Adding authorities and certificates

The Add button has a drop-down list offering 6 options that will enable the creation of an authority or a certificate, via a wizard.

Adding a root authority

A root authority or “root CA” is an entity that signs, issues and maintains certificates and CRLs (Certificate Revocation Lists).

You will need to define the properties of the authority you wish to add:

WARNING

This information cannot be modified after the creation of the authority is confirmed.

CN

Enter a name that would allow you to identify your root authority, limited to a maximum of 64 characters. This name may refer to an organization, a user, a server, a host, etc.

Example

Stormshield Network

NOTE

This field has to be entered in order to continue the configuration.

Identifier

Even though this field is not mandatory, you can indicate here a shortcut to your CN, which will come in handy for your command lines.

Example

If you had selected a first name and last name for your CN, the ID may indicate just the initials.

Select the parent CA (if necessary)

Selecting a parent authority involves first entering the authority’s attributes in the fields below.

Parent CA

Even though a CA is made up of certificates, it can also involve sub-CAs that depend on it.

A sub-CA can only be used after the identification of its “Parent authority” or CA.

Password for the parent CA

Define a password if you wish to indicate that you are indeed in charge of the parent CA.

Certificate authority attributes

During this step, you will need to enter general information regarding the authority that you wish to implement. The information entered will be found in your CA’s certificate and in your users’ certificates.

NOTE

For sub-CAs, this information is already pre-filled. Unless you modify it during configuration, not all of it can be modified later.

Organization (O)

Name of your company (e.g.: COMPANY).

Organizational Unit (OU)

"Branch" of your company (e.g.: INTERNAL).

Locality (L)

City in which your company is located (e.g.: Villeneuve d'Ascq).

State or province (ST)

State or province in which your company is located (e.g.: Nord).

Country (C)

Select from the list the country in which your company is located (e.g.: France).

Click on Next.

Next, you will need to secure access to your authority.

In this step of the PKI configuration wizard, you will need to enter a password that will allow you to protect your certificate authority’s private key.

WARNING

You are advised against choosing passwords that are too easy. We recommend that you mix uppercase and lowercase letters with numbers and special characters.

Certificate authority password

Password (min. 8 char)

Enter a password of at least 8 characters in order to protect access to your CA.

WARNING

The firewall will not save this password. If you forget your password, you will need to reinitialize the PKI and as such, you will lose the configuration parameters that you had defined for it.

Confirm password

Type your password again in this field in order to confirm it.

Mandatory password strength

This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”.

You are strongly advised to use uppercase letters and special characters.

E-mail address

Entering your e-mail address in this field will allow you to receive a message confirming that your authority has been created.

Key size (bits)

When you create a CA, you need to select the size of the key that the firewall will generate in order to allow traffic encryption. The larger the key, the more secure it is.

4 key sizes (in bits) are available:

1024

If you select this key size, the key generated for your authority will be 1024 bits long.

NOTE

This number corresponds to 1024 characters visible in the console on your workstation.

1536

If you select this key size, the key generated for your authority will be 1536 bits long.

2048

If you select this key size, the key generated for your authority will be 2048 bits long.

4096

If you select this key size, the key generated for your authority will not exceed 4096 bits.

WARNING

Even though large keys are more effective, you are advised against using this key size with entry-level appliances, as the key will take a long time to be generated.

NOTE

The computation of big keys may slow down your Stormshield Network appliance.

Validity (days)

This field corresponds to the number of days for which your certificate authority, and consequently your PKI, will be valid. This date affects every aspect of your PKI: once this certificate expires, all user certificates will also expire. This value cannot be modified later.

NOTE

The value of this field must not exceed 3650 days.

Click on Next.

In this step of the wizard, you will need to enter the configuration for the distribution of the CRL (Certificate Revocation List). This information will be embedded in the generated CAs and will allow applications that use the certificate to automatically retrieve the CRL in order to check the certificate’s validity.

You can now manage your certificate revocations in the table that appears on the screen and enter the URLs that act as distribution points for revoked (invalid) certificates.

Add

When you click on this button, a new line will appear allowing you to enter a URL as a distribution point for certificate revocation lists.

The first URL you enter will be numbered “1”, and so on for the URLs that follow. The firewall will use the distribution points in the order in which they appear on the screen.

Delete

Select the line to delete and click on this button to remove it from the list.

Move up

Move your URL up one line in the order of priority in the table by clicking on this button.

Repeat this operation until your URL reaches the number you wish to assign to it.

Move down

Bring down your URL one or several places in the list using this button.

The following window sets out a summary of the information in your certificate.

Click Finish.

You will now see in the left column of the Certificates and PKI screen the CA that you have just created, represented by the icon (which represents the default CA).

By clicking on the relevant CA, detailed information about it will be displayed on the right side of the screen in 3 tabs:

“Details” tab

This tab contains 4 sections setting out data concerning the “Validity” of the authority, its recipient (“Issued for”), its “Issuer” and its “Fingerprint” (information about the CA and its version).

“CRL” tab

Rounds up information regarding the CRL: its validity, including the last and next update, the table of distribution points and the table of revoked certificates, which contains a serial number, a revocation date and a reason for the revocation (optional).

The maximum lifetime of certificates has been increased to ten years.

“Properties” tab

This tab presents the Key size (bits), the Validity (days) and the Encryption algorithm for the certification authority (including the CRL validity (days) for the CA, limited to a maximum of 3650 days), user certificates, Smartcard certificates and server certificates.

Adding a sub-CA

During the creation of a sub-CA, the windows are similar to those for the root CA. The configuration wizard for a sub-CA requires a “parent” reference from which it will copy information.

The CA selected as a reference for the sub-CA will be the default CA, or the last CA selected before clicking on “Add a sub-CA”.

You will need to enter a CN and an ID to begin with. Next, enter the password of the parent authority in the field “Password for the parent CA".

The icon allows you to view the password in plaintext to check that it is correct.

Click on Next.

The screen that follows will ask for the password of your CA and a confirmation.

You can also enter your E-mail address, Key size (in bits), as well as the duration of your sub-CA’s Validity (in days).

You will then see a summary of the information entered.

NOTE

To view your sub-CA in the list to the left, expand the parent CA to which it is attached.

Click Finish.

By clicking on the relevant sub-CA, detailed information about it will be displayed on the right side of the screen in 3 tabs:

“Details” tab

These 4 sections will contain the same data concerning the “Validity” of the authority, its recipient (“Issued for”), its “Issuer” and its “Fingerprint” (information about the product and its version).

“CRL” tab

Rounds up information regarding the CRL: its validity, including the last and next update, the table of distribution points and the table of revoked certificates, which contains a serial number, a revocation date and a reason for the revocation (optional).

“Properties” tab

This tab presents the Key size (bits) and the Validity (days) for the certification authority (including the CRL validity (days) for the CA, limited to a maximum of 3650 days), user certificates, Smartcard certificates and server certificates.

Adding a user certificate

In the configuration wizard, the administrator will specify information relating to the user for whom he wishes to create a certificate, by entering the user’s e-mail address.

Once the certificate has been generated and published by the administrator, the user will receive a confirmation e-mail that his certificate has been created and will be able to use it for logging on (if the e-mail sending option has been enabled).

NOTE

The user certificate also depends on a parent CA; the wizard will therefore select the default CA. Click on the button Add a user certificate.

Name (CN) (mandatory)

Enter your user’s name, limited to a maximum of 64 characters.

NOTE

This field has to be entered in order to continue the configuration.

Identifier

Even though this field is not mandatory, you can indicate here a shortcut to your CN, which will come in handy for your command lines.

Example

If you had selected a first name and last name for your CN, the ID may indicate just the initials.

E-mail address (mandatory)

In this field, enter the e-mail address of the user for whom you wish to create a certificate.

Next, you will need to specify various options for your user certificate.

The field “Validity” is set by default to 365 days, and the field Key size to 2048 bits.

NOTE

To view your certificate created in the list to the left, expand the parent CA to which it is attached.

Publication in LDAP directory

You can choose to associate the user certificate with your LDAP database by selecting the option “Publish this certificate in the LDAP directory”.

If this option is selected, the certificate can be directly linked to its user if this user exists in the LDAP database and consequently make the Authentication process easier.

For this, the e-mail address specified during the creation of the user certificate in the wizard has to be the same as the address used in the user profile in the firewall’s user database.

Password of the published PKCS#12 container (min. 8 char)

The PKCS#12 container is a file format that allows storing the private key and the user certificate as well as the CA’s certificate.

Enter a password in order to protect the data for the 3 items mentioned above.

Confirm password

Type your password again in this field in order to confirm it.

Mandatory password strength

This field indicates your password’s level of security: “Very Weak”, “Weak”, “Medium”, “Good” or “Excellent”.

You are strongly advised to use uppercase letters and special characters.

Click Next.

The following windows set out the information about the pre-selected parent CA as well as a summary of the data in the user certificate.

Click Finish.

By clicking on the relevant certificate, detailed information about it will be displayed on the right side of the screen in a single tab:

“Details” tab

These 4 sections will contain the same data concerning the “Validity” of the authority, its recipient (“Issued for”), its “Issuer” and its “Fingerprint” (information about the product and its version).

Adding a Smartcard certificate

The Smartcard certificate is linked to a Microsoft Windows account associated with a user and a certificate. It allows signing and issuing certificates used to authenticate users registered in the Active Directory (see document on Directory configuration (LDAP)\Connection to a Microsoft Active Directory), and also in your LDAP database.

NOTE

Each user will be assigned a Windows account. Consequently, each user is assigned a Smartcard certificate. The CA used must have CRL distribution points (CRLDPs) defined.

Name (CN) (mandatory)

Enter a name for the Smartcard certificate, limited to a maximum of 64 characters.

Identifier

Even though this field is not mandatory, you can indicate here a shortcut to your CN, which will come in handy for your command lines.

Example

If you had selected a first name and last name for your CN, the ID may indicate just the initials.

E-mail address (mandatory)

In this field, enter the e-mail address of the user for whom you wish to create a certificate.

Main user name (Windows)

Enter the name of the owner of the Windows account for whom you wish to create a Smartcard certificate.

Proceed in the same way as for adding a user certificate:

Specify the various options for your Smartcard certificate. The field “Validity” is set by default to 365 days, and the field Key size to 1024 bits.

You can then “Publish this certificate in the LDAP directory” by selecting the relevant option, and define a password that you will confirm for the PKCS#12 container.

After having clicked on Next, select a parent CA for your certificate and enter its password. You will see a summary of the data that was entered.

Click Finish.

By clicking on the relevant certificate, detailed information about it will be displayed on the right side of the screen in a single tab:

“Details” tab

These 4 sections will contain the same data concerning the “Validity” of the authority, its recipient (“Issued for”), its “Issuer” and its “Fingerprint” (information about the product and its version).

Adding a server certificate

The server certificate is installed on a web server and allows a trusted link to be established between the server and the clients that connect to it.

In the case of a website, it allows checking that the URL and its DN (domain name) belong to the stated company.

Define the properties of the server certificate through the wizard.

Fully Qualified Domain Name (FQDN)

The FQDN is the full name of a host in a URL, made up of a host name (e.g. www) and a domain name (e.g. company.com).

Example

www.company.com

Identifier

Even though this field is not mandatory, you can indicate here a shortcut to your CN, which will come in handy for your command lines.

Example

Stormshield Network (owner of the FQDN)

Proceed in the same way as for adding a user certificate or a Smartcard certificate:

Specify the various options for your server certificate. The field “Validity” is set by default to 365 days, and the field Key size to 2048 bits.

You can then “Publish this certificate in the LDAP directory” by selecting the relevant option, and define a password that you will confirm for the PKCS#12 container.

After having clicked on Next, select a parent CA for your certificate and enter its password. You will see a summary of the data that was entered.

Click Finish.

By clicking on the relevant certificate, detailed information about it will be displayed on the right side of the screen in a single tab:

“Details” tab

These 4 sections will contain the same data concerning the “Validity” of the authority, its recipient (“Issued for”), its “Issuer” and its “Fingerprint” (information about the product and its version).

Importing a file

By clicking on this button, you can import a file (containing your certificate) through the configuration wizard.

This will save you the hassle of having to go through the steps of creating the CA, sub-CA or certificates.

File to import

By clicking on the icon to the right of the field, you will be able to browse your computer or your web browser to look for a certificate (if you have created one earlier).

File format

3 file formats are suggested:

  • Base64 format (PEM - Privacy-Enhanced Mail). It allows encoding X509 certificates in Base64. A PEM-type certificate may look like this:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The markers "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" frame a block of lines (the number of which is variable), each 64 characters long and made up of the characters [A-Za-z0-9/+].

This format is often transmitted by e-mail because it is resistant to the distortions caused by mail software.

The PEM file is a text file which contains this type of information.

Likewise, a CRL file contains strings of Base64-encoded characters framed by markers like "-----BEGIN X509 CRL-----" and "-----END X509 CRL-----".

As for the private key file, it contains strings of Base64-encoded characters framed by markers like "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".

  • Binary format (DER - Distinguished Encoding Rules), containing the user’s certificate in binary format.
  • Container (PKCS#12), containing the private key and the user certificate as well as the CA’s certificate. Furthermore, it is encrypted.

File password (if PKCS#12)

Enter the password protecting the PKCS#12 file, if this is the format you have chosen (the same password as the one defined when publishing the user certificate in the LDAP directory).

The icon allows you to view the password in plaintext to check that it is correct.

Items to import

Given that each file format contains different items, you can choose to import a file or part of it through the following choices.

All: Imports all items contained in your files.

Or select only the following:

  • Certificate(s)
  • Private key(s)
  • CRL
  • Certification authority (CA)
  • Request(s)

Overwrite existing content in the PKI

If you select this option, items of the same kind already in the PKI will be overwritten by the newly imported certificates, private keys, CAs and requests.
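An added example (Python, written for this page, not Stormshield code) that applies the PEM framing rules described above and the per-item split behind the “Items to import” choice: it validates a PEM file’s markers and 64-character Base64 lines, sorts each block by its label (CERTIFICATE, X509 CRL, RSA PRIVATE KEY) and rejects damaged files. The sample bundle it builds is constructed from dummy DER sequences, not real certificates or keys.

```python
import base64
import re
from typing import Dict, List

# The three marker types named on the page.
KNOWN_LABELS = ("CERTIFICATE", "X509 CRL", "RSA PRIVATE KEY")
BODY_LINE = re.compile(r"^[A-Za-z0-9/+]{64}$")          # every line but the last
LAST_LINE = re.compile(r"^[A-Za-z0-9/+]{1,64}={0,2}$")  # last line may be short, padded


def parse_pem_bundle(text: str) -> Dict[str, List[bytes]]:
    """Split a PEM file into DER items keyed by marker label.

    Enforces matching BEGIN/END markers and 64-character Base64 lines, and
    checks that each decoded item starts with an ASN.1 SEQUENCE tag (0x30),
    as X.509 certificates, CRLs and RSA keys all do. Raises ValueError otherwise.
    """
    items: Dict[str, List[bytes]] = {}
    label = None
    body: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise ValueError(f"BEGIN marker inside an open {label} block")
            label, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[len("-----END "):-5]
            if label != end_label:
                raise ValueError(f"END marker {end_label!r} does not match BEGIN {label!r}")
            if not body or any(not BODY_LINE.match(ln) for ln in body[:-1]):
                raise ValueError(f"malformed body line in {label} block")
            if len(body[-1]) > 64 or not LAST_LINE.match(body[-1]):
                raise ValueError(f"malformed last line in {label} block")
            der = base64.b64decode("".join(body), validate=True)
            if not der or der[0] != 0x30:
                raise ValueError(f"{label} block does not decode to an ASN.1 SEQUENCE")
            items.setdefault(label, []).append(der)
            label = None
        elif label is not None:
            body.append(line)
        else:
            raise ValueError(f"text outside any PEM block: {line!r}")
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return items


def to_pem(label: str, der: bytes) -> str:
    """Frame DER bytes with PEM markers, wrapping the Base64 at 64 characters."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample (not real certificates or keys): each item is the DER
# structure SEQUENCE { OCTET STRING of 100 bytes }, long enough to wrap.
FAKE_DER = b"\x30\x66\x04\x64" + bytes(range(100))
SAMPLE_BUNDLE = "".join(to_pem(lbl, FAKE_DER) for lbl in KNOWN_LABELS)
```

A marker with a missing dash, a body line of the wrong length or a block that does not decode to a DER SEQUENCE is rejected before anything is imported.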

Click Next. You will see a summary of the data regarding the import of your file (its name, format and items to import).

Click on Finish.