IMPORTANT
SNS 3.x versions have been End of Maintenance since July 1, 2024.
We recommend that you update your SNS firewalls to a maintained version to keep your infrastructure protected.
Adding a smart card certificate
Smart card certificates are associated with Microsoft Windows accounts, and therefore with a single user. The user's certificate is signed by a certification authority, and the CRL distribution points (CRLDPs) that this authority declares are what allow relying parties to check that the certificate has not been revoked; the certificate is then published in Active Directory (or an LDAP directory).
Because the firewall can check the user's Windows account against an authentication policy and confirm the information in the corresponding certificate, it can grant users who log on with a smart card access to your organization's network resources.
Creating a smart card certificate
- Click on Add and select Add a smart card certificate.
- Enter a Name (CN) (mandatory).
  This name helps you identify the user and is limited to 64 characters.
- Enter an ID (optional).
  This is a shortcut for the Name (CN) that is convenient on the command line (e.g., if the CN is a first name and last name, the ID may be the user's initials).
- Enter the E-mail address (mandatory) of the user for whom you are creating the certificate.
- In the Main user name (Windows) field, enter the name of the user's Active Directory account, i.e., its User Principal Name (UPN).
- Click on Next.
- Select the Certification authority (CA) that will sign the certificate.
- Enter the CA password.
  The attributes of the authority are added automatically and will appear in the smart card certificate.
- Click on Next.
- Where necessary, change the certificate's Validity (days).
  The recommended value is 365 days (suggested by default).
- The Key size (bits) of the certificate can also be changed.
  Larger keys are stronger, but key generation is slow on entry-level appliances, so very large keys are not recommended there.
- Click on Next.
  A summary of the information you entered is displayed.
- Click on Finish.
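The following Go program is an added example and not Stormshield code: using only the Go standard library, it builds a certificate with the same fields as the wizard (Name (CN), E-mail address, Main user name (Windows), Validity (days), Key size (bits)), signs it with a throwaway authority standing in for the firewall's CA, and then performs the checks a relying party such as the firewall makes before it trusts a smart card: chain validation to the signing CA, presence of the Smart Card Logon extended key usage, and extraction of the UPN from the subjectAltName otherName that Windows matches against the Active Directory account. The Microsoft OIDs, the Client Authentication EKU, the test CA and every name (Jane Doe, jdoe@corp.example, jdoe@corp.local) are assumptions for this example; the firewall's own certificate profile may differ.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Microsoft OIDs used by smart card logon certificates (assumed; the page does not list them).
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidMsUPN          = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3} // UPN otherName
	oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2} // Smart Card Logon EKU
)

// msUPNOtherName is OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }.
type msUPNOtherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

// sanExtension builds subjectAltName = { otherName [0] msUPN, rfc822Name [1] }: Windows matches the UPN, LDAP the e-mail.
func sanExtension(email, upn string) pkix.Extension {
	other, _ := asn1.MarshalWithParams(msUPNOtherName{TypeID: oidMsUPN, Value: upn}, "tag:0") // fixed shape, cannot fail
	mail := asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte(email)}       // IA5String
	value, _ := asn1.Marshal([]asn1.RawValue{{FullBytes: other}, mail})
	return pkix.Extension{Id: oidSubjectAltName, Value: value}
}

// signCert generates an RSA key of bits and has parent (the template itself when nil) sign the template; NotBefore is backdated a minute against clock skew.
func signCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey, bits, days int) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	tmpl.NotAfter = tmpl.NotBefore.Add(time.Duration(days) * 24 * time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTestCA is a throwaway self-signed authority standing in for the firewall's own CA (constructed for this example).
func newTestCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
	return signCert(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil, 2048, 3650)
}

// issueSmartCardCert is the wizard's Finish step: cn, email, upn are Name (CN), E-mail address and Main user name (Windows); days and bits are Validity (days) and Key size (bits).
func issueSmartCardCert(cn, email, upn string, days, bits int, ca *x509.Certificate, caKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	return signCert(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidSmartCardLogon},
		ExtraExtensions: []pkix.Extension{sanExtension(email, upn)}}, ca, caKey, bits, days)
}

// upnFromCert walks subjectAltName for the msUPN otherName, which Go's own parser skips.
func upnFromCert(c *x509.Certificate) (string, bool) {
	var names []asn1.RawValue
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			asn1.Unmarshal(ext.Value, &names) // a malformed SAN leaves names empty
		}
	}
	for _, gn := range names {
		var on msUPNOtherName // only otherName is tagged [0]; rfc822Name [1] and the others fail the tag check
		if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidMsUPN) {
			return on.Value, true
		}
	}
	return "", false
}

// checkSmartCardCert is what the relying party does before trusting the card: chain to the CA, require the Smart Card Logon EKU, return the UPN naming the Windows account.
func checkSmartCardCert(cert, ca *x509.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	upn, ok := upnFromCert(cert)
	for _, oid := range cert.UnknownExtKeyUsage {
		if ok && oid.Equal(oidSmartCardLogon) {
			return upn, nil
		}
	}
	return "", errors.New("certificate lacks the Smart Card Logon EKU or the UPN otherName")
}
```

Create the authority with newTestCA, issue with issueSmartCardCert and hand the result to checkSmartCardCert: a certificate from a different authority, one without the Smart Card Logon EKU, or one without a UPN in its subjectAltName is rejected, which is the behaviour you want before a card is mapped to an account. Note that the firewall's wizard also packs the private key into a PKCS#12 container; the Go standard library can only read such containers, so that step is not shown here.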
Displaying certificate details
Click once on the identity to display its detailed information on the right side of the screen:
“Details” tab
Information about the identity is shown in four windows:
- The duration of its Validity: when its certificate was issued and when it expires,
- Its recipient (Issued for),
- Its Issuer: the parent authority,
- Its Fingerprints: serial number of the certificate, encryption and signature algorithms used, etc.
Publishing a certificate in the LDAP directory
If a user declared in the LDAP directory has the same e-mail address as the one entered for a user certificate, the certificate can be associated with that user.
Note that this is only possible if the authority that generated the certificate is the firewall's default authority.
In this case:
- Select the relevant certificate by clicking once.
- Click on the Actions menu.
- Select LDAP publication.
- In the pop-up window that appears, enter the password that will protect the certificate's PKCS#12 container. The container holds the user's private key as well as the certificate, so once it sits in the directory this password is all that protects the key: choose a strong one and give it to the user out of band.
- Click on Publish certificate.