Manual Chapter: FirePass® Controller version 5.5 Administrator Guide: Using Server Certificates


4 Using Server Certificates


Understanding SSL server certificates

The SSL (Secure Sockets Layer) protocol uses a certificate to establish a secure connection. A valid SSL server certificate, also known as a security certificate, is necessary for establishing secure HTTPS connections. An SSL server certificate identifies your server to any connecting client browser. The certificate contains information identifying the server and the organization it was issued to, as well as an expiration date. Most browsers that support SSL connections have internal lists of Certificate Authorities (CAs), and automatically accept certificates issued by these organizations. If the certificate cannot be validated, some browsers display security warnings; other browsers, notably those found on wireless devices such as PDAs or smart phones, might refuse the connection.

Note

When a signed certificate expires and you do not plan to update it, you should delete it from the FirePass controller. For information on how to delete a certificate, see Deleting installed certificates.

Using server certificates on the FirePass controller

When a user connects to the FirePass controller, the FirePass controller presents a server certificate to the client browser. The browser validates the certificate based on its internal list of trusted certificates from CAs, and, if it finds a match, allows the connection. The browser displays a warning if:

  • There is no corresponding CA certificate to validate against.
  • The name of the server certificate does not match the name of the server (the FirePass controller) in the URL.
  • The certificate is expired.

The FirePass controller includes a preconfigured, default SSL server certificate for firepass.company.xyz. You can use this certificate while configuring and testing a FirePass controller, but the certificate is not unique, and the certificate's server name will not match the name you give to the FirePass controller, so anyone connecting to the FirePass controller sees warning messages from their web browser.

Important

Before you make the FirePass controller available to external users, you should replace the default server certificate with a permanent certificate that is appropriate for your environment.

Using Certificate Authority-signed SSL server certificates

Most organizations should purchase and install a server certificate signed by a known, trusted CA. A CA-signed certificate provides a high level of trust by verifying that the server is actually what it claims to be. Most web browsers automatically recognize server certificates issued by known, trusted CAs, and FirePass controller users can log on without seeing warning or error messages.

To obtain a trusted server certificate, submit a Certificate Signing Request (CSR) to a trusted CA such as Thawte or Verisign. The CA verifies your organization's identity before issuing a signed certificate.

You can generate a CSR from the FirePass controller Administrative Console. For more information, see Generating a Certificate Signing Request or self-signed certificate.

Using self-signed SSL server certificates

An alternative to a CA-signed server certificate is a self-signed certificate. A self-signed server certificate is a digital certificate signed by its owner. The self-signed certificate that the FirePass controller generates provides a greater level of trust than the default certificate, but it is not as secure as a CA-signed certificate.

Note

All production-level FirePass controllers should have a server certificate signed by a known, trusted CA.

A self-signed certificate is not automatically recognized by client browsers, so users connecting to a FirePass controller that has a self-signed certificate installed may see warnings posted by the browser. The user can add the certificate to the browser's accepted list to eliminate the warnings. For details on self-signed certificates, see Generating a Certificate Signing Request or self-signed certificate.

A CA-signed server certificate provides the highest level of trust, but a self-signed certificate may provide an acceptable level of trust for some production environments. A self-signed certificate has not been validated by a trusted organization, but it is unique (the default FirePass controller server certificate is not).

Managing certificates on the FirePass controller

A pre-installed, default server certificate (for firepass.company.xyz) is included on each FirePass controller. This certificate is intended only for testing and initial configuration. It should not be used for any other purpose. Before you make secure connections using the FirePass controller, you should install at least one signed SSL server certificate.

You manage server certificates using the options on the Device Management : Security : Certificates screen, which let you:

  • Display and review information about installed certificates
  • Generate Certificate Signing Requests (CSRs) to submit to trusted Certificate Authorities
  • Install server certificates issued by known, trusted CAs
  • Generate and install self-signed server certificates
  • Update installed certificates
  • Delete installed certificates
  • Configure certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP)

Displaying information on installed certificates

You can determine what server certificates the FirePass controller has installed, and view basic information about each certificate. The SSL Server Certificate screen displays the following information:

  • Status of the certificate: Valid or Fake (a status of Fake means the certificate is invalid or has expired)
  • Names of the certificate and encryption key files
  • Common name on the certificate
  • The issuer of the certificate
  • The certificate's expiration date

To access the server certificates information

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen opens.
  2. Click the Web Services tab.
    The Web Server Configuration screen opens.
  3. Click the Configure SSL Certificates link.
    The SSL Server Certificate screen opens.
  4. The SSL Server Certificate screen lists all the server certificates that you have installed on the FirePass controller. If you have not installed any certificates, the screen lists only the default certificate for firepass.company.xyz.

Generating a Certificate Signing Request or self-signed certificate

To install a server certificate, you first send a Certificate Signing Request (CSR) to a trusted CA or create a self-signed certificate on the FirePass controller. The FirePass controller provides functionality that automates the process of getting a CA-signed certificate. When the CSR is generated, you can save it, and submit it to a trusted CA. The CA verifies the identity of the FirePass controller and sends you a signed digital certificate.

A self-signed certificate does not need to be sent to a CA. The following procedure covers both generating a CSR and generating a self-signed certificate; you can do either or both.

To generate a certificate request or a self-signed certificate

  1. In the navigation pane, click Device Management, expand Security, and click Certificates.
    The Certificates screen opens.
  2. In the Renew/Replace SSL Server Certificate section, click Generate to generate a CSR, or click Self-Sign to generate a self-signed certificate.
    The SSL Server Certificate screen opens, containing the Generate New Certificate Request or Generate New Self-Signed Certificate options, depending on what you clicked.
  3. In the Server Name box, type the fully qualified domain name (FQDN) of the FirePass controller.
    The following characters are not accepted in any certificate request field: < > ~ ! @ # $ % ^ * / \ ( ) ? . , &
  4. Note: Make sure the name you specify matches the host name that users will use to access the web service that uses this certificate.
  5. In the Country Name box, type the two-letter country code, US for the United States of America, JP for Japan, and so on.
  6. In the State box, type the state or province in which your organization is located.
  7. In the City box, type the city in which your organization is located.
  8. In the Company box, type your organization name.
  9. In the Organizational Unit box, type the name or title of your organizational unit.
  10. In the Contact Email box, type your email address.
    The CA uses this address for verification purposes, and for notification at certificate-renewal time. If this is your first certificate request, the CA may require additional information to verify your identity and the validity of the data.
  11. If you are generating a self-signed certificate, select an interval from the Expiration list.
    The default time limit is 1 month. If you plan to use the self-signed certificate instead of a CA-signed certificate, select a time limit of two years or longer.
  12. If you are generating a CSR, the CA specifies the time interval during which the signed certificate is valid, based on the time interval purchased.
  13. In the Encryption Password and Confirm Password boxes, type the password for the FirePass controller to use to encrypt the generated private key. The password must be at least four characters long.
  14. Note: Make a note of the password you specify; you will need this password when you install the signed certificate.
  15. Click the Generate Request button to generate a CSR, or click the Generate Certificate button to generate a self-signed certificate.
    The SSL Server Certificate screen opens, with a message saying your CSR or self-signed certificate has been generated.
  16. Note: If you skipped or mis-typed any required value, the screen displays an error message when you click the generate button. Correct the problem and click the appropriate generate button again.
  17. Review the information for accuracy.
  18. Click the here link to download the CSR or self-signed certificate to your local hard drive.
    To avoid certificate warnings, users can add this self-signed certificate to their browser's list of acceptable certificates.
  19. When prompted, download the CertRequest.zip or Cert.zip file to your computer.
    The .zip file contains three files, which differ depending on what you generated.

Important

The FirePass controller does not save the CSR. You need to click the here link to download the .zip file to a safe location.

Submitting the CSR

For CSRs, the CertRequest.zip file contains the following files:

  • README.html
    Contains instructions for submitting the CSR to a known CA. You can view this file using any browser.
  • newcert.csr
    Contains the content for the CSR.
  • new.key
    Contains the private key that corresponds to the certificate (encrypted with the password you specified). Keep this file in a safe place. You need it when you install your CA-signed certificate.

Submit your CSR to a known, trusted CA. Typically, certificate vendors provide a web form in which you can paste the contents of the CSR file. Alternatively, you can submit your CSR as an email attachment. If the vendor requests a certificate type, specify mod_ssl (Apache). As part of the verification process, the CA might contact you to verify details you submitted in the CSR.

Understanding the files generated for the self-signed certificate

For self-signed certificates, the cert.zip file contains the following files:

  • README.html
    Describes the contents of the newcert.crt and newcert.key files.
  • newcert.crt
    Contains your newly generated self-signed SSL server certificate.
  • newcert.key
    Contains the private key that corresponds to the certificate (encrypted with the password you specified).

Self-signed certificates are automatically available for use on the FirePass controller once the certificate has been generated and saved. Self-signed certificates do not require installation.
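The Generate and Self-Sign buttons described in the procedure above, and the files listed for CertRequest.zip and cert.zip, correspond to operations the openssl command line exposes directly. The following is an added example, not FirePass code: it produces a CSR with a password-encrypted key and a two-year self-signed certificate, then reads back the fields the SSL Server Certificate screen shows. The server name, subject fields, password and output directory are constructed values.

```shell
#!/bin/sh
# Added example, not FirePass code: reproduce with the openssl CLI what the
# Generate (CSR) and Self-Sign buttons produce, then read back the fields the
# SSL Server Certificate screen shows. Server name, subject fields, password
# and output directory are all constructed values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="firepass.example.com"          # step 3: constructed server name
PASS="chang3me"                      # step 13: constructed encryption password
SUBJ="/C=US/ST=Washington/L=Seattle/O=Example Corp/OU=IT/CN=$FQDN/emailAddress=admin@example.com"

# "Generate": a CSR plus a password-encrypted private key, the newcert.csr
# and new.key pair found in CertRequest.zip.
gen_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -subj "$SUBJ" \
    -keyout "$WORK/new.key" -passout "pass:$PASS" -out "$WORK/newcert.csr" 2>/dev/null
}

# "Self-Sign": newcert.crt and newcert.key, valid for the interval of step 11
# (two years here, rather than the one-month default).
gen_selfsigned() {
  openssl req -x509 -new -newkey rsa:2048 -sha256 -days "${1:-730}" -subj "$SUBJ" \
    -keyout "$WORK/newcert.key" -passout "pass:$PASS" -out "$WORK/newcert.crt" 2>/dev/null
}

# Common name, as shown in the screen's "Common name" column.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Status column: "Valid" if the certificate is still good $2 seconds from now
# (default: right now), otherwise "Fake", the value the screen shows for an
# expired or invalid certificate.
cert_status() {
  if openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; then
    echo Valid
  else
    echo Fake
  fi
}

# The browser-side check behind the second warning condition: the host name
# in the URL must equal the certificate's common name.
name_matches() { [ "$(cert_cn "$1")" = "$2" ]; }

# Step 14: the encrypted key opens only with the password you wrote down,
# which the Install screen asks for again.
key_unlocks() { openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

gen_csr
gen_selfsigned 730
openssl req -in "$WORK/newcert.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature OK
echo "Common name: $(cert_cn "$WORK/newcert.crt")"
echo "Issuer:      $(openssl x509 -in "$WORK/newcert.crt" -noout -issuer)"
echo "Expires:     $(openssl x509 -in "$WORK/newcert.crt" -noout -enddate)"
echo "Status:      $(cert_status "$WORK/newcert.crt")"
```

Checking the two-year certificate three years ahead returns Fake, which is the status the screen shows once a certificate has expired.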

Installing a server certificate

Install a signed server certificate on the FirePass controller before you allow any user to log on. You can install any of the following types of certificates.

  • A CA-signed certificate
    If you install a CA-signed certificate, users should not see warning messages from their browsers.
  • A self-signed certificate
    If you install a self-signed certificate, users might see warning messages from their browsers unless you also install the self-signed certificate in the browser's certificate store on the user computers. Self-signed certificates provide a limited level of security, but may be appropriate for a pre-production environment, for example. For information on installing a self-signed certificate on user browsers, see Installing a self-signed certificate on client computers.
  • An intermediate certificate
    If you are using a CA-signed intermediate certificate (also known as a chaining certificate), install the intermediate certificate when you install your signed certificate.

You need the encryption key associated with the certificate, as well as the encryption password. If you generated the CSR on the FirePass controller, the key (new.key) is in the CertRequest.zip file that you saved.

To install a server certificate

  1. In the navigation pane, click Device Management, expand Security, and click Certificates.
    The Certificates screen opens.
  2. Click Install.
    The SSL Server Certificate screen opens.
  3. Open the certificate file using a text editor, and copy the entire content of the file to the system clipboard.
    If you are installing a self-signed certificate, this is the newcert.crt file.
  4. Paste the certificate text into the box labeled Paste the new certificate in PEM format (for Apache + mod_ssl) here.
  5. Open the encryption key file (newcert.key) in a text editor, and copy its entire contents to your system clipboard.
  6. Paste the encryption key text in the box labeled Paste the corresponding cryptographic key in PEM format here.
  7. In the Enter password here box, type the password you used when you generated the CSR or self-signed certificate.
  8. If you are using an intermediate certificate, paste that in the box labeled Optionally, put your intermediate certificate chain here (in the PEM format).
  9. To complete the installation process, click the Go button.

Note

If the FirePass controller is configured with FIPS 140 encryption hardware, the certificates and private keys are automatically stored in the FIPS hardware. You do not need to perform any additional steps when installing certificates on FirePass controllers equipped with FIPS hardware.

The certificate is installed on the FirePass controller. You must now configure a Web service to use the certificate. For details on configuring a web service, see the online help for the Web Services tab of the Device Management : Configuration : Network Configuration screen.
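Before pasting the three PEM blocks into the Install screen (steps 4, 6 and 8 above), it is worth confirming that the certificate, the encrypted key and the intermediate chain actually belong together. The following is an added example, not FirePass code: it builds a constructed root, intermediate and server chain with openssl and then runs those checks; every name, file and password in it is constructed.

```shell
#!/bin/sh
# Added example, not FirePass code: build a constructed root -> intermediate ->
# server chain with the openssl CLI, then run the checks worth doing before
# pasting the PEM text into the Install screen: the key opens with the noted
# password and belongs to the certificate, and the chain closes at a trusted
# root only when the intermediate is supplied. All names and files are
# constructed; the work directory is a temporary one.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="chang3me"                      # constructed encryption password
cd "$WORK"

# Extensions that make a certificate a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Constructed root CA, standing in for a public CA.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/O=Constructed CA/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
  -out root.crt 2>/dev/null

# Intermediate CA (the "chaining certificate" of step 8), signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key -out intermediate.csr \
  -subj "/O=Constructed CA/CN=Constructed Issuing CA" 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out intermediate.crt 2>/dev/null

# Server CSR with a password-encrypted key (what Generate produces), then the
# certificate the CA returns, signed by the intermediate rather than the root.
openssl req -new -newkey rsa:2048 -keyout new.key -passout "pass:$PASS" -out newcert.csr \
  -subj "/O=Example Corp/CN=firepass.example.com" 2>/dev/null
openssl x509 -req -in newcert.csr -CA intermediate.crt -CAkey intermediate.key \
  -CAcreateserial -days 365 -out server.crt 2>/dev/null

# Steps 4, 6 and 7: the key must open with the password and carry the same
# public key as the certificate being installed.
key_matches_cert() {   # $1 certificate, $2 encrypted key, $3 password
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ]
}

# Step 8: with the intermediate supplied the chain closes at a trusted root;
# without it browsers cannot build the chain and show the first warning.
chain_verifies() {     # $1 server certificate, $2 trusted root, $3 intermediate or ""
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

key_matches_cert server.crt new.key "$PASS" && echo "new.key matches server.crt"
chain_verifies server.crt root.crt intermediate.crt && echo "chain OK with intermediate"
chain_verifies server.crt root.crt "" || echo "chain FAILS without intermediate: paste it in step 8"
```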

Associating an SSL server certificate with a web service

After you have installed the CA-signed or self-signed certificate, you associate it with a web service.

To associate an SSL server certificate with a web service

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen opens.
  2. Click the Web Services tab.
    The Web Server Configuration screen opens.
  3. In the Web Server Configuration table, click the Configure link for a service that has SSL enabled.
    The web services that are SSL-enabled contain the text SSL in the Use SSL column of the table.
  4. From the Certificate list, select your newly installed certificate and key.
  5. Note: You can view details about each certificate on the SSL Server Certificate screen. To access the screen, from the Web Services screen, click the Configure SSL Certificates link.
  6. Click Update.
  7. When you are finished, click the Finalize tab at the top of the page and follow the instructions to put the changes into effect.

Installing a self-signed certificate on client computers

Client browsers do not recognize a self-signed certificate unless you install it in the browser's certificate store.

For example, when a user uses Internet Explorer to connect to a FirePass controller that is using a self-signed certificate, the browser presents a security alert that states that the certificate was issued by a company you have not chosen to trust. To eliminate browser warning messages when using a self-signed certificate, install the certificate on each client browser.

You can pre-install the certificate on each browser, or you can have each user install the certificate when the browser displays a warning.

To install a self-signed certificate in the Internet Explorer browser store

  1. Connect to the FirePass controller using the URL associated with the certificate.
    A warning should appear.
  2. Click the View Certificate button on the browser warning.
    Most browsers display a warning that includes an option to view the certificate.
  3. Follow the prompts to install a certificate on the local browser.

For details on installing a signed certificate on other browsers, see the browser's documentation.

Updating installed server certificates

It is important to keep your server certificate valid by renewing it as necessary, usually every year. You can use the FirePass controller Administrative Console to update a CA-signed certificate that is going to expire. The issuing CA warns you when a certificate that they signed is about to expire, and you have the option of renewing it.

You can check the expiration date of the server certificate on the Device SSL Certificates screen. For steps that show you how to access the SSL Certificates screen, see the following procedure.

When you update the expiring certificate with the new certificate that the CA sends, you will also need the encryption key that was created when you first generated the CSR.

Note

If you update an existing CA-signed certificate, you do not need to reconfigure the web services that are using that certificate. If you install a new certificate, you must configure the web services to use that certificate.

To update an installed certificate

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen opens.
  2. Click the Web Services tab.
    The Web Server Configuration screen opens.
  3. Click the Configure SSL Certificates link.
    The SSL Server Certificate screen opens.
  4. Click the Edit link in the right column of the certificate you want to update.
    The SSL Server Certificate screen opens, displaying details of the certificate you selected.
  5. Copy the new CA-signed certificate, and paste it into the Paste the new certificate in the PEM format (for Apache + mod_ssl) here box.
  6. Copy the encryption key (from newcert.key in the CertRequest.zip file you saved when you generated the original CSR) and paste it in the Paste the corresponding cryptographic key in PEM format here box.
  7. In the Enter password here box, type the password you created when you generated the original CSR.
  8. To update the CA-signed certificate, click the Go button.

Deleting installed certificates

You may need to delete an installed server certificate, for example, if you have been using a self-signed certificate while waiting for a CA-signed certificate to be issued.

To delete an installed certificate

  1. In the navigation pane, click Device Management, expand Configuration, and click Network Configuration.
    The IP Configuration screen opens.
  2. Click the Web Services tab.
    The Web Server Configuration screen opens.
  3. Click the Configure SSL Certificates link.
    The SSL Server Certificate screen opens.
  4. Note: If you have not installed any certificates, the SSL Server Certificate screen only lists the default, internal certificate for firepass.company.xyz. You cannot delete the default FirePass certificate.
  5. Check the box to the left of one or more certificates, and click the Delete Selected button.
  6. When you are finished, click the Finalize tab at the top of the screen, and follow the instructions to put the changes into effect.

Installing and configuring client root certificates

You can use one of the following methods to install a client root certificate and issue client certificates to users.

  • If your company already has a PKI (Public Key Infrastructure) in place for deploying client certificates to users, you can leverage it for use with the FirePass controller. To do so, complete these tasks:
    • Install on the FirePass controller the client root certificate only (no private key) from your PKI server, along with a certificate revocation list (CRL).
    • Enable the client certificate two-factor authentication, passwordless authentication, policy checking, or dynamic group mapping functions.
    • The FirePass controller then uses your existing PKI for deploying client certificates to users.

  • If your company does not have a PKI in place, you can use the FirePass controller's built-in client certificate PKI capabilities. The FirePass controller can generate a self-signed client root CA certificate, generate and issue client certificates for users, and manage an internal CRL. After generating a self-signed client root CA certificate, you can generate and email or download PKCS#12 certificate packages for individual users (on the Users : User Management screen, by editing each user's details). You then distribute the PKCS#12 client certificate packages to users, who double-click them to install them on their client computers.
  • If your company does not have a PKI in place, but has purchased or generated an appropriate root CA certificate for issuing client certificates, you can install it on the FirePass controller (including the private key), and the FirePass controller can perform the same functions as those described for the self-signed client root CA certificate.

Note

Use of smart card-based security solutions is fully supported with the FirePass controller. With these solutions, a client certificate is made available to the user's web browser, and this certificate is then provided to the FirePass controller as part of the initial SSL session negotiation. You must install on the FirePass controller the issuing client root certificate that corresponds to the client certificate on the user's smart card.

Using CRLs and OCSP

A certificate revocation list (CRL) is a list of revoked certificates. The CRL describes the reason each certificate was revoked, and provides the certificate's issue date and originator. The list also notes when its next update is due.

When a user with a revoked client certificate attempts to log on to the FirePass controller, the FirePass controller allows or denies access based on the user's CRL entry.

A CRL is one of two common methods for maintaining valid, certificate-based access to servers in a network. The other method is Online Certificate Status Protocol (OCSP), which has superseded CRLs in some instances. The main limitation of a CRL is that it must be downloaded frequently to stay current. OCSP, on the other hand, checks certificate status in real time. You can read more about OCSP in Using OCSP to validate client certificates.

On the Device Management : Security : Certificates screen, you can configure the FirePass controller to periodically retrieve CRLs from specified URLs using HTTP or HTTPS.

Note

You should not configure CRL updates if you are using the FirePass controller to generate and issue client certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate from a trusted CA). In this case the FirePass controller manages CRLs internally.

On the FirePass controller, you must specify CRLs in PEM format, beginning with '-----BEGIN X509 CRL-----' and ending with '-----END X509 CRL-----'.
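The CRL properties described above (the revocation entries, the next-update time, and the PEM armor the controller requires) can all be exercised with a constructed CA. The following is an added example, not FirePass code: a constructed client root CA issues two client certificates, revokes one, publishes a PEM CRL, and then the script checks the armor, reads the next update, and shows the allow/deny decision for each client. All user names, files and the CA itself are constructed.

```shell
#!/bin/sh
# Added example, not FirePass code: a constructed client-certificate CA issues
# two client certificates, revokes one and publishes a PEM CRL; then the checks
# to run on a CRL before pointing the controller at its URL: the PEM armor,
# the next-update time, and the verdict for a revoked versus a still-valid
# client certificate. All names, users and files are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Constructed client root CA (stands in for the PKI server's root).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout root.key -out root.crt -subj "/O=Example Corp/CN=Example Client CA" 2>/dev/null

# Minimal "openssl ca" setup: index.txt is the CA's revocation database.
printf '[ca]\ndefault_ca=x\n[x]\ndatabase=index.txt\ncrlnumber=crlnumber\ndefault_md=sha256\n' > ca.cnf
: > index.txt
echo 1000 > crlnumber

# Issue a client certificate for a (constructed) user: $1.key, $1.csr, $1.crt.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Example Corp/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -out "$1.crt" 2>/dev/null
}

# Revoke one certificate and publish a fresh CRL whose next update is 7 days out.
revoke_and_publish() {
  openssl ca -config ca.cnf -cert root.crt -keyfile root.key -revoke "$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -cert root.crt -keyfile root.key -gencrl -crldays 7 \
    -out crl.pem >/dev/null 2>&1
}

# The controller accepts only PEM CRLs with exactly these first and last lines.
crl_is_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN X509 CRL-----$' &&
    tail -n 1 "$1" | grep -q '^-----END X509 CRL-----$'
}

# The CRL's own nextUpdate; once that time passes the list is stale and must
# be fetched again, which is why periodic retrieval is configured.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }

# The access decision for a presenting client certificate: 0 allow, else deny.
client_allowed() {
  openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem "$1" >/dev/null 2>&1
}

issue_client alice
issue_client bob
revoke_and_publish bob.crt
crl_is_pem crl.pem && echo "crl.pem is PEM-armored"
echo "next update: $(crl_next_update crl.pem)"
client_allowed alice.crt && echo "alice: allowed"
client_allowed bob.crt || echo "bob: denied (revoked)"
```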

Using OCSP to validate client certificates

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation status of a certificate. OCSP provides more timely revocation information than is possible using CRLs, and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of that certificate until the responder provides a response.

The FirePass controller supports OCSP validation of client certificates. For a step-by-step procedure, see the online help for the Device Management : Security : Certificates screen.

Note

Do not use Client Certificate OCSP if you are using the FirePass controller to generate and issue client certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate issued by a trusted CA). In this case, the FirePass controller manages CRLs internally.
