Digital Certificates and Firebox SSL VPN Gateway Operation
110 Firebox SSL VPN Gateway
• Install a PEM certificate and private key from a Windows computer. This method uploads a signed certificate and private key together. The certificate is signed by a CA and is paired with the private key.
Digital Certificates and Firebox SSL VPN Gateway Operation
The Firebox SSL VPN Gateway uses digital certificates to encrypt and authenticate traffic over a connection. If the digital certificate installed on the Firebox SSL VPN Gateway is not signed by a Certificate Authority, the traffic is encrypted but not authenticated: the client has no trusted third party that vouches for the certificate belonging to the gateway. A digital certificate must be signed by a Certificate Authority to also authenticate the traffic.
When traffic over a connection is not authenticated, the connection can be compromised through a “man in the middle” attack. In such an attack, a third party intercepts the public key sent by the Firebox SSL VPN Gateway to the Secure Access Client and uses it to impersonate the Firebox SSL VPN Gateway. As a result, the user unknowingly sends authentication credentials to the attacker, who could then connect to the Firebox SSL VPN Gateway. A certificate that is signed by a Certificate Authority prevents such attacks.
If the certificate installed on the Firebox SSL VPN Gateway is not signed by a Certificate Authority, Secure Access users see a security alert when attempting to log on.
Secure Access users see security warnings unless you install a certificate that is signed by a Certificate Authority on the Firebox SSL VPN Gateway and a corresponding certificate on users’ computers. Users can also disable the Security Alert through the Secure Access Connection Properties dialog box.
Overview of the Certificate Signing Request
Before you can upload a certificate to the Firebox SSL VPN Gateway, you need to generate a Certificate Signing Request (CSR) and private key. The CSR is created using the Certificate Request Generator included in the Administration Tool. The Certificate Request Generator is a wizard that creates a .csr file. After the file is created, you email it to the Certificate Authority for signing. The Certificate Authority signs the certificate and returns it to you at the email address you provided. When you receive it, you can install it on the Firebox SSL VPN Gateway.
To provide secure communications using SSL/TLS, a server certificate is required on the Firebox SSL VPN Gateway. The steps required to obtain and install a server certificate on the Firebox SSL VPN Gateway are as follows:
• Generate a CSR (myreq.csr) and private key (private.key) using the Certificate Request Generator as described in “Creating a Certificate Signing Request”.
• Email the myreq.csr file to an authorized certificate provider.
• When you receive the signed certificate file from your Certificate Authority, upload the certificate using the Administration Tool. The Administration Tool automatically converts the certificate to the PEM format, which is required by the Access Gateway.
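The same CSR, private-key and signed-certificate workflow reproduced with OpenSSL, as an added example that is not part of the guide or of the Certificate Request Generator: it generates a password-protected key and CSR, stands in for the Certificate Authority with a constructed local test CA, and then runs the checks an administrator wants before uploading (CSR signature, key/certificate pairing, chain validation with and without the CA, and the DER-to-PEM conversion the Administration Tool performs). File names, the subject names and the password are assumptions.

```shell
#!/bin/sh
# Added example, not the product's own code. Names below (myreq.csr, private.key,
# gateway.crt, "Example Test CA") and the password are constructed for the demo.
set -e
WORK=$(mktemp -d)
PASS="changeit-example"   # constructed password protecting the private key

# 1. Password-protected private key and CSR (what the Certificate Request Generator produces).
make_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass pass:"$PASS" -out "$WORK/private.key" 2>/dev/null
  openssl req -new -key "$WORK/private.key" -passin pass:"$PASS" \
    -subj "/CN=vpn.example.com/O=Example Corp" -out "$WORK/myreq.csr"
}

# 2. Stand-in for the Certificate Authority: a constructed local test CA signs the CSR.
#    In production the real CA returns gateway.crt by email.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/myreq.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/gateway.crt" 2>/dev/null
}

# 3. Checks to run before uploading to the gateway.
# The CSR's self-signature must verify (it was not altered in transit).
csr_signature_ok() { openssl req -in "$WORK/myreq.csr" -noout -verify >/dev/null 2>&1; }

# The public key inside the returned certificate must be the one from private.key.
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/gateway.crt" -noout -pubkey)
  b=$(openssl pkey -in "$WORK/private.key" -passin pass:"$PASS" -pubout)
  [ "$a" = "$b" ]
}

# Chain validation succeeds only with a trusted issuer; without it the client sees
# exactly the "not signed by a Certificate Authority" situation described above.
chain_ok()        { openssl verify -CAfile "$WORK/ca.crt" "$WORK/gateway.crt" >/dev/null 2>&1; }
chain_untrusted() { ! openssl verify "$WORK/gateway.crt" >/dev/null 2>&1; }

# DER -> PEM conversion (what the Administration Tool does automatically); the
# SHA-256 fingerprint proves both encodings carry the same certificate.
der_to_pem_roundtrip() {
  openssl x509 -in "$WORK/gateway.crt" -outform DER -out "$WORK/gateway.der"
  openssl x509 -in "$WORK/gateway.der" -inform DER -out "$WORK/gateway.pem"
  f1=$(openssl x509 -in "$WORK/gateway.crt" -noout -fingerprint -sha256)
  f2=$(openssl x509 -in "$WORK/gateway.pem" -noout -fingerprint -sha256)
  [ "$f1" = "$f2" ]
}

make_csr && sign_with_test_ca   # files are left in $WORK for inspection
```

Running the script and then the check functions in the same shell returns success for every check except chain_untrusted's inner verify, which is expected to fail because the test CA is not in the system trust store.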
Password-Protected Private Keys
Private keys that are generated with the Certificate Signing Request are stored in an encrypted and password-protected format on the Firebox SSL VPN Gateway. When creating the Certificate Signing Request, you are asked to provide a password for the private key. The password is used to protect the