SonicWALL Internet Security Appliances Network Router User Manual


 
SonicWALL VPN Page 217
Overview of Third Party Digital Certificate Support
X.509 Version 3 Certificate Standard
X.509 v3 certificate standard is a specification to be used with cryptographic certificates and allows
you to define extensions which you can include with your certificate. SonicWALL has implemented
this standard in its third party certificate support. You can use a certificate signed and verified by a
third party CA to use with a VPN SA.
A typical certificate consists of two sections: a data section and a signature section. The data section
typically contains information such as the version of X.509 supported by the certificate, a certificate
serial number, information, information about the user’s public key, the Distinguished Name (DN),
validation period for the certificate, optional information such as the target use of the certificate.
The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital
signature.
To implement the use of certificates for VPN SAs, you must locate a source for a valid CA certificate
from a third party CA service. Once you have a valid CA certificate, you can import it into the
SonicWALL to validate your Local Certificates.
Importing CA Certificates into the SonicWALL
After your CA service has validated your CA Certificate, you can import it into the SonicWALL and use
it to validate Local Certificates for VPN Security Associations. To import your CA Certificate into the
SonicWALL, use the following steps:
1. Click VPN, then CA Certificates.
2. Click Browse, and locate the PKCS#7 or DER encoded file sent by the CA service.
3. Click Open to set the directory path to the certificate, and then click Import to import the
certificate into the SonicWALL. Once it is imported, you can view the Certificate Details.
Certificate Details
The Certificate Details section lists the following information:
Certificate Authority
Subject Distinguished Name
Certificate Issuer
Certificate Serial Number
Expiration Date
No CRL loaded/CRL Expires on
The Certificate Issuer, Certificate Serial Number, and the Expiration Date are generated by the CA
service. The information is used when a Generate Certificate Signing Request is created and sent
to your CA service for validation.
To delete the certificate, click Delete This Certificate. You can delete a certificate if it has expired or
if you decide not to use Third Party Certificates for VPN authentication. Click Export This CA
Certificate to export the file to your hard drive or a floppy disk