Possible operations

Search bar

Enter the name of the particular certificate or CA you are looking for if it exists.

The search field will list all certificates and CAs with names that correspond to the keywords entered.

Example:

If you type “a” in the search bar, the list below it will show all certificates containing an “a”.

Filter

This button allows you to select the type of certificate to display and to view only items that are relevant to you. A drop-down menu will offer you the following choices:

All

Represented by the icon, this option allows displaying all existing authorities and certificates in the list on the left.

Certificate authorities

Represented by the icon, this option allows displaying all existing authorities and sub-authorities in the list on the left.

User certificates

Represented by the icon, this option allows displaying only user certificates and the CA that they depend on.

Server certificates

Represented by the icon, this option allows displaying only server certificates and the CA that they depend on.

Smartcard certificates

Represented by the icon, this option allows displaying only Smartcard certificates and the CA that they depend on.

Add

The Certificates and PKI module window makes it possible to Add several types of authorities:

For each of them, a wizard will appear so that the authority’s properties can be defined.

To find out which characters are allowed or prohibited in various fields, please refer to section Allowed names.

NOTE

You can now add CRLDPs (Certificate Revocation List Distribution Points) for CAs imported via the GUI.

Delete

This button relates to the left column. Select the item from the list of CAs, sub-CAs or certificates that you wish to remove and click on Delete.

Action

This button relates to the left column. Select a CA, sub-CA or certificate from the list and click on the Action button. The possible actions vary according to the type of object selected.

Actions on a CA or sub-CA

Create or renew a CRL

A CRL (Certificate Revocation List) is a list of certificate IDs that have been revoked or are no longer valid and are no longer trustworthy. The certificate authority signs this list in order to prevent it from being modified by unauthorized parties.

This action allows creating or renewing a CRL for the selected CA or sub-CA.

You need to enter the password that protects the authority, and then click on Create or renew a CRL.

Remove the CRL

This action allows deleting the CRL for the selected CA or sub-CA.

REMARK

This action is not available (grayed-out option) when the CA or sub-CA does not have a CRL.

Set as default

This action allows defining the certificate authority used by default on the Firewall.

Actions on a certificate

Delete private key

This action allows deleting a certificate’s private key. When the certificate is used in the firewall’s configuration, you will be asked to confirm the deletion. It will then be possible to:

  • Cancel the deletion (click on Cancel),
  • Display configuration elements in which the certificate is used (click on Check certificate use),
  • Confirm the deletion of the private key (click on Confirm deletion).

REMARK

This action is not available (grayed-out option) when the selected certificate does not have a private key.

LDAP publication

This action allows publishing a user’s certificate in the LDAP directory. To do so, the e-mail address specified in the creation wizard for this certificate must be the same as the one used in the user’s properties in the firewall directory.

When the user has a private key, you will be asked to enter a password to protect this certificate and its private key in a directory. Next, confirm this password. A gauge will indicate the password’s level of security: “Very weak”, “Weak”, “Moderate”, “Good” or “Excellent”. You are strongly advised to use a combination of uppercase and lowercase letters, numbers and special characters.

Download

This button allows you to download CAs, sub-CAs and certificates, by selecting them from the list on the left.

  1. A window will open offering you the following options:

Open with – Browse

or

Save file

A certificate import wizard will then appear if you have selected “Open with”. It helps you copy certificates, lists of trusted certificates and CRLs from your hard disk to the certificate library.

A certificate sent by a CA is a confirmation of your identity and contains information used in protecting your data and establishing secure network connections.

  2. Click on Next and select the file to import.
  3. Next, enter the password. Two options are available:
  • Enable increased protection for private keys. If you enable this option, you will be asked to enter the private key each time an application uses it.
  • Tag this key as exportable. This will allow you to transport your keys later.
  4. Click on Next, and you will access the certificate library. Windows may automatically select the certificate library, or you can specify the location of the certificate.

Two options are available:

  • Automatically select the certificate library according to the type of certificate.
  • Add all certificates to the following library: select the location by clicking on “Browse”.
  5. Click on Next, and you will reach the end of the certificate import wizard, which summarizes the parameters that you have configured.
  6. Click Finish. A “Security warning” screen may appear and ask you to confirm the installation of your certificate (this will depend on your OS configuration).

The Download menu also offers the export of a certificate revocation list (CRL) in PEM or DER format.
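The checks an administrator applies to a CRL exported from the firewall follow from the two points made above: the CA signs the list so that it cannot be altered (section "Create or renew a CRL"), and the export comes out as PEM or DER. The script below is an added example, not Stormshield code: it builds a throwaway CA and server certificate with the openssl command line, revokes the certificate and issues a CRL (the counterpart of "Create or renew a CRL"), then shows how to convert a DER CRL to PEM, verify the CA's signature on it, list the revoked serial numbers, and test whether a given certificate is revoked. All names (Example Test CA, server.example) and the serial 1000 are constructed for the example.

```shell
#!/bin/sh
# Added example, not Stormshield code: build a throwaway CA and server
# certificate, revoke the certificate and issue a CRL (the equivalent of
# "Create or renew a CRL" on the firewall), then run the checks an
# administrator would apply to a CRL exported from the firewall in PEM or
# DER format. Needs only the openssl command line; everything is written to
# a temporary directory that is removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p db/newcerts
touch db/index.txt
echo 1000 > db/serial      # serial of the first certificate issued
echo 01 > db/crlnumber     # CRL number extension, incremented per CRL

# One config for both openssl req (CA self-signature, CSR) and openssl ca.
cat > pki.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
default_md = sha256
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK/db
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
EOF

# Self-signed test CA, then a server certificate issued by it.
openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=server.example" -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl ca -batch -config pki.cnf -in srv.csr -out srv.pem >/dev/null 2>&1

# Revoke the server certificate and sign a CRL listing it.
openssl ca -config pki.cnf -revoke srv.pem >/dev/null 2>&1
openssl ca -config pki.cnf -gencrl -out crl.pem >/dev/null 2>&1
# A DER copy stands in for a DER export from the firewall's Download menu.
openssl crl -in crl.pem -outform DER -out crl.der

# Convert a DER CRL to PEM so the other checks can read it.
der_to_pem() {  # $1 = DER CRL, $2 = output PEM path
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# A CRL is only trustworthy if the CA's signature on it verifies;
# openssl crl prints "verify OK" when the CA in $2 signed the CRL in $1.
verify_crl() {  # $1 = CRL (PEM), $2 = CA certificate (PEM)
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q "verify OK"
}

# Serial numbers listed as revoked in a PEM CRL, one per line.
revoked_serials() {  # $1 = CRL (PEM)
    openssl crl -in "$1" -noout -text | awk '/Serial Number:/ { print $3 }'
}

# Does the CRL revoke this certificate? openssl verify reads both the CA
# certificate and the CRL from one -CAfile bundle when -crl_check is set.
is_revoked() {  # $1 = certificate, $2 = CA certificate, $3 = CRL (all PEM)
    cat "$2" "$3" > "$WORK/trust.pem"
    openssl verify -crl_check -CAfile "$WORK/trust.pem" "$1" 2>&1 \
        | grep -q "certificate revoked"
}

der_to_pem crl.der crl_from_der.pem
verify_crl crl_from_der.pem ca.pem && echo "CRL signature verified against ca.pem"
verify_crl crl.pem srv.pem || echo "CRL rejected: srv.pem did not sign it"
echo "Revoked serials: $(revoked_serials crl.pem)"
is_revoked srv.pem ca.pem crl.pem && echo "srv.pem (serial 1000) is revoked"
```

The signature check is deliberately done with the CA certificate that is expected to have issued the CRL, not with whatever certificate happens to be at hand: a CRL whose signature does not verify against the issuing CA tells you nothing about revocation and should be discarded, which is why the second verify_crl call is shown being rejected.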

NOTE

Any issues encountered during this procedure are outside the scope of Stormshield Network support.

Check usage

You can look for the features or modules that use the selected certificate.