User manual

Virtual Private Networking
When the application prompts you to Enter Import Password, enter the password used
to create the certificate. If none was used, simply press Enter.
To extract the local private key certificate, enter the following at the Windows
command prompt:
openssl pkcs12 -nomacver -nocerts -in pkcs12_file -out local_private_key.pem
where pkcs12_file is the PKCS12 file issued by the CA and local_private_key.pem is
the local private key certificate to be uploaded into the SG unit.
When the application prompts you to Enter Import Password, enter the password used
to create the certificate. If none was used, simply press Enter. When the application
prompts you to Enter PEM pass phrase, choose a secure pass phrase that is longer
than 4 characters. This is the pass phrase used to secure the private key file, and is
the same pass phrase you enter when uploading the private key certificate into the SG
unit. Verify the pass phrase by typing it in again.
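The following is an added example, not part of the original manual: a check that the extracted private key belongs to the certificate in the same PKCS12 file before both are uploaded. It is written as a POSIX shell script and assumes the prompts are answered with -passin/-passout, that the certificate is extracted with -clcerts -nokeys, and that all file names and passwords are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the manual): check that an extracted private key
# matches the certificate from the same PKCS12 file before uploading both.

# extract_key P12 IMPORT_PW OUT PEM_PW: the manual's command, with the two
# prompts answered through -passin/-passout so it can run unattended.
# Note: -nomacver skips the integrity (MAC) check of the PKCS12 file.
extract_key() {
    openssl pkcs12 -nomacver -nocerts -in "$1" -passin "pass:$2" \
        -out "$3" -passout "pass:$4" 2>/dev/null
}

# extract_cert P12 IMPORT_PW OUT: local certificate only, no keys (assumed).
extract_cert() {
    openssl pkcs12 -nomacver -clcerts -nokeys -in "$1" -passin "pass:$2" \
        -out "$3" 2>/dev/null
}

# key_matches_cert KEY PEM_PW CERT: succeeds only if both files carry the
# same public key. An unreadable file or wrong pass phrase counts as failure.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# make_sample_p12 DIR NAME: constructed throwaway key, self-signed
# certificate and PKCS12 file (import password "import-pw") for the demo.
make_sample_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -out "$1/$2.p12" -passout pass:import-pw 2>/dev/null
}

# demo: prints "match" then "mismatch" when the check behaves as intended.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_p12 "$d" site-a && make_sample_p12 "$d" site-b || return 1
    extract_key  "$d/site-a.p12" import-pw "$d/a_key.pem" pem-pass-phrase
    extract_cert "$d/site-a.p12" import-pw "$d/a_cert.pem"
    extract_cert "$d/site-b.p12" import-pw "$d/b_cert.pem"
    key_matches_cert "$d/a_key.pem" pem-pass-phrase "$d/a_cert.pem" && echo match
    key_matches_cert "$d/a_key.pem" pem-pass-phrase "$d/b_cert.pem" || echo mismatch
    rm -rf "$d"
}
demo
```

The same openssl invocations can be typed at the Windows command prompt; only the surrounding shell functions are specific to sh.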
The SG unit also supports Certificate Revocation List (CRL) files. A CRL is a list of
certificates that have been revoked by the CA before they have expired. This may be
necessary if the private key certificate has been compromised or if the holder of the
certificate is to be denied the ability to establish a tunnel to the SG unit.
Creating certificates
There are two steps to create self-signed certificates. First, create a single CA certificate;
second, create one or more local certificate pairs and sign them with the CA certificate.
Create a CA certificate
Create the CA directory:
mkdir rootCA
Create the serial number for the first certificate:
echo 01 > rootCA/serial
Create an empty CA database file under Windows:
type nul > rootCA/index.txt