StoneGate SSL VPN Technical Note 2068. Adding Bundled Certificates



Table of Contents

Introduction
Overview
Splitting the Certificate
Adding the CA Certificate
Adding the Server Certificate
Feedback

Introduction

This technical note covers all aspects of managing bundled certificates.

Prerequisites

This technical note assumes a thorough understanding of StoneGate administration and how to manage certificates. A basic understanding of OpenSSL is also required. Use the further reading listed below to gain the required knowledge.

Further Reading

More information on StoneGate administration can be found in the StoneGate SSL VPN Administrator's Guide, the Online Help and the Technical Note repository provided with the product. Another source of information is the Stonesoft Support site, which can be found at http://www.stonesoft.com/support/. For more information on OpenSSL, visit http://www.openssl.org.

Overview

When acquiring a certificate from a Certificate Authority (CA), for example VeriSign or Thawte, the certificate may sometimes come in a chain of bundled intermediate certificates. The StoneGate SSL VPN Administrator does not currently handle bundles directly, so each certificate in the chain must be extracted and managed separately.

Splitting the Certificate

Follow the instructions below to extract, split, and add the certificate. You will be using tools from OpenSSL to perform some of these steps. Your StoneGate appliance already has OpenSSL installed, ready to be used. It is also possible to download OpenSSL from http://www.openssl.org.

To split the certificate:

1. Store the downloaded certificate and private key locally on your hard drive. The certificate must be in the PEM format. In this example the PEM bundle is called MyCertBundle.pem.

   Note: PEM is the default format for OpenSSL. It stores data as Base64-encoded DER surrounded by ASCII headers, suitable for text-mode transfers between systems. DER, on the other hand, can contain private keys, public keys and certificates. It stores data according to the ASN.1 DER encoding rules. It is header-less, whereas PEM is DER wrapped in text headers. DER is the default format for most browsers.

2. Use the OpenSSL command-line tool to split the chain. This command takes the downloaded MyCertBundle.pem as its input parameter and outputs the result to the file named MySplitCerts.pem.

   openssl pkcs7 -in MyCertBundle.pem -print_certs -out MySplitCerts.pem

3. Open the file MySplitCerts.pem in a text editor and save each certificate in a separate file. Name the separate files appropriately so it is easy to remember which file contains which part. Cut above the BEGIN line and below the END line:

   -----BEGIN CERTIFICATE-----
   (certificate contents)
   -----END CERTIFICATE-----
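As an added helper for steps 2 and 3 (example code written for this note, not Stonesoft's own tooling): a POSIX shell script that writes each certificate in MySplitCerts.pem to its own file, drops the subject=/issuer= lines that -print_certs inserts between blocks, and, where openssl is available, flags a self-signed root so it can be left out of the appliance. If the CA delivered the chain as plain concatenated PEM certificates rather than a PKCS#7 file, openssl pkcs7 rejects the input because it expects a PKCS#7 structure; in that case skip step 2 and run the split directly on the bundle. The function names, the output prefix and the sample bundle are assumptions constructed for the example.

```shell
#!/bin/sh
# Splits a PEM certificate bundle (MySplitCerts.pem from the note, or a plain
# concatenated PEM chain) into one file per certificate, and flags the root.
# Function names and the file-name prefix are assumptions for this example.

split_pem_bundle() {
  # $1 = bundle file, $2 = output prefix; writes <prefix>-01.pem, -02.pem, ...
  # Only the text from the BEGIN line to the END line is kept, so the
  # subject=/issuer= lines that "openssl pkcs7 -print_certs" emits between
  # blocks are dropped. Prints the number of certificates written.
  awk -v prefix="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s-%02d.pem", prefix, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

is_root_cert() {
  # Exit 0 when the certificate is self-signed (subject equals issuer), which
  # is the root the note says does not need to be added to the appliance.
  # Requires openssl; exits 2 if the file cannot be parsed.
  s=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
  i=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
  [ "${s#subject=}" = "${i#issuer=}" ]
}

make_sample_bundle() {
  # Constructed sample input (placeholder bodies, not real certificates) in the
  # layout "openssl pkcs7 -print_certs" produces: leaf first, then intermediate.
  cat > "$1" <<'EOF'
subject=/CN=vpn.example.test
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
TEVBRi1DRVJUSUZJQ0FURS1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----

subject=/CN=Example Intermediate CA
issuer=/CN=Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}

if [ "$#" -ge 1 ]; then
  # Usage: ./splitcerts.sh MySplitCerts.pem [prefix]
  count=$(split_pem_bundle "$1" "${2:-MyCert}")
  echo "wrote $count certificate file(s)"
  for f in "${2:-MyCert}"-*.pem; do
    if is_root_cert "$f"; then echo "$f: self-signed root, not needed on the appliance"; fi
  done
fi
```

Name each output file after the subject it shows (for example MyIntermediateCA.pem) before uploading it in the Administrator, as step 3 advises.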

A certificate key conversion tool is provided with StoneGate SSL VPN to enable you to convert certificate keys to the PKCS#8 format used in StoneGate SSL VPN. The tool is called key2pkcs8.sh. This step is optional: if your certificate keys are already in PKCS#8 format, this procedure can be omitted. Follow the instructions below to convert the certificate key to PKCS#8 format.

Note: The certificate key to convert must be in PEM file format.

To convert the key to PKCS#8 format (optional):

1. Connect to the Linux command line. You can connect to the command line through the administration port using an SSH client. Log in as user root. The password is set through the basic Web console. Consult the Appliance Installation Guide for your appliance if you need information on how to access the command line or on how to change the password.
2. Copy the existing key to the conversion tool directory.
3. Give the file the extension .key.
4. Start the conversion by running the command ./key2pkcs8.sh.
5. Follow the provided instructions.

Note: To skip encrypting the certificate key, press Enter when prompted for a password.

Adding the CA Certificate

Follow the instructions below to add an intermediate certificate as a CA certificate in the StoneGate SSL VPN Administrator. Repeat the procedure for each intermediate certificate.

Note: It is not necessary to add the root certificate.

To add a CA certificate:

1. Select Manage System in the main menu and click Certificates in the left-hand menu.
2. Click the Add Certificate Authority link.
3. Enter a display name.
4. Click the Browse button to locate the certificate. When selected, the subject attribute will provide the distinguished name of the CA.
5. Select the applicable revocation check alternative. Available options are:
   - CRL: To revoke an already issued client certificate, the client certificate validation routine checks against the Certificate Revocation List (CRL). Selected by default.
   - No certificate revocation checking should be performed.
6. Click Next.
7. If you selected No certificate revocation checking should be performed, click Finish Wizard.
8. If you selected CRL, click the Add Control Distribution Point link to add a Control Distribution Point (CDP) used to verify certificates issued by this CA.
9. Enter the following settings for the CDP:
   - Address: Enter the address of the CDP in URL format (either an LDAP address, RFC2255-formatted address, or an HTTP address). Address is mandatory.

     Example: The example below is an LDAP address.

     URL=ldap:///CN=win2k%20root%20CA,CN=test-win2k-ad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=win2k-ad,DC=thesecurecompany,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint

     The example below is an HTTP address.

     http://www.example.com:80/ldap/crl.cer

   - Fetch Time Adjustment: Enter the adjustment in seconds (-86400 to 86400) applied to the time at which revocation information is retrieved, relative to the set time for revocation information fetching. This setting is useful when there is latency when the CA issues a new CRL, which can occur if there are replicated directories involved.
   - Update Time: When selected, a custom update time is enabled and the defined update time stored in the system is used. When not selected, the Next Update Time attribute from the CRL is used.
   - Define Interval for CRL Retrieving: Specify the interval in seconds (0-31536000) for CRL retrieval. Mandatory when Update Time is selected. Set to 3600 by default.
   - Retry Interval: Specify the interval in seconds (0-31536000) for retrying CRL retrieval if the CRL cannot be obtained. Set to 300 by default.
10. Click Next to add the CDP.
11. Select the applicable CRL Invalid Action alternative, to specify how users authenticated with a user certificate should be handled if the required and requested CRL cannot be obtained. Available options are:
   - Authentication is denied: When selected, authentication is denied for all users authenticated by user certificate.
   - Authentication is allowed, previously retrieved CRL is used: When selected, certificate revocation control is performed using the previously retrieved CRL. The system will log that an invalid CRL is used.
12. Click Finish Wizard. The certificate is added as a Certificate Authority.

Adding the Server Certificate

Follow the instructions below to add the server certificate and private key in the StoneGate SSL VPN Administrator and select the required intermediate certificates.

Note: The certificate must be in PEM format, and the private key must be a PKCS#8 key in either DER or PEM format.

To add the server certificate:

1. Select Manage System in the main menu and click Certificates in the left-hand menu.
2. Click the Add Server Certificate link.
3. Enter a display name.
4. Click the Browse button to locate the certificate.
5. Click the Browse button to locate the private key for the certificate.
6. If the certificate key is encrypted, enter the applicable Password.
7. Select the CA certificates used to complete the entire certificate chain.
8. Click Save. The server certificate is added.

Feedback

Stonesoft is always interested in feedback from our users. For comments regarding Stonesoft's products, contact feedback@stonesoft.com. For comments regarding this technical note, contact documentation@stonesoft.com.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

SSL VPN Powered by PortWise

Copyright and Disclaimer

Copyright 2000-2007 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

SG_SVTN_2068_20070625

www.stonesoft.com

Stonesoft Corp., Itälahdenkatu 22a, FIN-00210 Helsinki, Finland, tel. +358 9 4767 11, fax +358 9 4767 1234
Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA, tel. +1 770 668 1125, fax +1 770 668 1131