Dreez's
PKI Single Sign-On Project
Create Firewall VPN Certificate
Revision Control

Date        Modifications
2/1/2001    Initial
Contact Dreez: mje@secev.com
Overview
The end-game with certificate-based authentication is to have every entity hold a certificate signed by a common trusted Certificate Authority (CA). This CA is known as the CA Root. In our scenario there are two types of certificates that the CA Root will verify and sign: the firewall's certificate and the client's certificate.
When the client contacts the firewall to use the VPN, the client and firewall exchange certificates and each verifies that the other's certificate came from the common CA Root.

This section describes the process by which a certificate, signed by the Root CA, is loaded onto the Checkpoint firewall. This certificate authenticates the firewall to the client during VPN connection negotiations. The section also describes how the certificate is linked into the VPN negotiation process.
Process
Logon to the firewall as an administrator. Double click on the firewall object and look at the certificates tab.
This tab lists the firewall certificates assigned to the firewall. You can add more certificates or update existing ones through this menu.

We will add a new certificate to the firewall. Click on Add, and specify the CA Server created previously.
At this point, the firewall has to generate a request for a new certificate to the Root CA. This process generates the public and private keys locally on the firewall; only the public key is then sent to the Root CA, in the request, to be signed.

Fill in a CN name. Make sure your format matches the diagram below: "CN=" followed by a name with no spaces. Just FYI, this name is ignored and not used later; the CA will use its own name instead.

After you generate the keys, look at the results. You are looking at a request for the Root CA to sign the public key of the firewall.

You will have to copy and paste this request into the Root CA web interface. Start up the Root CA web interface.

Make sure you specify an advanced request.

Now this next form permits you to paste the firewall request into the web interface.

This is where you paste the request into the web interface. The certificate template really doesn't matter.

The result is a certificate containing the firewall's public key, signed by the Root CA. At this point you can save the firewall certificate onto the hard drive. Make sure you choose the DER encoded option!


The next step is to load the new firewall certificate onto the firewall. Back inside the firewall certificate menu (continued from above), click GET to retrieve the certificate from the local hard drive.

The firewall will display the certificate. Note that the CN name changed. NO PROBLEM!!!! This name is ignored.
Note the validity times: it is extremely important that these are accurate and that the clocks of the CRL machine, the CA machine, the firewall and the client are in sync.
Note the CRL distribution points. Once again, make sure the machine they point to is accessible from the firewall.
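The checks the page calls for after loading the certificate (a common Root CA, accurate validity times, a reachable CRL point), as an added example that is not code from the original page or from Checkpoint: a Python script using the `cryptography` package plays both the firewall (local key pair, request carrying only the public key) and the Root CA (signing, DER output), then inspects the DER certificate the way the page says to. It assumes `cryptography` is installed; the names Root-CA, fw1 and http://crl.example/root.crl are constructed, and unlike the CA on the page it keeps the requested CN rather than substituting its own.

```python
# Added example (not from the original page): the firewall certificate workflow
# modelled with the `cryptography` package, plus the checks the page calls out.
# Root-CA, fw1 and http://crl.example/root.crl are constructed names.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

UTC = datetime.timezone.utc

def make_root_ca(days=3650):
    """Self-signed Root CA: the trust anchor shared by firewall and clients."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Root-CA")])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_firewall_request(cn):
    """Firewall side: key pair generated locally, only the public key leaves
    in the request. The page's rule: the CN carries no spaces."""
    if " " in cn:
        raise ValueError("CN must not contain spaces")
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
           .sign(key, hashes.SHA256()))
    return key, csr

def ca_sign(ca_key, ca_cert, csr, crl_url, not_before, not_after):
    """Root CA side: sign the requested public key, stamp a CRL distribution
    point, and hand back the certificate DER-encoded (the page's save option)."""
    if not csr.is_signature_valid:
        raise ValueError("request not signed by the key it carries")
    crl_dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(crl_url)],
                                    relative_name=None, reasons=None, crl_issuer=None)
    cert = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.CRLDistributionPoints([crl_dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)

def _validity(cert):
    # cryptography >= 42 has tz-aware *_utc properties; older releases only naive UTC ones
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))

def check_firewall_cert(der_bytes, ca_cert, now):
    """The checks the page lists after loading the certificate: common Root CA,
    validity window at the verifier's clock, a CRL distribution point."""
    cert = x509.load_der_x509_certificate(der_bytes)
    problems = []
    if cert.issuer != ca_cert.subject:
        problems.append("issuer name does not match Root CA")
    try:  # a matching name proves nothing; the Root CA key must verify the signature
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("signature not from Root CA")
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        problems.append("outside validity window (check clock sync)")
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
        crl_urls = [n.value for dp in ext.value for n in (dp.full_name or [])]
    except x509.ExtensionNotFound:
        crl_urls = []
    if not crl_urls:
        problems.append("no CRL distribution point")
    return cert.subject.rfc4514_string(), crl_urls, problems

def run_demo(crl_url="http://crl.example/root.crl"):
    """Whole flow, then two failure modes the page's notes warn about: a client
    clock a day behind, and a certificate checked against a different Root CA."""
    ca_key, ca_cert = make_root_ca()
    _fw_key, csr = make_firewall_request("fw1")
    now = datetime.datetime.now(UTC)
    der = ca_sign(ca_key, ca_cert, csr, crl_url,
                  now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=365))
    subject, crl_urls, problems = check_firewall_cert(der, ca_cert, now)
    _, _, skewed = check_firewall_cert(der, ca_cert, now - datetime.timedelta(days=1))
    _other_key, other_ca = make_root_ca()
    _, _, wrong_root = check_firewall_cert(der, other_ca, now)
    return {"subject": subject, "crl_urls": crl_urls, "problems": problems,
            "skewed_clock": skewed, "wrong_root": wrong_root}

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the script and compare the five results: the good path reports no problems, the client with a clock one day behind fails the validity check exactly as the page's time-sync note warns, and the second Root CA (which has the same name "Root-CA") passes the issuer-name comparison but fails the signature check, which is why the check relies on the Root CA's key rather than on its name.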

After the firewall certificate is loaded onto the firewall, we have to link the certificate into VPN authentication. Close all the certificate tab windows and go to the VPN tab.
We suggest that before you even try working with PKI, you make sure Secure Remote works with standard IKE and username/password. In this case the Export button should be checked. This exports the firewall authentication information to Secure Remote clients upon connection authentication.
Within the IKE menu edit the properties. I suggest you use all forms of key negotiation for the time being just to make sure things work. After you make things work, you can uncheck the items that are not used and possibly speed up negotiations. Same with Hash Methods and authentication methods, the more the better for now.
Next, let's assign the freshly loaded firewall certificate to the VPN. This associates the certificate with VPN authentication and encryption.

Debugging
Copyright 2006, Security Evolution, Inc.