Extracting a PKCS12 Certificate; Creating a Self-Signed Certificate - McAfee SG310 Administration Manual

VPN menu features
Certificate management
For operating systems other than Windows, OpenSSL is available for free download at www.openssl.org.

Extracting a PKCS12 certificate

Use this procedure to extract a certificate in PKCS12 format so it can be used on the UTM Firewall appliance.
To extract the CA certificate, run:
openssl pkcs12 -nomacver -cacerts -nokeys -in pkcs12_file -out ca_certificate.pem
... where pkcs12_file is the PKCS12 file issued by the CA and ca_certificate.pem is the CA certificate to be uploaded into the UTM Firewall appliance.
When the application prompts you to Enter Import Password, enter the password that was used when the PKCS12 file was created. If none was used, simply press Enter.
To extract the local public key certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -clcerts -nokeys -in pkcs12_file -out local_certificate.pem
... where pkcs12_file is the PKCS12 file issued by the CA and local_certificate.pem is the local public key certificate to be uploaded into the UTM Firewall appliance.
When the application prompts you to Enter Import Password, enter the password that was used when the PKCS12 file was created. If none was used, simply press Enter.
To extract the local private key certificate, enter the following at the Windows command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
... where pkcs12_file is the PKCS12 file issued by the CA and local_private_key.pem is the local private key certificate to be uploaded into the UTM Firewall appliance.
When the application prompts you to Enter Import Password, enter the password that was used when the PKCS12 file was created. If none was used, simply press Enter. When the application prompts you to Enter PEM pass phrase, choose a secure pass phrase that is greater than 4 characters long. This is the pass phrase used to secure the private key file, and it is the same pass phrase you enter when uploading the private key certificate into the UTM Firewall appliance. Verify the pass phrase by typing it in again.
The UTM Firewall appliance also supports Certificate Revocation List (CRL) files. A CRL is a list of certificates
that have been revoked by the CA before they have expired. This may be necessary if the private key
certificate has been compromised or if the holder of the certificate is to be denied the ability to establish a
tunnel to the UTM Firewall appliance.

Creating a self-signed certificate

There are two steps to create a self-signed certificate: first, create a single CA certificate; second, create one or more local certificate pairs and sign them with the CA certificate.
Step 1: Creating a CA certificate
1. Create the CA directory:
   mkdir rootCA
2. Create the serial number for the first certificate:
   echo 01 > rootCA/serial
3. Create an empty CA database file under Windows:
   type nul > rootCA/index.txt
   ... or under Linux:
   touch rootCA/index.txt
4. Create the CA certificate; omit the -nodes option if you want to use a password to secure the CA key:
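The following script is an added example and is not part of the McAfee guide. It carries Step 1 through to a working CA directory and then uses that directory to sign a local certificate, which is the second step the section names and the reason steps 2 and 3 create the serial and index.txt files: the openssl ca command reads the next serial number from rootCA/serial and records every issued certificate in rootCA/index.txt. The minimal ca.cnf, the use of openssl ca for signing, and all names and subjects are assumptions made for this example; the guide itself does not show them. It assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example, not code from the McAfee guide. Assumes the openssl CLI is on PATH.
# The CA config, file names and subjects are constructed for this example.
set -eu

CA_HOME="${CA_HOME:-$(mktemp -d)}"

# Steps 1 to 3 of the guide: CA directory, first serial number, empty database.
setup_ca_dir() {
  cd "$CA_HOME"
  mkdir -p rootCA
  echo 01 > rootCA/serial
  : > rootCA/index.txt          # POSIX equivalent of "type nul >" / "touch"

  # Minimal config for "openssl ca" (constructed for this example). The serial
  # and database entries point at the files created by steps 2 and 3.
  cat > rootCA/ca.cnf <<'EOF'
[ ca ]
default_ca      = rootCA

[ rootCA ]
dir             = ./rootCA
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = local_cert

[ policy_any ]
commonName      = supplied

[ local_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF
}

# Step 4 of the guide: the self-signed CA certificate. -nodes leaves the CA
# key unencrypted; drop it to be prompted for a password, as the guide says.
create_ca_cert() {
  cd "$CA_HOME"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout rootCA/ca.key -out rootCA/ca.pem \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
}

# Second step of the procedure: a local key pair and CSR, signed by the CA.
# "openssl ca" consumes rootCA/serial, increments it, and appends a line for
# the new certificate to rootCA/index.txt.
issue_local_cert() {
  cd "$CA_HOME"
  openssl req -newkey rsa:2048 -nodes -keyout local.key -out local.csr \
    -subj "/CN=utm-vpn-peer" >/dev/null 2>&1
  openssl ca -batch -config rootCA/ca.cnf -in local.csr -out local.pem \
    -notext >/dev/null 2>&1
}

# Verifies that the issued certificate chains to the CA and that the database
# recorded it, then prints the next serial number (returns non-zero on failure).
check_ca_state() {
  cd "$CA_HOME"
  openssl verify -CAfile rootCA/ca.pem local.pem >/dev/null
  grep -q "CN=utm-vpn-peer" rootCA/index.txt
  cat rootCA/serial
}

setup_ca_dir
create_ca_cert
issue_local_cert
check_ca_state
```

After one issuance rootCA/serial reads 02 and rootCA/index.txt holds one "V" (valid) entry for the local certificate; revoking a certificate later with openssl ca -revoke and generating a CRL with openssl ca -gencrl works from this same database, which is the CRL file the guide says the appliance can consume.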
290
McAfee UTM Firewall 4.0.4 Administration Guide
