ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual
Managing Users, Authentication, and Certificates 7-17
v1.0, April 2010
4. Click Apply to save your settings.
Managing Digital Certificates
The VPN firewall uses digital certificates (also known as X509 certificates) during the Internet
Key Exchange (IKE) authentication phase to authenticate connecting IPsec VPN gateways or
clients, or to be authenticated by remote entities. The same digital certificates are extended for
secure Web access connections over HTTPS (that is, SSL connections).
Digital certificates either can be self-signed or can be issued by certification authorities (CAs) such
as an internal Windows server or an external organizations such as Verisign or Thawte.
However, if the digital certificate contains the extKeyUsage extension, the certificate must be used
for one of the purposes defined by the extension. For example, if the digital certificate contains the
extKeyUsage extension that is defined for SNMPV2, the same certificate cannot be used for
secure Web management. The extKeyUsage would govern the certificate acceptance criteria on the
VPN firewall when the same digital certificate is being used for secure Web management.
On the VPN firewall, the uploaded digital certificate is checked for validity and purpose. The
digital certificate is accepted when it passes the validity test and the purpose matches its use. The
check for the purpose must correspond to its use for IPsec VPN, SSL VPN, or both. If the defined
purpose is for IPsec VPN and SSL VPN, the digital certificate is uploaded to both the IPsec VPN
certificate repository and the SSL VPN certificate repository. However, if the defined purpose is
for IPsec VPN only, the certificate is uploaded only to the IPsec VPN certificate repository.
The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and
to be authenticated by remote entities. A digital certificate that authenticates a server, for example,
is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is
from a trusted third party whose identity can be verified.
Idle Timeout The period after which an idle user is automatically logged out of the Web
Management Interface. De default idle timeout period is 10 minutes.
Table 7-6. Edit User Settings (continued)
Setting Description (or Subfield and Description)
To Next Page
Loading...
