Chapter 9 Authentication

own CA server or use a third-party organization for creating certificates. The same CA certificate is imported onto all X family devices that must authenticate with each other.

Certificate Requests—provides a form and encoding method for the X family administrator to generate a request that a CA server signs into a Local Certificate. The administrator exports the Certificate Request and provides it to the CA server. The CA server signs the request to produce a Local Certificate and returns the signed certificate to the administrator, who then imports it back into the X family device. A successful import of the Local Certificate removes the corresponding Certificate Request, as the request has now been satisfied.

A Distinguished Name (DN) identifies the subject of a certificate; each X family device's Local Certificate carries a unique DN. The Distinguished Name defined when creating the Certificate Request is carried unchanged into the Local Certificate that the CA issues for it. The X family uses the PKCS#10 format for Certificate Requests.

Local Certificates—digitally signed certificates that are used to authenticate IPSec peers on the X family. A Local Certificate is signed by a CA in response to a Certificate Request. The local certificate is a personal certificate, installed on the X family device or remote device, and each device has a unique local certificate. Any device that has imported the CA certificate used to sign a local certificate can authenticate the device that holds it.

Certificate Revocation List (CRL)—a list, signed by a Certificate Authority, of certificates that have been revoked before their expiry dates, along with the reason for each revocation and the date on which the next CRL is due. A Certificate Authority revokes a certificate, for example, when the private key of the key pair is suspected to be compromised (so the public key can no longer be trusted), or when the user details in the certificate have changed. A device only rejects a revoked certificate once it holds a CRL that lists it, so the CRL must be kept current on every device that validates certificates.

Configuring X.509 Certificates

To use X.509 certificates as a secure method of authentication for VPN access to the network, you must configure both local and CA certificates before you configure other VPN services.

STEP 1 Import the CA certificate used to validate local certificates. For details, see “CA Certificates” on page 257.

STEP 2 Create a Certificate Request and export it as a file that can be sent to the CA server. For details, see “Certificate Requests” on page 260.

The CA server converts the request into a signed local certificate.

The local certificate is a personal certificate, installed on the X family device or remote device. Each device has a unique local certificate. The local certificate refers to the CA certificate for validation.

Note If you already have a local certificate with its own private key, you can import this certificate to the device from the Local Certificates page. It is not necessary to complete the Certificate Request process.

STEP 3 Import the signed local certificate retrieved from the CA server. For details, see “Import a signed Local Certificate” on page 263.

STEP 4 To maintain the integrity of the CA certificates on the X family device, you can also associate a CRL with each certificate and configure parameters to automatically update the CRL. For details, see “Certificate Revocation List (CRL) for a CA Certificate” on page 258.
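The four steps above, walked through end to end with OpenSSL standing in for both the X family device and the CA server. This is an added example and not the X family's own tooling or the LSM interface: a private CA is created (Step 1), a PKCS#10 request with a hypothetical device DN is generated and signed into a local certificate (Steps 2 and 3), a peer that trusts the CA certificate validates it, and finally the certificate is revoked and a CRL published (Step 4) so that a CRL-aware peer rejects it. The DN values, file names and the minimal config are constructed for this example.

```shell
#!/bin/sh
# Added example (not the X family's own tooling): the PKCS#10 flow with
# OpenSSL playing both the device and the CA server, followed by revocation
# and CRL publication. All names and DNs below are hypothetical.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: [req] for requests, [ca] for signing and CRLs.
# The policy section fixes which DN attributes survive and in what order.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 7
policy = dn_policy
[ dn_policy ]
countryName = optional
organizationName = optional
commonName = supplied
EOF
touch index.txt
echo 01 > serial
echo 01 > crlnumber

# Step 1 (CA side): the CA certificate that every peer imports.
make_ca() {
  openssl req -x509 -new -config ca.cnf -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/C=US/O=Example Corp/CN=Example Corp VPN CA" 2>/dev/null
}

# Step 2 (device side): key pair plus a PKCS#10 request carrying the device DN.
make_request() {
  openssl req -new -config ca.cnf \
    -newkey rsa:2048 -nodes -keyout device.key -out device.csr \
    -subj "/C=US/O=Example Corp/CN=x-family-branch-01" 2>/dev/null
}

# CA side: sign the request; device.crt is the local certificate to import (Step 3).
sign_request() {
  openssl ca -config ca.cnf -batch -notext -in device.csr -out device.crt 2>/dev/null
}

# The DN from the request must reappear unchanged in the local certificate.
request_dn()     { openssl req  -in device.csr -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
certificate_dn() { openssl x509 -in device.crt -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }

# Peer side: a device that imported ca.crt can validate device.crt.
verify_local_certificate() {
  openssl verify -CAfile ca.crt device.crt >/dev/null 2>&1
}

# Step 4: revoke for suspected key compromise and publish a CRL.
# The verifier gets the CA certificate and the CRL in one trust file.
revoke_and_publish_crl() {
  openssl ca -config ca.cnf -revoke device.crt -crl_reason keyCompromise 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ca_with_crl.pem
}

# A CRL-aware peer must now report "certificate revoked".
is_revoked() {
  openssl verify -crl_check -CAfile ca_with_crl.pem device.crt 2>&1 \
    | grep -q 'certificate revoked'
}

make_ca
make_request
sign_request
verify_local_certificate && echo "local certificate validates against the CA certificate"
revoke_and_publish_crl
is_revoked && echo "with the CRL loaded the certificate is rejected as revoked"
```

Note that `verify_local_certificate` still succeeds after revocation, because it checks the chain without a CRL; only a peer that holds the published CRL rejects the certificate. That is the reason Step 4 ties a CRL to each CA certificate and schedules automatic updates: a device with a stale or missing CRL keeps accepting a revoked peer.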

For more detailed information on X.509 Certificates, see the Concepts Guide.

256 X Family LSM User’s Guide V 2.5.1