Using Certificates With Windows Ipsec - McAfee SG310 Administration Manual

VPN menu features
Certificate management
openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key -out rootCA/ca.pem -days DAYS_VALID -nodes
where DAYS_VALID is the number of days for which the root CA certificate is valid. The -nodes option writes rootCA/ca.key to disk unencrypted, so restrict access to the rootCA directory: anyone who can read that key can issue certificates the appliance will trust.
Step 2: Creating local certificate pairs
For each local certificate you want to create, there are two steps.
First, create the certificate request:
openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req
Enter a PEM pass phrase (the same pass phrase is required when you upload the key to the UTM Firewall appliance), and then enter the certificate details. All but the Common Name are optional and can be omitted.
Second, sign the certificate request with the CA:
openssl ca -config openssl.cnf -out cert1.pem -notext -infiles cert1.req
You now have a local certificate pair, the local public certificate cert1.pem and the local private key cert1.key, ready to use in the UTM Firewall appliance. Only cert1.pem is meant to be distributed; keep cert1.key private.
For each further certificate required, change the cert1.* filenames in the commands above as appropriate.

Using certificates with Windows IPsec

To create certificates for use with IPsec on a Windows system, first follow the previous instructions to create a CA certificate and local certificate pairs in Creating a self-signed certificate.
Windows IPsec requires the certificates to be in a PKCS12 format file. This format combines the CA certificate, the local public certificate, and the local private key into one file:
openssl pkcs12 -export -inkey cert1.key -in cert1.pem -certfile rootCA/ca.pem -out cert1.p12 -name "Certificate 1"
You are prompted for the pass phrase of cert1.key and then for an export password; Windows asks for that export password when the file is imported.
To install the new PKCS12 file, cert1.p12, on Windows XP:
1 Open the Microsoft Management Console (Start > Run, then type mmc). The Certificate console appears (Figure 295).
Figure 295 Microsoft Management Console
2 Add the Certificates snap-in (File > Add/Remove Snap-in). The Add/Remove Snap-in dialog box appears (Figure 296).
McAfee UTM Firewall 4.0.4 Administration Guide 291
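The following script is an added example and is not part of the McAfee guide. It runs the guide's three openssl steps (the Step 1 root CA, the Step 2 request and signing, and the PKCS12 export above) end to end in a scratch directory, writing a minimal openssl.cnf on the fly because the guide refers to one without showing its contents, and then checks the result the way you would before copying cert1.p12 to a Windows host. The file names rootCA/ca.key, rootCA/ca.pem, cert1.key, cert1.req, cert1.pem, cert1.p12 and the friendly name "Certificate 1" are the guide's; the openssl.cnf sections, subject names, validity periods and pass phrases are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: the guide's certificate procedure
# (root CA, local certificate pair signed with "openssl ca", PKCS12 bundle for
# Windows IPsec) run end to end, plus checks on the result. File names follow
# the guide; the openssl.cnf contents, subject names, validity periods and the
# pass phrases below are assumptions made for this example.
set -eu

command -v openssl >/dev/null || { echo "openssl not found in PATH" >&2; exit 1; }

CA_DAYS=3650                       # DAYS_VALID in the guide (assumed value)
KEYPASS='example-key-passphrase'   # PEM pass phrase for cert1.key (made up)
P12PASS='example-export-password'  # export password Windows asks for on import

build_pki() {
    workdir=$1
    mkdir -p "$workdir/rootCA/newcerts"
    (
        cd "$workdir"
        : > rootCA/index.txt          # empty certificate database for "openssl ca"
        echo 1000 > rootCA/serial     # first serial number to issue

        # Minimal openssl.cnf: only the [req] and [ca] sections the commands need.
        cat > openssl.cnf <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_dn
x509_extensions    = v3_ca        # applied only to the self-signed root (-x509)
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = local_ca
[ local_ca ]
dir             = ./rootCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/ca.pem
private_key     = $dir/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName = supplied
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

        # Step 1: self-signed root CA. -nodes leaves rootCA/ca.key unencrypted,
        # so protect the directory. -subj stands in for the interactive prompts.
        openssl req -config openssl.cnf -new -x509 -keyout rootCA/ca.key \
            -out rootCA/ca.pem -days "$CA_DAYS" -nodes -subj "/CN=Example Root CA"

        # Step 2a: certificate request with a pass-phrase-protected private key.
        openssl req -config openssl.cnf -new -keyout cert1.key -out cert1.req \
            -subj "/CN=cert1.example.test" -passout pass:"$KEYPASS"

        # Step 2b: sign the request with the CA (-batch answers the y/n prompts).
        openssl ca -config openssl.cnf -batch -out cert1.pem -notext -infiles cert1.req

        # Step 3: PKCS12 bundle (private key + certificate + CA) for Windows.
        openssl pkcs12 -export -inkey cert1.key -in cert1.pem -certfile rootCA/ca.pem \
            -out cert1.p12 -name "Certificate 1" \
            -passin pass:"$KEYPASS" -passout pass:"$P12PASS"

        # Check: the issued certificate chains to the CA the peer will trust.
        openssl verify -CAfile rootCA/ca.pem cert1.pem
    )
}

# Number of certificates inside the bundle (expect 2: cert1 and the CA).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:"$P12PASS" | grep -c 'BEGIN CERTIFICATE'
}

# Common Name of the end-entity certificate inside the bundle.
p12_client_cn() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:"$P12PASS" \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Stand-alone run: build everything in a fresh scratch directory and report.
demo_dir=$(mktemp -d)
build_pki "$demo_dir"
echo "bundle: $demo_dir/cert1.p12, $(p12_cert_count "$demo_dir/cert1.p12") certificates, CN=$(p12_client_cn "$demo_dir/cert1.p12")"
```

The -subj and -batch options replace the interactive prompts the guide describes; drop them to be asked for the Common Name and the signing confirmation as in the guide. Two points to keep in mind when importing on Windows: IPsec authenticates the machine, so the bundle belongs in the Local Computer certificate store (choose Computer account when adding the Certificates snap-in), not the current user's store; and OpenSSL 3.x writes PKCS12 files with AES-256 and PBKDF2 by default, which Windows XP and Server 2003 cannot read, so for those systems add -legacy to the openssl pkcs12 -export command (it needs the OpenSSL legacy provider) to get the older RC2/3DES format.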