SSL Certificate (SSL)
After selecting your authentication method in the left column, you can enter its settings in the right column, which contains the following elements:
List of trusted certificate authorities (CA)
The SSL authentication method accepts the use of certificates that have been signed by a certification authority outside the firewall. This certification authority has to be added in the configuration of the firewall so that it accepts all certificates that have been signed by this authority.
If the certification authority itself is signed by another certification authority, it can then be added to the list of trusted CAs in order to create a “Trusted CA chain”.
If a trusted CA or trusted CA chain is specified in the SSL authentication configuration, it is added alongside the firewall's internal CA, which is implicitly taken into account as soon as a valid internal root authority exists on the firewall.
Add: Adding a certification authority to the list of trusted certification authorities allows this authority to be recognized and all certificates signed by it to be validated.
By clicking on Add, then on the icon that appears on the selected line, you will access the CA window (cf. Certificates and PKI).
If the certification authority you wish to trust is not in the list of external certificates, click on Select in the external certificate window to add this certification authority to the list.
Firewalls support multi-level root authorities: the certificate of the user to be authenticated is signed by a certification authority, which is itself signed by a higher authority. You can insert the whole certification chain created by this multi-level root authority.
In order for the chain to be applied correctly, you must insert every link of the chain, from the highest authority you have inserted down to the authority immediately above the user certificate.
Delete: Deletes the selected certification authority.
Certification authority (C.A): This field displays the certificates you wish to trust and which you will use.
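The "every link" requirement above is easy to get wrong when a chain is inserted piecemeal. The following added example (not code from the firewall or its vendor) walks upward from a user certificate through the set of inserted authorities, matching issuer name to subject name only, and reports both the contiguous chain it could build and any inserted authority that is unreachable because an intermediate link is missing. The Cert class and all certificate names are constructed for the illustration; no signature verification is performed, since the point is chain contiguity, not cryptographic validity.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, hypothetical)."""
    subject: str
    issuer: str  # subject name of the authority that signed this certificate


def check_chain(user_cert, trusted_cas):
    """Walk from the user certificate up through the inserted trusted CAs.

    Returns (chain, unreachable):
      chain       - subject names of the authorities reached, starting with the
                    issuer of the user certificate, stopping at a self-signed
                    root or at the first authority whose issuer was not inserted
      unreachable - inserted authorities that the walk never reached, i.e. a
                    link between them and the user certificate is missing
    """
    by_subject = {ca.subject: ca for ca in trusted_cas}
    chain = []
    seen = set()
    current = user_cert
    while True:
        issuer = current.issuer
        if issuer in seen:
            # Guard against malformed input that loops (A signed by B, B by A).
            break
        seen.add(issuer)
        ca = by_subject.get(issuer)
        if ca is None:
            # Issuer not inserted: either the top of what was inserted, or a gap.
            break
        chain.append(ca.subject)
        if ca.issuer == ca.subject:
            # Reached a self-signed root authority.
            break
        current = ca
    unreachable = [ca.subject for ca in trusted_cas if ca.subject not in chain]
    return chain, unreachable


# Constructed three-level hierarchy: Root -> Sub CA 1 -> Sub CA 2 -> user.
ROOT = Cert("Corp Root CA", "Corp Root CA")
SUB1 = Cert("Corp Sub CA 1", "Corp Root CA")
SUB2 = Cert("Corp Sub CA 2", "Corp Sub CA 1")
USER = Cert("alice@example.com", "Corp Sub CA 2")

if __name__ == "__main__":
    print(check_chain(USER, [ROOT, SUB1, SUB2]))  # complete chain, nothing unreachable
    print(check_chain(USER, [ROOT, SUB2]))        # Sub CA 1 missing: root unreachable
    print(check_chain(USER, [ROOT, SUB1]))        # issuer of the user cert missing
```

When the second element of the result is non-empty, the inserted authorities above the gap contribute nothing to authentication until the missing intermediate is inserted as well.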
It is possible to modify the subject field of the certificate that will be used to find the user in the LDAP directory. The LDAP field used for the search can also be modified. By default, the e-mail address is used in both cases. These settings can be configured via the CLI.
You can enable searches in several LDAP directories.
Various criteria can therefore be defined: for a given directory, you can indicate a character string to look for in a specific field in the certificate. This string needs to be defined in the form of a regular expression.
Enable searching in several LDAP directories (SSL authentication): Selecting this checkbox enables searches for users in several LDAP directories and provides access to the search criteria grid.
List of search criteria
Each criterion is defined by a certificate field, a regular expression and an LDAP directory.
You can Add, Delete, or move a criterion Up or Down the list using the relevant buttons. These criteria are assessed according to the order defined in the grid.
Field: This drop-down list makes it possible to select the specific field in the certificate that will be queried with character strings.
Regular expression: Enter the regular expression that defines the character strings to look for in the certificate's field.
Domain or directory: Select the LDAP directory to query in order to authenticate users if the field defined in their certificates contains a string corresponding to the regular expression.
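The grid above is evaluated top to bottom, and the first criterion whose regular expression is found in the named certificate field decides which directory is queried. The following added example (not code from the firewall or its vendor) reproduces that selection logic in Python so the effect of ordering and of loosely written patterns can be seen on sample data. The Criterion class, the field names ("email", "OU"), the directory names and the sample certificate values are all constructed for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One row of the search criteria grid (constructed, hypothetical)."""
    field: str       # certificate field to examine, e.g. "email" or "OU"
    pattern: str     # regular expression to look for in that field
    directory: str   # LDAP directory queried when the pattern is found


def select_directory(cert_fields, criteria):
    """Return the directory of the first criterion, in grid order, whose
    pattern is found in the named certificate field; None when none match.

    cert_fields maps field names to the values read from the user's certificate.
    """
    for crit in criteria:
        value = cert_fields.get(crit.field)
        if value is None:
            continue  # the certificate does not carry this field
        if re.search(crit.pattern, value):
            return crit.directory
    return None


# Constructed grid: anchored patterns, most specific rule first.
CRITERIA = [
    Criterion("email", r"@hq\.example\.com$", "ldap-hq"),
    Criterion("OU", r"^Contractors$", "ldap-partners"),
    Criterion("email", r"@example\.com$", "ldap-main"),
]

# Same intent written without anchors, to show how a loose pattern misroutes.
LOOSE_CRITERIA = [
    Criterion("email", r"example\.com", "ldap-main"),
]

if __name__ == "__main__":
    print(select_directory({"email": "bob@hq.example.com"}, CRITERIA))
    print(select_directory({"email": "carol@example.com", "OU": "Contractors"}, CRITERIA))
    print(select_directory({"email": "dave@example.com"}, CRITERIA))
    print(select_directory({"email": "eve@other.example"}, CRITERIA))
    # A certificate for an unrelated domain that merely contains the substring:
    print(select_directory({"email": "mallory@example.com.other.test"}, LOOSE_CRITERIA))
```

Two points the output makes visible: the contractor certificate is routed to ldap-partners even though its e-mail address would also satisfy the third row, because the second row is assessed first; and the unanchored pattern in LOOSE_CRITERIA sends a certificate issued for a different domain to ldap-main, whereas the anchored grid returns None for it. Since the directory chosen determines where the user is looked up, patterns in this grid should be anchored and ordered deliberately.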