Manual Chapter: FirePass Controller version 5.4 Handbook: Using Server Certificates


3 Using Server Certificates


Overview of SSL Server Certificates

A valid SSL server certificate, also known as a security certificate, is important for establishing secure HTTPS connections. An SSL server certificate identifies your server to any connecting client computer. The certificate contains information identifying the organization it was issued to, as well as an expiration date. The SSL (Secure Sockets Layer) protocol uses the certificate to establish a secure connection. Most browsers that support SSL connections have internal lists of trusted Certificate Authorities (CAs), and can automatically accept certificates issued by these organizations.

Note

When a signed certificate expires, you should delete it from the FirePass controller. For information on how to delete a certificate, see Deleting installed certificates.

Server certificates and the FirePass controller

When a FirePass user connects to the FirePass controller, the controller presents the certificate to the client browser. The browser compares the certificate with its internal list of trusted certificates and trusted Certificate Authorities, and, if it finds a match, allows the connection with no interruption. The browser displays a warning if:

  • The certificate, or the CA that issued it, is not in the browser's list of trusted certificates
  • The name on the server certificate does not match the actual name of the server (the FirePass controller)
  • The certificate has expired

The FirePass controller includes a preconfigured, default SSL server certificate for firepass.company.xyz. You can use this certificate while configuring and testing a FirePass controller, but the certificate is not unique, and the certificate's server name will not match the name you give to the FirePass controller, so anyone connecting to the FirePass controller sees warning messages from their web browser.

Important

Before you make the FirePass controller available to external users, you should replace the default server certificate with a signed certificate.

Certificate Authority-signed SSL server certificates

Most organizations should purchase and install a server certificate signed by a known, trusted Certificate Authority. A CA-signed certificate provides a high level of trust by verifying that the server is actually what it claims to be. Most web browsers automatically recognize known, public Certificate Authorities, and FirePass controller users can log in without seeing warning or error messages.

To obtain a trusted server certificate, submit a Certificate Signing Request (CSR) to a trusted CA such as Thawte or Verisign. The CA verifies your organization's identity before issuing a signed certificate.

You can generate a CSR from the FirePass controller Administrative Console. For more information, see Generating a Certificate Signing Request.

Self-signed SSL server certificates

An alternative to a CA-signed server certificate is a self-signed certificate. A self-signed server certificate provides a greater level of trust than the default certificate, but is not as secure as a CA-signed certificate.

A self-signed certificate is not automatically recognized by client browsers, so users connecting to a FirePass controller with a self-signed certificate may see browser warnings. You can add the certificate to the browser's accepted list to eliminate the warnings. For details on self-signed certificates, see Generating and installing a self-signed certificate.

A CA-signed server certificate provides the highest level of trust, but a self-signed certificate may provide an acceptable level of trust for some production environments. A self-signed certificate has not been validated by a trusted organization, but it is unique (the default FirePass controller server certificate is not).

Managing certificates on the FirePass controller

A pre-installed, default certificate (for firepass.company.xyz) is included on each FirePass controller. This certificate is intended only for testing and initial configuration. It should not be used for any other purpose. Before you make secure connections using the FirePass controller, you must install at least one signed SSL server certificate.

The FirePass controller Administrative Console makes it easy to manage server certificates. Use the Administrative Console to:

  • Display and review information about installed certificates
  • Generate Certificate Signing Requests (CSRs) to submit to trusted Certificate Authorities
  • Install server certificates
  • Generate and install self-signed server certificates
  • Update installed certificates
  • Delete installed certificates

Displaying information on installed certificates

You can view a list of server certificates installed on the FirePass controller, along with basic information about each certificate. The SSL Server Certificate screen displays the following information:

  • Status of the certificate (Valid or Fake; a status of Fake means the certificate is invalid or has expired)
  • Names of the certificate and encryption key files
  • Common name on the certificate
  • The issuer of the certificate
  • The certificate's expiration date

To view certificate information

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, expand Configuration, and click Network Configuration.
    The Network Configuration screen displays, with the IP Config tab selected.
  4. Click the Web Services tab.
  5. On the Web Server Configuration screen, click the Configure SSL Certificates link.
    The SSL Server Certificate screen displays.
  6. The SSL Server Certificate screen lists all the server certificates that are installed on the FirePass controller.
Note

If you have not installed any certificates, the SSL Server Certificate screen lists only the default certificate for firepass.company.xyz.

Generating a Certificate Signing Request

The process of getting a CA-signed certificate is simple, especially when you take advantage of the FirePass controller feature for generating a Certificate Signing Request (CSR). When the CSR is generated, save it and submit it to a trusted Certificate Authority. The CA will verify your identity and send a signed digital certificate. Install this certificate on the FirePass controller.

To generate a certificate request

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, click Security, and then click Certificates.
    The Renew/Replace SSL Server Certificate screen displays.
  4. Click Generate.
    The SSL Server Certificate screen displays the Generate New Certificate Request options.
Note

You can also get to this screen from the Device Management : Configuration : Network Configuration screen, by clicking the Web Services tab, clicking the Configure SSL Certificates link, and clicking the Generate Certificate Request button.
  5. The SSL Server Certificate screen displays a number of boxes you need to fill out in order to generate a Certificate Request:
    1. The Server Name defaults to the fully qualified domain name of the FirePass controller.
    2. In the Country Name box, type a 2-letter country code.
    3. In the State box, type the state or province where your organization is located.
    4. In the City box, type the city where your organization is located.
    5. In the Company box, type your organization name.
    6. In the Organizational Unit box, type the name or title of your organizational unit.
    7. In the Contact Email box, type your email address. (The CA uses this address for verification purposes.)
    8. In the Encryption Password box, type a password for the private key that will be generated. You need this password when you install the signed certificate.
    9. Click the Generate Request button to generate the request.
      The SSL Server Certificate screen displays, with a message saying your Certificate Request has been generated. Review the information for accuracy. (If you skip or mistype any required values, an error message displays. Correct the problem and click the Generate Request button again.)
  6. When your Certificate Request has been generated, save it to your local computer. Click the here link to download the Certificate Request to your local hard drive. When prompted, save the CertRequest.zip file to your computer.
  7. The CertRequest.zip file contains three files: README.html, new.key, and newcert.csr.
    The README.html file contains instructions for submitting the Certificate Request to a known Certificate Authority.
Important

The FirePass controller does not save the CSR. You need to save the zip file to a safe location.

Submitting a Certificate Signing Request

When you generate a Certificate Signing Request (CSR, or Certificate Request) from the Administrative Console, the FirePass controller creates a zipped file, CertRequest.zip, that contains three files:

  • README.html has instructions for submitting the Certificate Request to a known Certificate Authority. You can view this file using any browser.
  • new.key contains the private key for the requested certificate. Keep this file in a safe place. You need it when you install your CA-signed certificate.
  • newcert.csr file contains the Certificate Request. This is the file you send to a known Certificate Authority for signing.

Submit your CSR to a trusted Certificate Authority (CA). If asked, specify a certificate type of mod_ssl (Apache). The CA may contact you to verify details about your Certificate Request.
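The CSR the controller builds from those boxes can be reproduced and inspected with the openssl CLI before it goes to the CA. The script below is an added example, not the handbook's or the controller's own code; the hostname firepass.example.com, the subject values and the key password are assumed.

```shell
#!/bin/sh
# Added example, not from the FirePass handbook: do with the openssl CLI what the
# Generate Certificate Request screen does, then check newcert.csr before sending
# it to the CA. Hostname, subject values and the key password are assumed values.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
KEY="$W/new.key"          # same names the controller uses in CertRequest.zip
CSR="$W/newcert.csr"
PASS="ExamplePassw0rd"    # the Encryption Password typed on the screen

# One command creates the RSA key (PEM, encrypted with PASS) and the CSR.
# -subj fields map to the form boxes: C = Country, ST = State, L = City,
# O = Company, OU = Organizational Unit, CN = Server Name, emailAddress = Contact Email.
make_csr() {
  openssl req -new -newkey rsa:2048 -sha256 \
    -keyout "$KEY" -passout "pass:$PASS" -out "$CSR" \
    -subj "/C=US/ST=Washington/L=Seattle/O=Example Co/OU=IT/CN=firepass.example.com/emailAddress=admin@example.com" \
    2>/dev/null
}

# Subject as the CA will read it (RFC 2253 form, most specific RDN first).
csr_subject() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Common Name alone: browsers warn unless this equals the controller's FQDN.
csr_cn() {
  csr_subject | tr ',' '\n' | sed -n 's/^CN=//p'
}

# A CSR is self-signed with the requested key; an edited or truncated file fails here.
csr_signature_ok() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Prove new.key, unlocked with PASS, is the private half of the public key in the CSR.
# A wrong password or a key from another request makes this fail.
csr_matches_key() {
  k=$(openssl pkey -in "$KEY" -passin "pass:$PASS" -pubout 2>/dev/null) || return 1
  c=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

make_csr
echo "Subject: $(csr_subject)"
csr_signature_ok && echo "CSR signature: OK"
csr_matches_key  && echo "new.key matches newcert.csr: OK"
```

Keep new.key and the password together with the CSR you submit; the signed certificate the CA returns is useless without that exact key.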

Installing a server certificate

Install a signed server certificate on the FirePass controller before you allow any user to log in. You can install either:

  • A CA-signed certificate.
    If you install a CA-signed certificate, users will not see browser warning messages.
  • A self-signed certificate.
    If you install a self-signed certificate, users see browser warning messages unless you also install the self-signed certificate on the user browsers. For more information on installing a self-signed certificate on user browsers, see Installing a self-signed certificate on client computers.
  • An intermediate certificate.
    If you are using a CA-signed intermediate certificate (also known as a certificate chain), install the intermediate certificate when you install your signed certificate.

You need the encryption key associated with the certificate, as well as the encryption password. If you are generating a CSR using the FirePass controller, the key (new.key) is in the zipped file that you saved.

To install a server certificate

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, expand Security and click Certificates.
    The Renew/Replace SSL Server Certificate screen displays.
  4. Click Install.
    The SSL Server Certificate screen displays with boxes for the certificate and key.
Note

You can also get to this screen from the Device Management : Configuration : Network Configuration screen, by clicking the Web Services tab, clicking the Configure SSL Certificates link, and clicking the Install Certificate button.
  5. Open the certificate with a text editor and copy the entire text to the system clipboard.
Note

The certificate and the encryption key are text files, but their contents (Base64-encoded PEM blocks) are not human-readable.
  6. Paste the certificate text into the box labeled Paste the new certificate in PEM format (for Apache + mod_ssl) here.
  7. Open the encryption key file (new.key) in a text editor, and copy the entire text to your system clipboard.
  8. Paste the encryption key text in the box labeled Paste the corresponding cryptographic key in PEM format here.
  9. In the Enter password here box, type the password you created when you generated the Certificate Request.
  10. If you are using an intermediate certificate, paste that in the box labeled Optionally, put your intermediate certificate chain here (in the PEM format).
  11. To install the certificate on the FirePass controller, click the Go button.

The certificate is installed on the FirePass controller. You now need to configure a Web service to use the certificate. For details on configuring a Web service, see the online help for the Web Services tab of the Device Management : Configuration : Network Configuration screen.
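Before pasting a CA-signed certificate, its key and the intermediate chain into the Install screen, it is worth confirming that the three belong together and that the chain closes. The script below is an added example, not the handbook's or the controller's own code: it constructs a throwaway root CA and intermediate CA only so it can run offline, then runs the checks; the hostname firepass.example.com, the password and the CA names are assumed. The same key check applies when updating a renewed certificate, which must be installed with the original new.key.

```shell
#!/bin/sh
# Added example, not from the FirePass handbook. Checks to run on a CA-signed
# certificate, its key (new.key) and the intermediate chain before pasting them
# into the Install screen. The root and intermediate CA are constructed here only
# so the example runs offline; hostname, password and CA names are assumed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
HOST="firepass.example.com"
PASS="ExamplePassw0rd"    # the password given when the CSR was generated

# Constructed hierarchy: root CA -> intermediate CA -> server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$W/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$W/root.key" -out "$W/root.csr" 2>/dev/null
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 3650 \
  -extfile "$W/ca.ext" -out "$W/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$W/int.key" -out "$W/int.csr" 2>/dev/null
openssl x509 -req -in "$W/int.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -days 1825 -extfile "$W/ca.ext" -out "$W/int.crt" 2>/dev/null
# Server key encrypted with PASS (as new.key is) and the CSR the intermediate signs.
openssl req -new -newkey rsa:2048 -subj "/CN=$HOST" -keyout "$W/new.key" \
  -passout "pass:$PASS" -out "$W/newcert.csr" 2>/dev/null
openssl x509 -req -in "$W/newcert.csr" -CA "$W/int.crt" -CAkey "$W/int.key" \
  -CAcreateserial -days 365 -out "$W/newcert.crt" 2>/dev/null

# Check 1: the certificate must be for the key you are about to paste. Unlock the
# key with the password and compare its public half with the one in the cert.
cert_matches_key() {   # $1 cert, $2 key, $3 key password
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the chain must close, leaf -> intermediate(s) -> a trusted root.
# A missing intermediate is the usual cause of "issuer unknown" browser warnings.
chain_ok() {   # $1 cert, $2 intermediate bundle (may be empty), $3 trusted root
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

# Check 3: the Common Name must equal the controller's FQDN or browsers warn.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

CRT="$W/newcert.crt"; KEY="$W/new.key"; INT="$W/int.crt"; ROOT="$W/root.crt"
cert_matches_key "$CRT" "$KEY" "$PASS" && echo "new.key matches newcert.crt"
chain_ok "$CRT" "$INT" "$ROOT"          && echo "chain verifies with the intermediate"
chain_ok "$CRT" "" "$ROOT"              || echo "chain does NOT verify without the intermediate"
[ "$(cert_cn "$CRT")" = "$HOST" ]       && echo "CN matches $HOST"
```

In production, ROOT is the CA's published root as shipped in browser trust stores and INT is the intermediate bundle the CA sent with your certificate.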

Generating and installing a self-signed certificate

Self-signed certificates provide a limited level of security, but may be appropriate for your environment.

To generate a self-signed certificate

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, click Security and expand Certificates.
    The Renew/Replace SSL Server Certificate screen displays.
  4. Click Self-Sign.
    The SSL Server Certificate screen displays with the Generate New Self-Signed Certificate options.
Note

You can also get to this screen from the Device Management : Configuration : Network Configuration screen, by clicking the Web Services tab, clicking the Configure SSL Certificates link, and clicking the Self-Signed Certificate button.
  5. The SSL Server Certificate screen displays several boxes you need to fill out in order to generate a self-signed certificate:
    1. The Server Name defaults to the fully qualified domain name of the FirePass controller.
    2. In the Country Name box, type a 2-letter country code.
    3. In the State box, type the state or province where your organization is located.
    4. In the City box, type the city where your organization is located.
    5. In the Company box, type your organization name.
    6. In the Organizational Unit box, type the name or title of your organizational unit.
    7. In the Contact Email box, type your email address. (The CA uses this address for verification purposes.)
    8. From the Expiration list, select a time limit. The default time limit is one month. If you intend to use the self-signed certificate instead of a CA-signed certificate, select a time limit of two years or longer.
    9. In the Encryption Password box, type a password for the private key that will be generated. You need this password when you install the signed certificate.
    10. Click the Generate Certificate button to generate the self-signed certificate.
      The SSL Server Certificate screen displays with the values you entered.
  6. Click the here link to download the new certificate and encryption key to your local computer. When prompted, save the cert.zip file to your computer.
  7. The cert.zip file contains three files: README.html, newcert.crt, and newcert.key. The README.html file contains brief descriptions of the other two files. Use these files if you need to reinstall the self-signed certificate (for example, if you reset the FirePass controller).
  8. On the SSL Server Certificate screen, click the Save button to install the self-signed certificate on the FirePass controller.

You must configure a web service to use the new, self-signed certificate. For details, see the online help page for the Web Services tab of the Device Management : Configuration : Network Configuration screen.
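Generating a self-signed certificate with openssl, as an added example rather than code from the handbook or the controller: it uses the same subject boxes and a validity period as chosen from the Expiration list, then reports the columns the SSL Server Certificate screen shows (status, file name, common name, issuer, expiration), giving Fake for an expired certificate and Expiring when renewal is due within an assumed 30-day window. The hostname, subject values and password are assumed.

```shell
#!/bin/sh
# Added example, not from the FirePass handbook. Generates a self-signed
# certificate the way the Self-Sign screen does (subject boxes, Expiration list,
# password-protected key) and reports the fields the SSL Server Certificate
# screen shows. Hostname, subject values, password and the renewal window are assumed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
PASS="ExamplePassw0rd"    # the Encryption Password for the private key
RENEW_WINDOW_DAYS=30      # assumed lead time for getting a replacement installed

# $1 = base file name, $2 = validity in days (the Expiration list: one month by
# default; two years or more if this replaces a CA-signed certificate).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days "$2" \
    -keyout "$W/$1.key" -passout "pass:$PASS" -out "$W/$1.crt" \
    -subj "/C=US/ST=Washington/L=Seattle/O=Example Co/OU=IT/CN=firepass.example.com/emailAddress=admin@example.com" \
    2>/dev/null
}

# $1 = cert, $2 = subject | issuer | enddate; strips the "field=" prefix.
cert_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[^=]*= *//'
}

# Common Name out of an RFC 2253 subject or issuer string.
cn_of() { tr ',' '\n' | sed -n 's/^CN=//p'; }

# Fake     : already expired (the status the screen shows for an expired cert)
# Expiring : still valid but inside the renewal window, so update it now
# Valid    : more than RENEW_WINDOW_DAYS of validity left
cert_status() {
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo Fake
  elif openssl x509 -in "$1" -noout -checkend $((RENEW_WINDOW_DAYS * 86400)) >/dev/null 2>&1; then
    echo Valid
  else
    echo Expiring
  fi
}

# One line per certificate, modelled on the screen's columns.
cert_report() {
  printf '%-8s %-15s CN=%s  issuer=%s  expires=%s\n' \
    "$(cert_status "$1")" "$(basename "$1")" \
    "$(cert_field "$1" subject | cn_of)" \
    "$(cert_field "$1" issuer | cn_of)" \
    "$(cert_field "$1" enddate)"
}

make_self_signed longlived 730    # two years, as the handbook recommends
make_self_signed shortlived 10    # already inside the renewal window
cert_report "$W/longlived.crt"
cert_report "$W/shortlived.crt"
```

Because the issuer of a self-signed certificate is the subject itself, the issuer column is the quickest way to tell it apart from a CA-signed one in the list.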

Installing a self-signed certificate on client computers

Client browsers do not recognize a self-signed certificate unless you install it on the browsers. To eliminate browser warning messages when using a self-signed certificate, install the certificate on each client browser. You can pre-install the certificate on each browser, or have each user install the certificate when the browser displays a warning.

To install a certificate on a client computer

  1. Click the View Certificate button on the browser warning.
    Most browsers display a warning that includes an option to view the certificate.
  2. Follow the prompts to install a certificate on the local browser.

For details on installing a signed certificate on a client browser, see the documentation for the browser.

Updating installed certificates

Use the FirePass controller Administrative Console to update a CA-signed certificate that is about to expire. The issuing CA warns you when a certificate it signed is about to expire, and you have the option of renewing it. Update the expiring certificate with the new certificate the CA sends. You also need the encryption key that was created when you first generated the Certificate Signing Request.

Note

If you update an existing CA-signed certificate, you avoid needing to reconfigure the web services that are using that certificate. If you install a new certificate, you need to configure the web services to use that certificate.

To update an installed certificate

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, expand Configuration and click Network Configuration.
    The Network Configuration screen displays, with the IP Config tab selected.
Note

The Network Configuration screen may display with the Finalize tab selected. If it does, this means there are configuration changes that you have not yet finalized. For more information on finalizing configuration changes, see the online help.
  5. Click the Web Services tab.
    The Web Server Configuration screen displays.
  6. Click the Configure SSL Certificates link.
    The SSL Server Certificate screen displays all the server certificates that are installed on the FirePass controller.
  7. To edit an installed certificate, click Edit in the right column.
    The SSL Server Certificate screen displays details of the certificate you selected.
  8. Copy the new CA-signed certificate and paste it into the Paste the new certificate in the PEM format (for Apache + mod_ssl) here box.
  9. Copy the encryption key (from new.key in the CertRequest.zip file you saved when you generated the original Certificate Request) and paste it in the Paste the corresponding cryptographic key in PEM format here box.
  10. In the Enter password here box, type the password you created when you generated the original Certificate Request.
  11. To update the CA-signed certificate, click Go.

Deleting installed certificates

You may need to delete an installed server certificate, if you have been using a self-signed certificate while waiting for a CA-signed certificate to be issued, or if your certificate has expired.

To delete an installed certificate

  1. Connect to the FirePass controller Administrative Console using a web browser.
  2. Log in as an administrator. (Type the administrator name in the Username box, the administrator password in the Password box, and click Go.)
    The Device Management : Welcome screen displays.
  3. On the navigation pane, expand Configuration and click Network Configuration.
    The Network Configuration screen displays, with the IP Config tab selected.
Note

The Network Configuration screen may display with the Finalize tab selected. If it does, this means that you have made configuration changes that you have not yet finalized. For more information on finalizing configuration changes, see the online help.
  5. Click the Web Services tab.
    The Web Server Configuration screen displays.
  6. Click the Configure SSL Certificates link.
    The SSL Server Certificate screen displays.
  7. The SSL Server Certificate screen lists all the server certificates that are installed on the FirePass controller.
Note

If you have not installed any certificates, the SSL Server Certificate screen only lists the default, internal certificate for firepass.company.xyz. You cannot delete the default FirePass certificate.
  8. Select the box to the left of the certificate you want to delete, and click the Delete Selected button. To delete more than one certificate at a time, select all the certificates you want to delete, then click the Delete Selected button.
