119
SonicOS 5.8.1 Administrator Guide
Chapter 9: Managing Certificates
System > Certificates
To use certificates for VPN policies, you must first obtain a valid CA certificate from a
third-party CA service. You import that CA certificate into the SonicWALL security appliance on
the System > Certificates page. Once the CA certificate is imported, the appliance uses it to
validate your Local Certificates.
This chapter contains the following sections:
• “Digital Certificates Overview” section on page 119
• “Certificates and Certificate Requests” section on page 120
• “Certificate Details” section on page 121
• “Importing Certificates” section on page 121
• “Deleting a Certificate” section on page 123
• “Generating a Certificate Signing Request” section on page 123
• “Configuring Simple Certificate Enrollment Protocol” section on page 125
Digital Certificates Overview
A digital certificate is an electronic means of verifying identity through a trusted third party
known as a Certificate Authority (CA). The X.509 v3 certificate standard specifies the format of
cryptographic certificates and allows you to define extensions that you can include in your
certificate. SonicWALL implements this standard in its third-party certificate support.
You can use a certificate signed and verified by a third-party CA with an IKE (Internet Key
Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital
certificates to authenticate peer devices before setting up security associations (SAs). Without
digital certificates, VPN users must authenticate by manually exchanging shared secrets or
symmetric keys. Devices or clients using digital signatures do not require configuration changes
every time a new device or client is added to the network.
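The check the guide describes, importing a third-party CA certificate so it can validate a local certificate, and the IKE use case above can be reproduced outside the appliance with the openssl command-line tool. The script below is an added example, not from the SonicOS guide or SonicWALL: it builds a throwaway CA, signs a local certificate with it, and shows that the local certificate validates against the intended CA but not against an unrelated one. All file names and common names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the SonicOS guide: build a throwaway third-party CA
# and a local certificate it signs, then validate the local certificate against
# the CA certificate, the same check the appliance makes once the CA certificate
# is imported. Needs the openssl CLI; every name and CN below is constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA certificate and key. $1 = CA common name, $2 = file basename.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Local (VPN peer) certificate: key and CSR, then a signature from the CA in $2.
make_local_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/local.key" -out "$WORK/local.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/local.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -sha256 -out "$WORK/local.crt" 2>/dev/null
}

# Validate certificate $2 against CA certificate $1: returns 0 only when the
# signature chains to that CA (openssl also checks validity dates and CA flags).
verify_against_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok: $(basename "$2") chains to $(basename "$1")"
  else
    echo "fail: $(basename "$2") does not chain to $(basename "$1")"; return 1
  fi
}

# Print data-section fields from the certificate: subject DN, issuer DN,
# serial number and validity dates.
show_data_section() {
  openssl x509 -in "$1" -noout -subject -issuer -serial -dates
}

# Stand-alone run: the intended CA validates the local certificate, an
# unrelated CA does not.
make_ca "Example Third-Party CA" ca
make_ca "Unrelated CA" other
make_local_cert "vpn-peer.example.net" ca
show_data_section "$WORK/local.crt"
verify_against_ca "$WORK/ca.crt" "$WORK/local.crt"
verify_against_ca "$WORK/other.crt" "$WORK/local.crt" || echo "(expected: wrong CA rejected)"
```

The negative case matters in practice: a local certificate only validates against the CA that actually signed it, so importing the wrong CA certificate leaves the VPN policy unable to authenticate peers.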
A typical certificate consists of two sections: a data section and a signature section. The data
section typically contains information such as the version of X.509 supported by the certificate,
a certificate serial number, information about the user’s public key, the Distinguished Name