Managing Trusted CAs
R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide|357
Managing Trusted CAs
In the VPN > Certificates Trusted CAs page you can add CAs used by remote sites'
certificates to enable a VPN or WebUI certificate. A certificate shown by the remote site must
be signed by a CA that is trusted by the appliance. Trusted CAs include both intermediate and
root CAs.
This page also shows the built in Internal CA that by default creates the certificates for this
appliance. It can also be used to sign remote sites' certificates. You can also export the
internal CA to add it to a remote site's trusted CA list.
When Cloud Services is turned on and the appliance is configured by a Cloud Services
Provider, the CA of the Cloud Services Provider is downloaded automatically to the appliance.
The Cloud Services Provider CA is used by community members configured by Cloud
Services.
Note - If you turn Cloud Services off, the Cloud Services Provider CA is removed.
Recommended configurations
When you use certificate based site to site VPN with only one remote site, we recommend you
export each site's Internal CA and add it to the other site's Trusted CA list.
When you use certificate based site to site VPN with multiple remote sites, in a mesh
configuration, we recommend for all sites to use one CA to sign their internally used
certificates on appliances that support creating signing requests. You must also add the same
CA to all sites' Trusted CAs list. That CA can be an external CA service like Verisign (for a fee)
or simply use this appliance's Internal CA. See below how to use it to sign external requests.
To add a trusted CA:
1. Click Add.
2. Click Browse to upload a CA's identifier file (a .CRT file).
3. A CA name is suggested, but you can enter another name if preferred.
Click Preview CA details to see further information from the .CRT file.
4. Click Apply The CA is added to the Trusted CA list.
To Next Page
Loading...
