Overview
The Clavister NetShield Firewall supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this document to a certificate means an X.509 certificate.A certificate is a digital proof of identity. It links an identity to a public key in order to establish whether a public key truly belongs to the presumed owner. By doing this, it prevents data transfer interception by a malicious third-party who might post a fake key with the name and user ID of an intended recipient.
Certificate Components
A certificate consists of the following:A public key: The "identity" of the user, such as name and user ID.
Digital signatures: A statement that tells the information enclosed in the certificate has been vouched for by a Certificate Authority (CA).
By binding the above information together, a certificate is a public key with identification attached and is coupled with a stamp of approval by a trusted party.
A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by a third party.A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.
Certificate Chains
A CA can also issue certificates to other intermediate authorities which themselves can issue host certificates, such as SSL server certificates. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and this is signed by the Root CA. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. However, the root certificate is signed by itself (it is "self-signed"). Any certificates in the chain between the root certificate and the end certificate are called Intermediate Certificates and are often packaged in a certificate chain file provided by intermediate issuing authorities.A Certification Path refers to the path of certificates from one certificate to another. When verifying the validity of a user certificate, the entire path from the user certificate up to the trusted CA root certificate has to be examined before establishing the validity of the host certificate.
The maximum length of a certificate chain is 7 for cOS Stream. In VPN scenarios with roaming clients, the client's certificate will be the bottom of a certificate chain.
A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.![]() |
Important: Set the system date and time correctly |
---|---|
Make sure the system date and time in the firewall are set correctly when using certificates. Using NTP servers is the recommended method of doing this. |
Trusting Certificates
When using certificates, cOS Stream can trust any party whose certificate is signed by a given CA, either directly or via a chain. Before a certificate is accepted, the following steps are taken to verify its validity:Construct a certification path up to the trusted root CA.
Verify the signatures of all certificates in the certification path.
Fetch the CRL for each certificate to verify that none of the certificates have been revoked.
The upload process will usually consist of a CA Root Certificate and Host Certificate upload plus any intermediate chain certificate files that will be required. The CA root certificate consists of a single certificate file. The host certificate has 2 parts added: a certificate file and a private key file. The files can be in either ASCII PEM format or binary DEM format. Using SCP is described further in Section 2.1.6, Secure Copy.
Self-signed certificates can also be used instead of CA signed certificates.
Creating Certificate Objects and Using Certificate Stores
Once certificate files are uploaded using SCP, Certificate configuration objects have to be created which are associated with these files. When a Certificate object is created, it is added as a child to a CertificateStore object.By default, there is always a single CertificateStore called ipsec and this is the store that must be used for certificates used with IPsec tunnels. However, any number of other named CertificateStore objects can be created so that all the certificates for a particular purpose can be kept together in a single store.
Whenever a reference is made to a Certificate object in the firewall configuration, the reference must be qualified by the name of its parent CertificateStore object. For example, the reference to the Certificate object called my_ca_cert which is located in the store called ipsec would be ipsec/my_ca_cert.
An Example of Certificate Store and Certificate Object Creation
Assume that a CA root certificate file has the filename ca_cert.cer and the host certificate files have the filenames host_cert.cer and host_cert.key. Also assume that in this example there is also a certificate chain file called chain.cer because the host certificate has been issued by an intermediate authority and not a CA.First, the individual files are uploaded to the firewall using SCP. A typical SCP console command on an external management computer might look like the following:
> scp ca_cert.cer admin@192.168.3.1:
Next, in the firewall configuration, create a CertificateStore for the certificates:
System:/>
add CertificateStore mycerts
Change the CLI context to be the store:
System:/>
cc CertificateStore mycertsSystem:/CertificateStore/mycerts>
Then add the Certificate objects as children of the store. The first object is the CA certificate which has its Type property set to Remote:
System:/CertificateStore/mycerts>
add Certificate my_ca_cert
Type=Remote
CertificateData=file://ca_cert.cer
The second object is the host certificate which has its Type property set to Local:
System:/CertificateStore/mycerts>
add Certificate my_host_cert
Type=Local
CertificateData=file://host_cert.cer
PrivateKey=file://host_cert.key
The third object is the certificate chain which has its Type property set to Remote:
System:/CertificateStore/mycerts>
add Certificate my_chain
Type=Remote
CertificateData=file://chain.cer
Finally, change the CLI context back to the default:
System:/CertificateStore/mycerts>
ccSystem:/>
Any reference to these new Certificate objects in the configuration must now be qualified with the name of the CertificateStore that contains them. For example, the CA root certificate would be referenced as mycerts/my_ca_cert. Note that for use with IPsec tunnels, certificates must be placed in the predefined CertificateStore called ipsec. The ipsec store does not need to be created.
Deleting Certificate Stores
Like other object types, deleting a certificate store cannot be done without deleting all the children first. However, this behavior can be changed by using the delete command with the -force option, in which case any children will be deleted with the parent.Certificates Can be Reused
Certificates are global objects that can be reused between, for example, VPN tunnels. Even though a certificate is associated with one VPN tunnel in cOS Stream, it can still be reused with any number of other, different VPN tunnels. The private key of a certificate can be encrypted and access to the key will then require a password. This means that software that uses the certificate will require the password to be entered before the private key can be accessed. Currently, cOS Stream does not provide the ability to allow an encrypted private key to be used.Manually Creating Windows CA Server Requests
To request certificates from a CA server or CA company, the best method is to send a CA Certificate Request which is a file that contains a request for a certificate in a well known, predefined format.It is possible to manually create the required files for a Windows CA server using the following procedure:
Create a host certificate on the Windows CA server and export it as a file in the .pfx format.
Convert the .pfx file into the .pem format.
Take out the relevant parts of the .pem file to form the required .cer and .key files.
The detailed steps for the above procedure are as follows:
Create the host certificate on the Windows CA server and export it to a .pfx file on the local management workstation disk.
Now, convert the local .pfx file to a .pem file. This can be done with the OpenSSL utility using the CLI command line:
> openssl pkcs12 -in host.pfx -out host.pem -nodes
In this command line example, the file exported from the CA server is assumed to be called host.pfx and it is assumed to be in the same local directory as the OpenSSL executable.
The original host.pfx file contained 3 certificates: CA root certificate, a personal certificate and a private key certificate. The host.pem file now contains these in a format which can be cut and pasted with a text editor.
![]() |
Note |
---|---|
OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility. |
Create two blank text files with a text editor, such as Windows Notepad. Give the files the same filename but use the extension .cer for one and .key for the other. For example, host.cer and host.key might be the names.
Start a text editor and open the downloaded .pem file and locate the line that begins:
-----BEGIN RSA PRIVATE KEY-----
Mark and copy into the system clipboard that line and everything under it, up to and including the line:
-----END RSA PRIVATE KEY-----
Now paste the copied text into the .key file and save it.
Back in the .pem file, locate the line that begins:
-----BEGIN CERTIFICATE-----
and copy into the system clipboard that line and everything under it, up to and including:
-----END CERTIFICATE-----
Now paste this copied text into the .cer file and save it.
The saved .key and .cer files are now ready for upload.