Adding a user identity
In the configuration wizard, enter the information relating to the user for whom you are creating an identity.
Creating a user identity
- Click on Add.
- Select User identity.
- Enter a CN (mandatory).
This is a name that will help you identify the user, and is restricted to 64 characters.
- Enter an ID (optional).
Here, you can add a shortcut to your CN, which will be useful for command lines (e.g., if the CN is a first name+last name pair, the identifier may correspond to the initials of the CN).
- Enter the E-mail address (mandatory) of the user for whom you are creating an identity.
- Click on Next.
- Select the Parent authority that will sign the certificate for the identity.
- Enter the Top CA passphrase.
The attributes of the authority will be added automatically and can be found in the user certificate.
- Click on Next.
- When the firewall has a TPM that has been initialized, select the checkbox Protect this identity with the TPM to register this identity on the TPM.
- Where necessary, change the duration of the certificate's Validity (days).
The recommended value is 365 days (suggested by default).
- The Key size (bits) of the certificate can also be changed.
Even though large keys are more effective, you are advised against using them with entry-level appliances as this will mean the key will take a long time to be generated.
If a user that was declared in the LDAP directory indicates the same e-mail address as the one given in step 4, this identity can be automatically associated with the user.
However, this can only be done if the authority used to generate the certificate is the firewall's default authority. In this case:
- Select Publish this identity in the LDAP directory,
- Enter the password that will protect the PKCS#12 container of the identity.
- Click on Next.
You will be shown a summary of the information you entered.
- Click on Finish.
The identity will automatically be added to the tree of authorities, identities and certificates defined on the firewall, under its parent authority.
Displaying identity details
Click once on the identity to display its detailed information on the right side of the screen:
Data about the identity is shown in six windows:
- The duration of its Validity: when its certificate was issued and when it expires,
- Its recipient (Issued for),
- Its Issuer: the parent authority,
- Its Fingerprints: serial number of the certificate, encryption and signature algorithms used, etc.
Revocation (CRL) tab
- The URLs of the parent authority's CRL distribution points,
- The URLs of OCSP servers if OCSP is used in certificate renewal.
If a user that was declared in the LDAP directory indicates the same e-mail address as the one given for a user certificate, this identity can be associated with the user, if you did not already do so while you were creating the identity.
Do note that this can only be done if the authority used to generate this identity is the firewall's default authority.
In this case:
- Select the relevant identity by clicking once,
- Click on the Actions menu.
- Select LDAP publication,
- In the pop-up window that appears, enter the password that will protect the PKCS#12 container of the identity.
- Click on Publish certificate.