Adding a smart card identity

Smart card identities are associated with Microsoft Windows accounts, and therefore with a unique user. The user's certificate is signed by a certification authority that provides CRL distribution points (CRLDPs) against which the certificate's validity can be checked, and the certificate is then published in an Active Directory (or an LDAP directory). Since the firewall can check the user's Windows account against an authentication policy and confirm the information in the corresponding certificate, it can allow smart card-connected users to access your organization's network resources.

Creating a smart card identity

  1. Click on Add.
  2. Select Smart card identity.
  3. Enter a CN (mandatory).
    This is a name that will help you identify the user, and is restricted to 64 characters.
  4. Enter an ID (optional).
    Here, you can add a shortcut to your CN, which will be useful for command lines (e.g., if the CN is a first name+last name pair, the identifier may correspond to the initials of the CN).
  5. Enter the E-mail address (mandatory) of the user for whom you are creating an identity.
  6. In the Main user name (Windows) field, enter the name of the user's Active Directory account.
  7. Click on Next.
  8. Select the Parent authority that will sign the certificate.
  9. Enter the Top CA passphrase.
    The attributes of the authority will be added automatically and can be found in the smart card certificate.
  10. Click on Next.
  11. When the firewall has a TPM that has been initialized, select the checkbox Protect this identity with the TPM to protect the identity's private key with the TPM.
  12. Where necessary, change the duration of the certificate's Validity (days).
    The recommended value is 365 days (suggested by default).
  13. The Key size (bits) of the certificate can also be changed.
    Even though larger keys are stronger, you are advised against using them on entry-level appliances, as generating the key will take a long time.
  14. Click on Next.
    You will be shown a summary of the information you entered.
  15. Click on Finish.

Displaying certificate details

Click once on the identity to display its detailed information on the right side of the screen:

“Details” tab

Data about the identity is shown in six windows:

  • Its Usage: the modules in which the identity certificate is used, and any TPM-protected private key of the identity, if the firewall is equipped with a TPM.
  • The duration of its Validity: when its certificate was issued and when it expires.
  • Its recipient (Issued for): details about the user (name, e-mail address, etc.) and the subject of the certificate.
  • Its Issuer: the parent authority.
  • Its Fingerprints: serial number of the certificate, encryption and signature algorithms used, etc.

“Revocation (CRL)” tab

  • The URLs of the parent authority's CRL distribution points.
  • The URLs of OCSP servers if OCSP is used in certificate renewal.

Publishing an identity in the LDAP directory

If a user declared in the LDAP directory has the same e-mail address as the one given in a user certificate, that identity can be associated with the user.

Do note that this can only be done if the authority used to generate the identity is the firewall's default authority.

In this case:

  1. Select the relevant identity by clicking once.
  2. Click on the Actions menu.
  3. Select LDAP publication.
  4. In the pop-up window that appears, enter the password that will protect the PKCS#12 container.
  5. Click on Publish certificate.