Certificates

Create or import public key certificates in the X.509 standard format. Such certificates are digitally signed statements usually issued by a Certificate Authority (CA) binding together a public key with a particular Distinguished Name (DN) in X.500 notation. Using Let’s Encrypt™ to create certificates is also supported.

You can choose among the following options:

• Generate a new certificate using the self-signed CA of the UTM.
• Upload an existing certificate.
• Create a new certificate with Let’s Encrypt.

You can download certificates either in PKCS#12 or PEM format. The PEM file only contains the certificate itself, while the PKCS#12 file also contains the private key as well as the CA certificate with which it was signed.

Note – Certificates have a validity period. 30 days before a certificate expires, a flag will be added in WebAdmin and you will receive an email notification.

Generate a Certificate

All certificates you generate contain an RSARivest, Shamir, & Adleman (public key encryption technology) key. They are signed by the self-signed certificate authority (CA) VPN Signing CA that was created automatically using the information you provided during the initial login to the WebAdmin interface.

To generate a certificate, proceed as follows:

1. On the Certificates tab, click New Certificate.

   The Add Certificate dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this certificate.

   Method: To create a certificate, select Generate.

   Key size: The length of the RSA key. The longer the key, the more secure it is. You can choose among key sizes of 1024, 2048, or 4096 bits. Select the maximum key size compatible with the application programs and hardware devices you intend to use. Unless longer keys cause critical performance issues for your specific purposes, do not reduce the key size in order to optimize performance.

   VPN ID type: You have to define a unique identifier for the certificate. The following types of identifiers are available:

   • Email address
   • Hostname
   • IPInternet Protocol address
   • Distinguished name

   VPN ID: Depending on the selected VPNVirtual Private NetworkIDIdentity type, enter the appropriate value into this text box. For example, if you selected IP address from the VPN ID type list, enter an IP address into this text box. Note that this text box will be hidden when you select Distinguished Name from the VPN ID type list.

   Use the drop-down lists and text boxes from Country to Email to enter identifying information about the certificate holder. This information is used to build the Distinguished Name, that is, the name of the entity whose public key the certificate identifies. This name contains a lot of personal information in the X.500 standard and is supposed to be unique across the Internet. If the certificate is for a road warrior connection, enter the name of the user in the Common name box. If the certificate is for a host, enter a hostname.

   Comment (optional): Add a description or other information.

3. Click Save.

   The certificate appears on the Certificates list.

Upload a Certificate

To upload a certificate, proceed as follows:

1. On the Certificates tab, click New Certificate.

   The Add Certificate dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this certificate.

   Method: Select Upload.

   File type: Select the file type of the certificate. You can upload certificates being one of the following types:

   • PKCS#12 (Cert+CA): PKCS refers to a group of Public Key Cryptography Standards (PKCS) devised and published by RSA laboratories. The PKCS#12 file format is commonly used to store private keys with accompanying public key certificates protected with a container passphrase. You must know this container passphrase to upload files in this format.
   • PEM (Cert only): A Base64 encoded Privacy Enhanced Mail (PEM) file format with no password required.

   File: Click the Folder icon next to the File box and select the certificate you want to upload.

   Comment (optional): Add a description or other information.

3. Click Save.

   The certificate appears on the Certificates list.

Create a Let’s Encrypt Certificate

Create a Let’s Encrypt certificate to be able to present web browsers an officially signed certificate for the domains associated with the certificate. Let’s Encrypt will create a signed certificate as well as an intermediate CA thus allowing for a chain of trust.

1. On the Certificates tab, click New Certificate.

   The Add Certificate dialog box opens.

2. Make the following settings:

   Name: Enter a descriptive name for this certificate.

   Method: Select Let’s Encrypt.

   Interface: Select an interface through which the Let’s Encrypt servers can contact the domains configured below.

   Domains: Add one or more domains for which the certificate should be valid.

   Comment (optional): Add a description or other information.

3. Click Save.

   The certificate appears on the Certificates list.

Initially, newly created Let's Encrypt certificates are signed by the self-signed certificate authority VPN Signing CA that was created automatically using the information you provided during the initial login to the WebAdmin interface. This makes the certificate immediately usable right after their creation.

In the background, the certificate domains are validated by Let's Encrypt.

Note – This requires HTTP traffic for the certificate domains to reach the UTM.

As soon as Let's Encrypt issued the certificate, the certificate object is updated automatically. This process is repeated whenever the certificate is due for renewal.