Kerio Tech Firewall6 SSL Certificate for the Web Interface, Generate or Import Certificate, 128

Chapter 9 Web Interface

SSL Certificate for the Web Interface

The principle of an encrypted WinRoute Web interface is based on the fact that all com- munication between the client and server is encrypted to protect it from wiretapping and misuse of the transmitted data. The SSL protocol uses an asymmetric encryption first to facilitate exchange of the symmetric encryption key which will be later used to encrypt the transmitted data.

The asymmetric cipher uses two keys: a public one for encrypting and a private one for decrypting. As their names suggest, the public (encrypting) key is available to anyone wishing to establish a connection with the server, whereas the private (decrypting) key is available only to the server and must remain secret. The client, however, also needs to be able to identify the server (to find out if it is truly the server and not an impostor). For this purpose there is a certificate, which contains the public server key, the server name, expiration date and other details. To ensure the authenticity of the certificate it must be certified and signed by a third party, the certification authority.

Communication between the client and server then follows this scheme: the client gen- erates a symetric enctryption key for and encrypts it with the public server key (obtained from the server certificate). The server decrypts it with its private key (kept solely by the server). Thus the symmetric key is known only to the server and client. This key is then used for encryption and decipher any other traffic.

Generate or Import Certificate

During WinRoute installation, a testing certificate for the SSL-secured Web interface is created automatically (it is stored in the sslcert subdirectory under the WinRoute’s installation directory, in the server.crt file; the private key for the certificate is saved as server.key). The certificate created is unique. However, it is issued against a non- existing server name and it is not issued by a trustworthy certificate authority. This certificate is intended to ensure functionality of the secured Web interface (usually for testing purposes) until a new certificate is created or a certificate issued by a public certificate authority is imported.

Click on the Change SSL certificate (in the dialog for advanced settings for the Web interface) to view the dialog with the current server certificate. By selecting the Field (certificate entry) option you can view information either about the certificate issuer or about the subject represented by your server.

You can obtain your own certificate, which verifies your server’s identity, by two means.

You can create your own self-signed certificate. Click Generate Certificate in the dialog where current server status is displayed. Insert required data about the server and your company into the dialog entries. Only entries marked with an asterisk (*) are required.

128