Virtual Private Networking
142
To extract the local private key certificate, enter the following at the Windows
command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
... where pkcs12_file is the PKCS#12 file issued by the CA and local_private_key.pem
is the local private key certificate to be uploaded into the CyberGuard SG appliance.
The application will prompt you to Enter Import Password. Enter the password used to
create the certificate; if none was used, simply press Enter. The application will then
prompt you to Enter PEM pass phrase, which is the pass phrase used to secure the
private key file. Choose a secure pass phrase that is greater than 4 characters long;
this same pass phrase must be entered when uploading the private key certificate into
the CyberGuard SG appliance. The application will then prompt you to verify the pass
phrase. Simply type it in again.
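The extraction described above, wrapped in a shell function as an added example (this is not code from the CyberGuard manual), with two checks worth running before the key is uploaded: that the output file really is an encrypted PEM key rather than a plaintext one, and that the key belongs to the certificate it was issued with. The openssl pkcs12 command line is the manual's; the function names, the use of -passin/-passout instead of interactive prompts, the key/certificate comparison and the use of a Unix shell rather than the Windows prompt are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CyberGuard manual): runs the manual's
# "openssl pkcs12 -nomacver -nocerts" extraction non-interactively and checks
# the result before it is uploaded to the appliance.
#
# extract_local_key <pkcs12_file> <out_pem> <import_password> <pem_pass_phrase>
extract_local_key() {
    p12="$1"; out="$2"; import_pw="$3"; pem_pw="$4"

    # The manual asks for a PEM pass phrase longer than 4 characters.
    if [ "${#pem_pw}" -le 4 ]; then
        echo "PEM pass phrase must be longer than 4 characters" >&2
        return 1
    fi

    # Same command as the manual. Passwords are passed through environment
    # variables so they do not show up in the process list, and umask 077
    # keeps the key file readable by the current user only. Note that
    # -nomacver skips the PKCS#12 integrity (MAC) check, so the file's origin
    # has to be trusted by other means.
    ( umask 077 && P12_PW="$import_pw" PEM_PW="$pem_pw" \
      openssl pkcs12 -nomacver -nocerts -in "$p12" -out "$out" \
          -passin env:P12_PW -passout env:PEM_PW ) || return 1

    # The file to be uploaded must be an encrypted PEM key, never plaintext.
    if ! grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$out"; then
        echo "$out is not an encrypted PEM key; removing it" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}

# key_matches_cert <encrypted_key_pem> <cert_pem> <pem_pass_phrase>
# Confirms the extracted key belongs to the certificate by comparing the
# public key carried in each; a mismatch means the tunnel will never come up.
key_matches_cert() {
    key="$1"; cert="$2"; pem_pw="$3"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(PEM_PW="$pem_pw" openssl pkey -in "$key" -passin env:PEM_PW -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Usage: `extract_local_key issued.p12 local_private_key.pem "$IMPORT_PW" "$PEM_PW" && key_matches_cert local_private_key.pem local_cert.pem "$PEM_PW"`, where local_cert.pem is the certificate extracted from the same PKCS#12 file. Passing the pass phrases through the environment rather than as command arguments is deliberate: arguments are visible to every user on the host through the process list.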
The CyberGuard SG appliance also supports Certificate Revocation List (CRL) files. A
CRL is a list of certificates that have been revoked by the CA before they expired. This
may be necessary if the private key certificate has been compromised or if the holder of
the certificate is to be denied the ability to establish a tunnel to the CyberGuard SG
appliance.
Creating certificates
The first step is to create a Certificate Authority (CA).
1. Create the CA directory:
mkdir rootCA
2. Create the serial number for the first certificate:
echo 01 > rootCA/serial
3. Create an empty CA database file:
Linux:
touch rootCA/index.txt
Windows:
type nul > rootCA/index.txt
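Steps 1 to 3 as a single shell function, added here as an example that is not part of the CyberGuard manual. Beyond the manual's commands it adds one guard a practitioner would want: it refuses to run on a directory that already holds a CA database, because overwriting serial or index.txt discards the record of every certificate the CA has issued, which is also the data a CRL is generated from. The function names and the restrictive directory permissions are assumptions of this example; the directory layout (rootCA, serial, index.txt) is the manual's.

```shell
#!/bin/sh
# Added example (not from the CyberGuard manual): performs steps 1-3 of the
# CA setup as one function, refusing to clobber an existing CA database.
#
# init_ca_dir <directory>   (the manual uses rootCA)
init_ca_dir() {
    dir="$1"
    if [ -e "$dir/serial" ] || [ -e "$dir/index.txt" ]; then
        echo "$dir already contains a CA database; refusing to overwrite it" >&2
        return 1
    fi
    # Step 1: the CA directory. It will later hold the CA's private key, so
    # create it readable by the current user only (assumption of this example).
    ( umask 077 && mkdir -p "$dir" ) || return 1
    # Step 2: serial number of the first certificate to be issued.
    echo 01 > "$dir/serial"
    # Step 3: empty CA database (the Linux "touch" form from the manual).
    touch "$dir/index.txt"
}

# ca_dir_ready <directory>: true when the directory is in the state the
# manual's steps 1-3 leave it in (serial is 01 and the database is empty).
ca_dir_ready() {
    [ -d "$1" ] && [ "$(cat "$1/serial" 2>/dev/null)" = "01" ] \
        && [ -f "$1/index.txt" ] && [ ! -s "$1/index.txt" ]
}
```

Usage: `init_ca_dir rootCA && ca_dir_ready rootCA`. A second `init_ca_dir rootCA` fails with a message instead of resetting the serial number, so a CA that has already issued certificates cannot accidentally start reusing serial numbers.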