2.7.5. Certificate Authorities Administrative Web Page

You need to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the VPN configuration stage.

Create and manage X.509 Certificates on this web page.

2.7.5.1. Generating Root and Host Certificates

Figure 2.76. Certificate Authorities window: Initial View

To create the IPCop's Root and Host certificates, click on the Generate Root/Host Certificates button.

This opens another screen, shown below, where you need to enter details for the certificates. The fields Organization Name, IPCop's Hostname and Country are mandatory (where IPCop's Hostname is usually already populated with the hostname or IP address of the Red Interface).

Once you have entered all the information, click the Generate Root/Host Certificates button again to generate both X.509 root and host certificates.

Figure 2.77. Generate Root/Host Certificates window

Organization Name - The organization name you want used in the certificate. For example, if your VPN is tying together schools in a school district, you may want to use something like Some School District.

IPCop's Hostname - This should be the fully qualified domain name of your IPCop's WAN connection. If you have a fixed IP address you can enter that here instead. If you are using a dynamic DNS service, use the dynamic DNS name.

Your E-mail Address - optional.  Your E-mail address, so that folks can get hold of you.

The next three fields: department, city, and state or province are optional. You can leave them out if you wish.

Your Department - optional.  This is the department or suborganization name. Continuing the school district example, this could be My Elementary School.

City - optional.  The city or mailing address for your machine.

State or Province - optional.  The state or province associated with the mailing address.

Country - This pull-down selection menu contains every ISO recognized country name. Use it to select the country associated with the certificate.

Subject Alt Name - optional.  The subject alternative name extension allows additional identities to be bound to the subject of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a uniform resource identifier (URI).

The SubjectAltName extension is defined in RFC 3280, section 4.2.1.7.

After completing the form, click on the Generate Root/Host Certificates button to generate the certificates.

If desired, you can generate several root and host certificates on a single IPCop, and then export them to PKCS12 format files, each encrypted with a password. You can then email them as attachments to your other sites.

Using the Upload PKCS12 file section of this web page, you can upload and decrypt the certificates on a local IPCop machine.
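The steps above, reproduced with the openssl command line as an added example (not IPCop's own code): a self-signed root CA, a host certificate with the hostname as SubjectAltName, export as a password-protected PKCS12 file, and the checks a receiving site should run on such a file before uploading it. It assumes openssl is installed; the organization, hostname, password and paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not IPCop's own code. Mirrors the Generate Root/Host
# Certificates form and the PKCS12 export with the openssl CLI.
# Assumes openssl is installed; names, password and paths are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/ipcop-ca-example"
ORG="Some School District"          # Organization Name field
HOST="ipcop.example.invalid"        # IPCop's Hostname field (Red interface FQDN)
COUNTRY="US"                        # Country field
EXPORT_PASS="example-export-pass"   # password that encrypts the PKCS12 file

make_ca_and_host_cert() {
    mkdir -p "$WORK"
    # Root CA: self-signed; its private key never leaves this machine.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/C=$COUNTRY/O=$ORG/CN=$ORG Root CA" >/dev/null 2>&1
    # Host certificate request; the subject CN is the IPCop hostname.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" \
        -subj "/C=$COUNTRY/O=$ORG/CN=$HOST" >/dev/null 2>&1
    # Sign it with the root CA, adding the hostname as a DNS SubjectAltName
    # (RFC 3280 section 4.2.1.7) through an extension file.
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/host.ext"
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 825 \
        -extfile "$WORK/host.ext" -out "$WORK/host.pem" >/dev/null 2>&1
    # Bundle host cert, host key and root CA into an encrypted PKCS12 file,
    # the form in which the certificates are sent to other sites.
    openssl pkcs12 -export -in "$WORK/host.pem" -inkey "$WORK/host.key" \
        -certfile "$WORK/ca.pem" -name "$HOST" \
        -passout "pass:$EXPORT_PASS" -out "$WORK/host.p12"
}

# Checks a received PKCS12 file before it is uploaded: it opens with the
# password, the host certificate chains to the bundled root CA, and the
# SubjectAltName carries the expected hostname. Returns 0 when all hold.
verify_pkcs12() {
    openssl pkcs12 -in "$WORK/host.p12" -passin "pass:$EXPORT_PASS" -nokeys \
        -clcerts -out "$WORK/p12_host.pem" >/dev/null 2>&1
    openssl pkcs12 -in "$WORK/host.p12" -passin "pass:$EXPORT_PASS" -nokeys \
        -cacerts -out "$WORK/p12_ca.pem" >/dev/null 2>&1
    openssl verify -CAfile "$WORK/p12_ca.pem" "$WORK/p12_host.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/p12_host.pem" -noout -text | grep -q "DNS:$HOST"
}
```

Run `make_ca_and_host_cert && verify_pkcs12` to produce and check the bundle; a wrong password on the `openssl pkcs12 -in` step fails, which is the property the page relies on when the file travels by email.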

Figure 2.78. Certificate Authorities window: with Certificates

To upload a CA from a remote machine, give it a name in the CA Name field. The name can be anything, but make it something meaningful: if the remote IPCop is CompanyGateway, then name the CA Company and the connection CompanyNet (for a Net-to-Net connection).

To view, download or delete a Certificate, click on the appropriate icon in the Action column.

Press the Remove all CA and certs button to remove the root CA, the host certificate and all certificate based connections.