwise, the certificate could be compromised.

          2. In the Private Keys section, click Import Private Key.

          3. Specify the following settings:

              • Private Key Identifier

              • Select Private Key

  3. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window.

     Note: When you click Apply, you save your changes to the running-config only. If you reboot the module without saving your changes, you will lose those changes. To save your running-config to the startup-config, click Save in the upper-right corner of the Web browser interface.

  4. Delete the private key from your management workstation.

  5. Click Generate Certificate Request.

  6. Specify the following settings:

      • Certificate Name

      • Signature Algorithm

      • Private Key Identifier

      • Subject Name

      • Optional: Subject Alternate Names

  7. Click Apply. The certificate request is displayed in the VPN > Certificates > IPsec Certificates window.

  8. Submit the certificate request to your CA. Request that the certificate files be returned to you in PEM (Privacy Enhanced Mail) or DER (Distinguished Encoding Rules) format. When your CA sends you its CA root certificate, the TMS zl Module's self certificate, and a CRL (Certificate Revocation List), copy the files to your management workstation.

  9. Select VPN > Certificates > Certificate Authorities.

  10. Click Import Certificate.

  11. Under Select Global Trusted Certificate, type the path and filename of the CA root certificate, or click Browse and navigate to the CA certificate file.

  12. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.

  13. Click the IPsec Certificates tab.

  14. Click Import Certificate.

  15. Under Select IPsec Certificate, type the path and filename of the self certificate, or click Browse and navigate to the certificate file.

  16. Click Apply. The self certificate is displayed under IPsec Certificates in the VPN > Certificates > IPsec Certificates window.

  17. Click the CRL tab.

  18. Click Import CRL.

  19. For Select CRL, type the path and filename of the CRL, or click Browse and navigate to the CRL file.

  20. Click OK. The CRL is displayed in the VPN > Certificates > CRL window.
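The manual path ends with a private key on the module and three files from the CA: the CA root certificate, the module's self certificate (PEM or DER), and a CRL. The shell script below is an added example, not part of this documentation or of the TMS zl Module. It uses openssl to act out the "private key generated elsewhere" option on a workstation, with a constructed toy CA standing in for your organization's CA, and then runs the checks worth doing on the returned files before importing them: that the self certificate carries the public half of the private key, that the DER and PEM copies are the same certificate, that the CRL is signed by the root you were given, and that the certificate chains to that root and is not revoked. The names and values used (tms-zl.example.net, 192.0.2.10, Example Org, module.key, and the other file names) are assumptions.

```shell
#!/bin/sh
# Added example, not HP documentation or TMS zl Module code. Walks the
# "private key generated elsewhere" path with openssl, then checks the files
# the CA hands back (self certificate, CA root, CRL) before they are imported.
# Everything is constructed: the toy CA stands in for your organisation's CA;
# tms-zl.example.net, 192.0.2.10 and Example Org are placeholder values.

write_configs() {
    # Request config: the module's Subject Name and Subject Alternate Names.
    cat > "$1/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = tms-zl.example.net
O = Example Org
[ san ]
subjectAltName = DNS:tms-zl.example.net, IP:192.0.2.10
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Minimal 'openssl ca' config; used only by the toy CA to issue its CRL.
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = toy_ca
[ toy_ca ]
database = $1/ca/index.txt
new_certs_dir = $1/ca/newcerts
serial = $1/ca/serial
crlnumber = $1/ca/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_crl_days = 30
policy = toy_policy
[ toy_policy ]
commonName = supplied
EOF
}

# Toy CA: constructed stand-in for the real CA that signs the module's certificate.
make_toy_ca() {
    mkdir -p "$1/ca/newcerts" && touch "$1/ca/index.txt"
    echo 01 > "$1/ca/serial" && echo 01 > "$1/ca/crlnumber"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null
    openssl req -x509 -new -config "$1/req.cnf" -extensions ca_ext -key "$1/ca.key" \
        -subj "/CN=Toy Root CA/O=Example Org" -sha256 -days 365 -out "$1/ca.crt"
}

# Workstation side: the module's private key and a certificate request that
# carries the Subject Name and Subject Alternate Names from req.cnf.
make_module_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/module.key" 2>/dev/null
    openssl req -new -config "$1/req.cnf" -reqexts san -key "$1/module.key" -out "$1/module.csr"
}

# What the CA returns: the signed self certificate in PEM plus a DER copy
# (the module accepts either encoding) and the current CRL.
toy_ca_issue() {
    openssl x509 -req -in "$1/module.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/req.cnf" -extensions san -out "$1/module.crt" 2>/dev/null
    openssl x509 -in "$1/module.crt" -outform DER -out "$1/module.der"
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Revoke the module's certificate and publish a fresh CRL, to show that the
# checks below reject a certificate that is on the CRL.
toy_ca_revoke() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/module.crt" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}

# Checks to run on the returned files before importing them on the module.
# Prints OK, or the reason for rejection, and returns non-zero on failure.
check_returned_files() {
    # 1. The self certificate must carry the public half of the module's private key.
    key_pub=$(openssl pkey -in "$1/module.key" -pubout)
    cert_pub=$(openssl x509 -in "$1/module.crt" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ] || { echo "KEY_MISMATCH"; return 1; }
    # 2. The DER copy must be the same certificate as the PEM one.
    pem_fp=$(openssl x509 -in "$1/module.crt" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -in "$1/module.der" -inform DER -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ] || { echo "DER_MISMATCH"; return 1; }
    # 3. The CRL must be signed by the root you were given, or it cannot be trusted.
    openssl crl -in "$1/ca.crl" -CAfile "$1/ca.crt" -noout 2>&1 | grep -q 'verify OK' \
        || { echo "BAD_CRL"; return 1; }
    # 4. The self certificate must chain to that root and must not be on the CRL.
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/module.crt" >/dev/null 2>&1; then
        echo "OK"
    else
        echo "REJECTED"; return 1
    fi
}

# Run the whole exchange in a scratch directory: checks pass on the fresh
# certificate and fail once the CA has revoked it.
demo() {
    dir=$(mktemp -d)
    write_configs "$dir"; make_toy_ca "$dir"; make_module_key_and_csr "$dir"; toy_ca_issue "$dir"
    before=$(check_returned_files "$dir" || true)
    toy_ca_revoke "$dir"
    after=$(check_returned_files "$dir" || true)
    rm -rf "$dir"
    echo "before=$before after=$after"
}

demo
```

Running the script prints `before=OK after=REJECTED`: the same checks that accept the freshly issued certificate reject it as soon as the toy CA revokes it and publishes a new CRL, which is the reason the CRL is imported on the module alongside the certificates and must be refreshed when the CA issues a new one.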


Install Certificates with SCEP

Note: Microsoft Windows Server 2008 does not implement SCEP in the same way as earlier Windows servers. Refer to the Windows Server 2008 documentation for information on its SCEP implementation.

Follow these steps to install certificates automatically using SCEP (Simple Certificate Enrollment Protocol):

  1. Select VPN > Certificates > SCEP.

  2. For SCEP Server IP Address/Domain Name, type either the IP address or the FQDN (Fully Qualified Domain Name) of your CA's SCEP server.

  3. For SCEP Server Port, type the port number on which your CA server listens for SCEP messages. The default SCEP port is 80.

  4. For CGI-Path, type the path to the program on the CA server that executes SCEP functions. The default path, certsrv/mscep/mscep.dll, is valid on a typical Windows CA; for any other CA, obtain the correct CGI path from your CA's documentation or administrator.

  5. For CA Unique Identifier, type the CA's common name, for example: /CN=<CAcommonname>

  6. Click Apply My Changes.

     Note: When you click Apply My Changes, you save your changes to the running-config only. If you reboot the module without saving your changes, you will lose those changes. To save your running-config to the startup-config, click Save in the upper-right corner of the Web browser interface.

  7. Click the Certificate Authorities tab.

  8. Click Retrieve Certificate through SCEP.

  9. Verify that the CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.

  10. Click the IPsec Certificates tab.

  11. Click Retrieve Certificate through SCEP. The Retrieve Certificate through SCEP window is displayed. Specify the following settings:

      • Subject Name

      • Trusted Certificate to Verify Certificate

      • Certificate Type

      • Encryption Algorithm

      • Challenge Password

      • Identifier to Store Private Key

      • Key Size

  12. Click Apply. The private key is displayed in the VPN > Certificates > IPsec Certificates window. After the CA returns the self certificate, this certificate is also displayed.

  13. Click the CRL tab.

  14. Click Retrieve CRL through SCEP. The CRL is displayed in the VPN > Certificates > CRL window.
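The step that verifies the CA root certificate is displayed only confirms that a certificate arrived. The SCEP GetCACert response is not itself authenticated, so RFC 8894 expects the retrieved CA certificate to be verified out of band, typically by comparing its fingerprint with one obtained from the CA administrator. The shell functions below are an added example, not HP documentation or module code: they assemble the GetCACert URL from the SCEP server address, port, CGI path and CA identifier entered on the SCEP tab (handy for testing those values with curl from a workstation before pointing the module at the server), and compare a retrieved certificate's SHA-256 fingerprint with the expected one. ca.example.net, the file names and the self-signed certificate generated for the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not HP documentation or TMS zl Module code. Builds the SCEP
# GetCACert request URL from the values entered on the SCEP tab and checks a
# retrieved CA certificate against a fingerprint obtained out of band.
# ca.example.net, the paths and the demonstration certificate are constructed.

# Percent-encode the characters that commonly appear in a CA identifier such
# as /CN=Example CA (a full URL encoder is not needed for this one field).
urlencode_ca_id() {
    printf '%s' "$1" | sed -e 's|%|%25|g' -e 's|/|%2F|g' -e 's|=|%3D|g' -e 's| |%20|g'
}

# URL the module requests the CA certificate from (RFC 8894 GetCACert; the
# message parameter carries the CA identifier).
# $1 server IP or FQDN, $2 port (80 by default), $3 CGI path, $4 CA identifier
scep_getcacert_url() {
    printf 'http://%s:%s/%s?operation=GetCACert&message=%s\n' \
        "$1" "$2" "$3" "$(urlencode_ca_id "$4")"
}

# Fetch the CA certificate into $5 as PEM. A CA-only answer is a DER
# certificate; a CA plus RA certificates come back as a degenerate PKCS#7,
# which the fallback unpacks. Needs a live SCEP server, so demo() skips it.
fetch_ca_cert() {
    url=$(scep_getcacert_url "$1" "$2" "$3" "$4")
    curl -fsS "$url" -o "$5.der" || return 1
    openssl x509 -inform DER -in "$5.der" -out "$5" 2>/dev/null \
        || openssl pkcs7 -inform DER -in "$5.der" -print_certs -out "$5"
}

# SHA-256 fingerprint of a PEM certificate, as openssl prints it (AA:BB:...).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Compare a certificate with the fingerprint the CA administrator gave you.
# Colons, spaces and case are normalised so either notation can be pasted in.
fingerprint_matches() {
    got=$(cert_fingerprint "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ -n "$got" ] && [ "$got" = "$want" ]; then echo MATCH; else echo MISMATCH; fi
}

# Demonstration with a constructed self-signed certificate standing in for the
# certificate retrieved through SCEP; the all-zero value plays a wrong fingerprint.
demo() {
    dir=$(mktemp -d)
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$dir/req.cnf"
    openssl req -x509 -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -keyout "$dir/k.pem" \
        -subj "/CN=Example CA" -days 1 -out "$dir/ca.pem" 2>/dev/null
    expected=$(cert_fingerprint "$dir/ca.pem")   # stands in for the out-of-band value
    ok=$(fingerprint_matches "$dir/ca.pem" "$expected")
    bad=$(fingerprint_matches "$dir/ca.pem" "$(printf '%064d' 0)")
    rm -rf "$dir"
    echo "expected=$ok tampered=$bad"
}

demo
```

With the page's default values, `scep_getcacert_url ca.example.net 80 certsrv/mscep/mscep.dll '/CN=Example CA'` yields `http://ca.example.net:80/certsrv/mscep/mscep.dll?operation=GetCACert&message=%2FCN%3DExample%20CA`, and `demo` prints `expected=MATCH tampered=MISMATCH`. Only a MATCH against the fingerprint received out of band should be taken as confirmation that the certificate shown on the Certificate Authorities tab is the intended CA.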