Client Certificates

Installing Root Certificates

Support for most trusted root authorities is already built into the Windows operating system and Internet Explorer. Therefore, there is no need to obtain and install root certificates on the client device if you are using these CAs. However, if you decide to use a different CA, you need to obtain and install the root certificates yourself.

Obtaining a Root Certificate from a Certificate Authority

Root certificates are available from the same Certificate Authorities (CAs) that issue server certificates. Well-known or trusted CAs include VeriSign, Baltimore, Entrust, and their respective affiliates. Certificate authorities tend to assume that you already have the appropriate root certificates (most Web browsers have root certificates built in). However, if you are using certificates from a CA that is not already included on the client computer, you need to specifically request the root certificate.

Several types of root certificates are available. For example, VeriSign has approximately 12 root certificates that they use for different purposes, so it is important to ensure that you obtain the correct root certificate from the CA.

Installing Root Certificates on a Client Device

Root certificates are installed using the Microsoft Management Console (MMC) in Windows. When installing a root certificate to the MMC, use the Certificate Import wizard. The certificate is installed in the Trusted Root Certification Authorities store for the local computer.

For information about root certificate availability and installation on platforms other than 32-bit Windows, refer to product documentation appropriate for the operating system you are using.
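
The Windows installation described above can also be scripted. The following is an added example, not part of the WatchGuard guide: it checks a root certificate file against a fingerprint obtained from the CA over a separate channel before placing it in the local computer's Trusted Root Certification Authorities store. The parameter names `$CertPath` and `$ExpectedSha256` are assumptions chosen for this example.

```powershell
# Added example: verify a root certificate before trusting it machine-wide.
# $CertPath and $ExpectedSha256 are hypothetical parameter names; get the
# fingerprint from the CA over a separate, trusted channel.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)

$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path $CertPath).Path

# Load the file for inspection only; nothing is installed at this point.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

# SHA-256 over the DER bytes, so the result is the same for PEM and DER files.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()

if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual, expected $expected. Not installing."
}

# A root certificate is self-signed: subject and issuer are the same name.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer is '$($cert.Issuer)'). Not installing."
}

# Reject certificates that are expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Same destination the Certificate Import wizard uses for the local computer.
# Requires an elevated (administrator) session.
Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter
```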

Selecting an Encryption Type for Client Connections

All communications between the Secure Access Client and the Firebox SSL VPN Gateway are encrypted with SSL. The SSL protocol allows two computers to negotiate encryption ciphers to accomplish the symmetric encryption of data over a secure connection.

You can select the specific cipher that the Firebox SSL VPN Gateway uses for the symmetric data encryption on an SSL connection. Selecting a strong cipher reduces the possibility of malicious attack. The security policies of your organization may also require you to select a specific symmetric encryption cipher for secure connections.

You can select RC4, 3DES, or AES encryption ciphers for SSL connections. The default setting is RC4 128-bit. The MD5 or SHA hash algorithm is negotiated between the client and the server.

The Firebox SSL VPN Gateway uses RSA for public key encryption in a secure connection. The encryption ciphers and hash algorithms that you can select for symmetric encryption are listed below:

RC4 128-bit, MD5/SHA

3DES, SHA

AES 128/256-bit, SHA

To select an encryption type for client connections

1. Click the Global Cluster Policies tab.

2. Under Select security options, in Select encryption type for client connections, select the bulk encryption cipher you want to use for secure connections.

Administration Guide


SSL VPN specifications

WatchGuard Technologies offers a robust SSL VPN solution designed for secure remote access to corporate networks. As businesses increasingly rely on a remote workforce, the need for secure and reliable connectivity has never been more critical. WatchGuard's SSL VPN features advanced security technologies that ensure data integrity and confidentiality while enabling seamless access to applications and resources.

One of the standout features of WatchGuard's SSL VPN is its user-friendly interface. The solution is designed to simplify the user experience, enabling employees to connect to the VPN with minimal complexity. With a straightforward setup process, users can quickly establish secure connections from various devices, including laptops, smartphones, and tablets. This flexibility supports a diverse workforce, allowing employees to work from different locations without compromising security.

In addition to its ease of use, WatchGuard's SSL VPN is built on robust security technologies. It employs end-to-end encryption to safeguard data in transit, ensuring that only authorized users can access sensitive information. By utilizing SSL (Secure Sockets Layer) protocols, the VPN creates a secure tunnel between the user’s device and the corporate network, protecting against potential threats such as eavesdropping or man-in-the-middle attacks.

Moreover, WatchGuard Technologies includes multiple authentication options, adding another layer of security. The solution supports multi-factor authentication (MFA), requiring users to provide additional verification beyond just a password. This could involve mobile device verification or biometric authentication, significantly reducing the risk of unauthorized access.

Another key characteristic of WatchGuard’s SSL VPN is its integration with other WatchGuard security solutions. Businesses can benefit from a comprehensive security posture by leveraging firewalls and intrusion prevention systems along with the SSL VPN. This holistic approach ensures that remote connections are continually monitored and secured against evolving cyber threats.

Scalability is also a crucial aspect of WatchGuard's SSL VPN, accommodating growing organizations with changing needs. The solution can easily scale to support an increasing number of remote users without compromising performance. With robust performance metrics, businesses can ensure that even during peak usage times, the VPN remains responsive and reliable.

In summary, WatchGuard Technologies' SSL VPN solution combines ease of use, robust security, flexible authentication, and scalability. These features make it an ideal choice for organizations seeking to provide secure remote access to their employees while maintaining a strong defense against cyber threats. With WatchGuard, businesses can confidently navigate the challenges of a digital landscape, ensuring their network remains secure as they embrace remote work.