Adding a server identity

A server identity is a certificate together with its private key. It is installed on a web or application server so that the server can authenticate itself to its clients with a certificate that matches its name.

For a website, for example, the certificate binds the site's domain name to the organization that operates it, so a client that checks the certificate can tell that it has reached the intended server and not an impostor using the same name.

Creating a server identity

  1. Click on Add.
  2. Select Server identity.
  3. Enter a Fully Qualified Domain Name (FQDN) (mandatory).
    This field is limited to 64 characters, which is the X.509 limit on the length of a Common Name. E.g.: myserver.mycompany.com.
  4. Enter an ID (optional).
    This is a short alias for the identity's CN, useful when the identity has to be referenced on the command line.
  5. Click on Next.
  6. Select the Parent authority that will sign the certificate for the identity.
  7. Enter the Top CA passphrase, i.e. the passphrase that protects the parent authority's private key; it is needed to sign the new certificate.
    The attributes of the authority (organization, organizational unit, country, etc.) are added automatically to the subject of the server certificate.
  8. Click on Next.
  9. When the firewall has a TPM that has been initialized, select the checkbox Protect this identity with the TPM to protect the identity's private key with the TPM. The private key is then protected by this firewall's TPM and cannot be used outside of this appliance.
  10. Where necessary, change the duration of the certificate's Validity (days).
    The recommended value is 365 days (suggested by default). Do not choose a validity that ends after the parent authority's own certificate expires: once the authority's certificate has expired, clients reject every certificate it signed, whatever the certificate's own validity dates.
  11. The Key size (bits) of the certificate can also be changed.
    Larger keys are stronger, but they take longer to generate and slow down every TLS handshake that uses them; on entry-level appliances, generating a large key can take a long time. Keep the suggested size unless you have a reason to change it, and do not go below 2048 bits for RSA keys.
  12. Click on Next.
  13. If needed, define aliases for the server: the other host names under which clients reach it, each in the form of an FQDN.
    E.g.: alias1.mycompany.com. A client that connects to the server by a name that is not in the certificate rejects the certificate, so list every name that will actually be used.
  14. Click on Next.
    You will be shown a summary of the information you entered.
  15. Click on Finish.

The identity will automatically be added to the tree of authorities, identities and certificates defined on the firewall, under its parent authority.
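The wizard above produces a private key and a certificate whose subject carries the FQDN plus the parent authority's attributes, with the aliases as additional DNS names, signed by the parent authority. The shell script below is an added example, not Stormshield code: it reproduces that result with OpenSSL on an ordinary workstation, using a constructed stand-in authority, passphrase, names and CRL/OCSP URLs, and then runs the checks worth applying to the identity once it is exported and installed on the server, which are the same items the identity's Details and Revocation (CRL) tabs display: chain to the parent authority, name match for the FQDN and each alias, key size, validity, and the revocation pointers.

```shell
#!/bin/sh
# Added example (not Stormshield's code): reproduce with OpenSSL what the
# "Server identity" wizard produces, then check the result the way you would
# check the identity once it is installed on the server.
# The authority, passphrase, names and URLs below are constructed for the example.
set -eu

FQDN="myserver.mycompany.com"                        # step 3: the CN (64-character limit)
ALIASES="alias1.mycompany.com alias2.mycompany.com"  # step 13: extra FQDNs
DAYS=365                                             # step 10: recommended validity
KEYBITS=2048                                         # step 11: key size
CA_PASS="topca-secret"                               # step 7: stand-in for the Top CA passphrase
CRL_URL="http://pki.mycompany.com/topca.crl"         # hypothetical CRL distribution point
OCSP_URL="http://ocsp.mycompany.com"                 # hypothetical OCSP responder
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_identity() {
  # Stand-in for the parent authority (step 6): a passphrase-protected CA key
  # and a self-signed CA certificate with explicit CA extensions.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -subj "/C=FR/O=mycompany/OU=IT/CN=mycompany Top CA" -out "$WORK/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -days 730 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

  # The server key (step 11) and a request whose subject copies the
  # authority's attributes (C, O, OU) and adds the FQDN as CN (step 3).
  openssl genrsa -out "$WORK/server.key" "$KEYBITS" 2>/dev/null
  openssl req -new -key "$WORK/server.key" \
    -subj "/C=FR/O=mycompany/OU=IT/CN=$FQDN" -out "$WORK/server.csr"

  # Aliases become extra DNS names next to the FQDN; the authority's CRL and
  # OCSP URLs are written into the certificate (what the Revocation tab shows).
  san="DNS:$FQDN"
  for a in $ALIASES; do san="$san,DNS:$a"; done
  cat > "$WORK/server.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
subjectAltName=$san
crlDistributionPoints=URI:$CRL_URL
authorityInfoAccess=OCSP;URI:$OCSP_URL
EOF
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days "$DAYS" \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# --- checks to run on the deployed identity (the Details tab fields) ---

# Issuer: the certificate chains to the parent authority.
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }

# Issued for / Aliases: the name a client connects with must be in the certificate.
check_name() {
  openssl x509 -in "$WORK/server.crt" -noout -checkhost "$1" | grep -q ' does match '
}

# Fingerprints: public key size in bits.
key_bits() {
  openssl x509 -in "$WORK/server.crt" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Validity: still valid in 364 days but expired by day 366, i.e. a 365-day certificate.
check_validity() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend $((364 * 86400)) >/dev/null &&
    ! openssl x509 -in "$WORK/server.crt" -noout -checkend $((366 * 86400)) >/dev/null
}

# Revocation (CRL) tab: OCSP responder and CRL distribution point URLs.
ocsp_uri() { openssl x509 -in "$WORK/server.crt" -noout -ocsp_uri; }
crl_uri()  { openssl x509 -in "$WORK/server.crt" -noout -text | grep -o 'URI:[^ ]*\.crl' | sed 's/^URI://'; }

make_identity
openssl x509 -in "$WORK/server.crt" -noout -issuer -serial -fingerprint -sha256 -nameopt RFC2253
printf 'chain ok: %s\nkey bits: %s\n' "$(check_chain && echo yes || echo no)" "$(key_bits)"
for n in $FQDN $ALIASES other.mycompany.com; do
  check_name "$n" && echo "name ok: $n" || echo "name REJECTED: $n"
done
check_validity && echo "validity: $DAYS days"
printf 'ocsp: %s\ncrl: %s\n' "$(ocsp_uri)" "$(crl_uri)"
```

The name check is the one that catches most deployment mistakes: once a certificate carries DNS names, clients match the host name against those names and ignore the CN, so a host name that was not entered as the FQDN or as an alias (other.mycompany.com in the run above) is rejected even though the CN's domain is the same. Run the same checks against the real identity exported from the firewall, substituting the parent authority's certificate for the stand-in CA.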

Displaying identity details

Click once on the identity to display its detailed information on the right side of the screen:

Details tab

Data about the identity is shown in six windows:

  • Its Usage: the modules in which the identity's certificate is used and, if the firewall is equipped with a TPM, whether the identity's private key is protected by the TPM.
  • The duration of its Validity: when its certificate was issued and when it expires.
  • Its recipient (Issued for): details about the server (name, email address, etc.), i.e. the subject of the certificate.
  • Its Issuer: the parent authority that signed the certificate.
  • Its Fingerprints: the certificate's serial number, the key and signature algorithms used, its fingerprints, etc.
  • Its Aliases: the additional FQDNs that may have been added when the identity was created.

Revocation (CRL) tab

  • The URLs of the parent authority's CRL distribution points.
  • The URLs of the OCSP responders, if the parent authority provides OCSP for checking the revocation status of the certificates it has issued.