SSL security

Password-Protected Private Keys

Private keys that are generated with the Certificate Signing Request are stored in an encrypted and password-protected format on the Access Gateway. When creating the Certificate Signing Request, you are asked to provide a password for the private key. The password is used to protect the private key from tampering and it is also required when restoring a saved configuration to the Access Gateway. Passwords are used whether the private key is encrypted or unencrypted. When you upgrade to Version 4.5 and save the configuration file, it cannot be used on earlier versions of the Access Gateway. If you attempt to upload the Version 4.5 configuration file to an earlier version, the Access Gateway becomes inoperable.

You can also import password-protected certificate and private key pairs in the PKCS#12 format. This allows encrypted and password-protected private keys and certificates created on the Access Gateway to be imported.
Caution: If you save the configuration on Version 4.5 of the Access Gateway, do not install it on an earlier version of the appliance. Because the private key is encrypted in Version 4.5, older versions cannot decrypt it and the appliance becomes inoperable.


Creating a Certificate Signing Request

The CSR is generated using the Certificate Request Generator in the Administration Tool.

    1. Click the Access Gateway Cluster tab and open the window for the appliance.

    2. On the Certificate Signing Request tab, type the required information in the fields and then click Generate Request.
    Note: In the Access Gateway FQDN field, type the same FQDN that is on the General Networking tab. In Password, type the password for the private key.

    3. A .csr file is created. Save the certificate request on the local computer.

    4. Email the certificate request to Digi-Sign or paste it into the online enrolment form. Digi-Sign returns a signed certificate to you by email. When you receive the signed certificate, install it on the Access Gateway.

Note: When you save the Access Gateway configuration, any certificates that are already installed are included in the backup.

After you create the certificate request and send it to the Certificate Authority (Digi-Sign), refrain from performing the following tasks on the Access Gateway until you receive the signed certificate back and install it on the appliance:

    - Generating another Certificate Signing Request

    - Uploading a saved configuration file

    - Publishing configuration settings from another appliance in the cluster
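
The following is an added example, not part of the vendor documentation: it uses the openssl command line on the local computer where the .csr file was saved to check that the request carries the expected FQDN and that the signed certificate contains the same public key as that request. A mismatch is what results when a certificate is paired with a different request than the one that was sent. The function names, file names and gateway.example.com are assumptions, and the demo files are constructed, with a self-signed certificate standing in for the CA's reply.

```shell
#!/bin/sh
# Added example: pre-install checks on a saved CSR and the returned certificate.

# Print the PEM public key of a CSR ($1 = req) or certificate ($1 = x509).
pubkey_of() {
    openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# Succeed only if the certificate ($2) carries the same public key as the CSR ($1).
# Unreadable or missing files count as a mismatch, never as a match.
csr_matches_cert() {
    csr_key=$(pubkey_of req "$1") || return 1
    crt_key=$(pubkey_of x509 "$2") || return 1
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# Succeed only if the CSR ($1) has exactly the expected FQDN ($2) as its CN.
csr_has_fqdn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | grep -Fxq "CN=$2"
}

# Build constructed demo files in directory $1: a first request, a certificate
# issued for it (self-signed here), and a second request with a new key pair.
make_demo() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gateway.example.com" \
        -keyout "$1/first.key" -out "$1/first.csr" 2>/dev/null
    openssl x509 -req -in "$1/first.csr" -signkey "$1/first.key" -days 1 \
        -out "$1/signed.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gateway.example.com" \
        -keyout "$1/second.key" -out "$1/second.csr" 2>/dev/null
}

demo=$(mktemp -d) && make_demo "$demo"
csr_has_fqdn "$demo/first.csr" gateway.example.com && echo "first.csr: FQDN ok"
csr_matches_cert "$demo/first.csr" "$demo/signed.pem" && echo "first.csr: key matches"
csr_matches_cert "$demo/second.csr" "$demo/signed.pem" || echo "second.csr: key MISMATCH"
rm -rf "$demo"
```

With real files, call csr_has_fqdn and csr_matches_cert on the saved .csr and the certificate received by email before installing it.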