
How to create X.509 certificates


Introduction

This guide will take you through a four-step creation procedure, in which two Safepipes are configured to use X.509 certificates for authentication. One Safepipe, referred to as Safepipe 1, will become the Certificate Authority (CA), and the other, referred to as Safepipe 2, an X.509 client.

The procedure will result in the following certificates on the two Safepipes:

  

  • Safepipe 1 (CA)

  • Safepipe 2 (X.509 client)

The Safepipe that is acting as the CA generates an authority certificate, which must be distributed to and installed on any other Safepipe on the network using X.509 certificates. Each of those Safepipes generates a unique local certificate which must be signed by the CA. The Safepipe that is acting as the CA must also have its local certificate signed by the CA.


Security considerations

  • Consider the physical location and connection of the two Safepipes during the configuration.

    Obviously, the most secure solution is to establish a temporary, isolated LAN with only the two Safepipes and the administrator's workstation connected. It is, however, also possible to exchange certificates in a secure way between a local and a remote Safepipe. In that case, the security level is determined by your decision on the following issue:

  • Consider a way to transfer the certificates between the two Safepipes.

    You can choose to have two browser windows open simultaneously - one for each Safepipe management interface - and then copy and paste the certificates between the two interfaces. As Safepipe's management interface uses HTTPS, up to 128-bit encryption is supported in the SSL connection. The procedure described in this guide is based on this solution.

    Alternatively, you can choose to transfer the certificates in plain text, using a text editor like Notepad and distributing the certificates on a floppy disk. This is a somewhat complex and time-consuming process, and there might be security issues regarding the floppy disk. If you choose to transfer certificates in plain text, proceed to the alternative guide How to create X.509 certificates (transferred in plain text).

    Warning: Transferring the certificates via e-mail is not recommended!
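
The certificate layout from the Introduction and a check for the copy-and-paste transfer, as an added example that is not part of the Eicon guide and not Safepipe's own procedure. It uses the openssl command-line tool; the file names, subject names and the use of signing requests are assumptions.

```shell
#!/bin/sh
# Added example, not Eicon's procedure: file names, subjects and the use of
# signing requests (CSRs) are assumptions. Requires the openssl CLI.

# build_pki DIR: authority certificate plus one CA-signed local certificate
# for each Safepipe, the CA's own box (safepipe1) included.
build_pki() {
    dir=$1
    # Self-signed authority certificate, created on the Safepipe acting as CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Safepipe CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    serial=1
    for name in safepipe1 safepipe2; do
        # The private key stays on the box; only the request goes to the CA.
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" \
            -CAkey "$dir/ca.key" -set_serial "$serial" -days 30 \
            -out "$dir/$name.pem" 2>/dev/null || return 1
        serial=$((serial + 1))
    done
}

# fingerprint FILE: SHA-256 fingerprint; empty output if FILE is not a
# parseable certificate (for example a paste that lost lines).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# check_transfer SENT RECEIVED CA: succeeds only if RECEIVED parses, has the
# same fingerprint as SENT, and chains to the authority certificate CA.
check_transfer() {
    [ -n "$(fingerprint "$2")" ] || return 1
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1
}

# Demo on constructed data: an intact copy passes, a truncated paste fails.
demo=$(mktemp -d) && build_pki "$demo"
cp "$demo/safepipe2.pem" "$demo/pasted.pem"
check_transfer "$demo/safepipe2.pem" "$demo/pasted.pem" "$demo/ca.pem" && echo "intact copy: accepted"
head -n 5 "$demo/safepipe2.pem" > "$demo/cut.pem"
check_transfer "$demo/safepipe2.pem" "$demo/cut.pem" "$demo/ca.pem" || echo "truncated paste: rejected"
rm -rf "$demo"
```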


Prerequisites

  • Both Safepipes must be installed.

  • You must be able to access the browser-based management interface of the local as well as the remote Safepipe.

  • You must have decided which Safepipe is to be designated as Certificate Authority (CA).


 
© 2001 Eicon Networks