Planning Your VPN Configuration

Identifying authentication requirements

If you have not already done so, decide whether you will use self-signed certificates generated by Sidewinder or a public/private CA server.

Table 2-1. Sidewinder self-signed certificates versus CA-based certificates

Scenario: Using self-signed certificates (for a small number of VPN clients)
Profile: No CA needed. Requires one VPN association for each client.

Scenario: Using CA-based certificates (for a medium to large number of VPN clients)
Profile: Uses a private or public CA. Single VPN association for all clients. Can make VPN deployment and management more efficient.

A closer look at self-signed certificates

A VPN implemented using Sidewinder self-signed certificates does not require an external certificate authority and is relatively easy to configure for a small number of clients (fewer than 10). However, one VPN association must be configured on Sidewinder for each client. As the number of configured clients grows, so does the administrative time. Figure 2-2 shows the certificates involved in a VPN using Sidewinder self-signed certificates.

Figure 2-2. Sidewinder self-signed certificate summary

1. Admin creates firewall private key and certificate
2. Admin creates client private key/certificate pair(s)
3. Admin converts client private key & exports certificate files to PK12 object
4. Firewall certificate imported to Soft-PK (private key remains on Sidewinder)
5. Client private key and certificate file (PKCS12) imported into Soft-PK

[Diagram: Sidewinder sits between the protected network and the Internet and holds the firewall certificate (*.pem, step 1) and the client certificate (*.pem, step 2). The client key and certificate become a PK12 object (*.pk1, step 3) for importing to Soft-PK. Soft-PK receives the firewall certificate (step 4) and the client certificate (step 5).]

Note: A self-signed certificate created on Sidewinder remains valid for one year beginning from the date it is created.
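The two checks an administrator would want before handing files to a client follow from step 4 (the firewall private key stays on Sidewinder) and from the one-year validity note. The script below is an added example, not part of the original guide. It assumes OpenSSL as a stand-in for Sidewinder's own certificate tools, which this page does not show; the file names, the CN and the 30-day warning window are constructed.

```shell
#!/bin/sh
# Added example: checks on a PEM file before it is given to a VPN client.
# Assumption: OpenSSL stands in for Sidewinder's own certificate tools.

# Build a throwaway self-signed certificate (constructed sample data).
# $1 = output directory, $2 = validity in days
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=fw.example.test" \
        -keyout "$1/fw.key" -out "$1/fw.pem" 2>/dev/null
}

# True when subject and issuer are identical (self-signed certificate).
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^[a-z]*= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^[a-z]*= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# True when the certificate in $1 expires within the next $2 days.
# An unreadable file also counts as expiring (fail closed).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# True when the file carries any PEM private key block.
has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Audit one file meant for import into a client.
# $1 = file, $2 = warning window in days (default 30, an assumed value).
# Returns 0 = fine, 1 = contains a private key, 2 = close to expiry.
audit_for_client() {
    if has_private_key "$1"; then echo "FAIL: $1 contains a private key"; return 1; fi
    if is_self_signed "$1"; then echo "INFO: $1 is self-signed"; fi
    if expires_within "$1" "${2:-30}"; then
        echo "WARN: $1 expires within ${2:-30} days"; return 2
    fi
    return 0
}

# Demo on constructed data: a 365-day certificate mirrors the one-year lifetime.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 365
audit_for_client "$demo_dir/fw.pem" 30 && echo "OK: fw.pem may be distributed"
audit_for_client "$demo_dir/fw.key" 30 || echo "fw.key must stay on the firewall"
rm -rf "$demo_dir"
```

Because every client has its own self-signed certificate in this model, running the expiry check over all issued certificates gives advance warning before any single VPN association stops authenticating.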