Alex_Wu
Contributor

install a Certificate for IPSec VPN

Hi All,

 

Is it possible to install a public certificate for IPSec VPN without creating a TrustCA or CSR?

Suppose that I already have a public certificate vpn.domain.com, I just want to install it...

 

[Attached image: 1.png]

9 Replies
MartinTzvetanov
Collaborator

Yes, use Add to import it.
Alex_Wu
Contributor

Finally, you have to generate a CSR if you import it...

I now have a certificate; I just want to replace the default certificate.

 

Yuber_Sierra_av
Participant

Hello,

I'm wondering the same as @Alex_Wu. In my case I'm replacing an old Cluster with new gateway models, so I need to import the IPSec VPN Certificate which resides in the SMS, but there is no such option to Import the certificate to the new Cluster. If you click "Add" it takes you to generate the CSR, but I already have the signed certificate, you need to import it.

Thank you.

Yuber_Sierra_av
Participant

Hello,

I'm wondering the same as @Alex_Wu. In my case I'm replacing an old Cluster with new gateway models, so I need to import the IPSec VPN Certificate which resides in the SMS, but there is no such option to Import the certificate to the new Cluster. If you click "Add" it takes you to generate the CSR, but I already have the signed certificate, I just need to import it. Is there a way to do this?

Thank you.

MartinTzvetanov
Collaborator

If you are about to replace the cluster members in an existing cluster, you will only remove the old device from the cluster and initiate SIC with the new member; the policy for the cluster stays the same and the same certificate will be installed on the new device. If you create a new cluster with the new devices, you must have the certificate to import it to the new cluster.

Yuber_Sierra_av
Participant

I have a new Cluster because the new models (6600) and the old models (4800) are different in hardware and software, also 

Indeed I have the certificate, which I can export from the SMS, but there is no such option to Import the certificate to the new Cluster. If you click "Add" it takes you to generate the CSR, but I already have the signed certificate.

PhoneBoy
Admin

If both the old and new gateways are managed by the same management, there is no need to do this as new certificates will be generated and automatically trusted.
Any third party will validate the certificate is valid through the certificate authority.
So I’m not sure why this is necessary.

Yuber_Sierra_av
Participant

Hello and thank you for your support.

Yes, both are managed by the same management, but the certificate is from an external CA (Digicert). Let me show you some images for better explanation:

This is the current Cluster which I need to replace; it has the certificate signed by Digicert CA.

[Screenshot: current_.png]

Now, this is the new Cluster which I'm preparing for migration, so I need to ensure it has the same certificate as the current Cluster. I know I can export the certificate from the SMS with the export_p12 command, but there is no option to import such a certificate in the Cluster properties:

[Screenshot: new_.png]

If I click "Add" this takes me to generate the CSR, but this process was done in the past when creating the certificate for the current cluster.

[Screenshot: csr.png]

So, my question is whether there is a method to import the certificate directly, or whether I need to do the signing process again.

 

Thank you in advance for your help.

PhoneBoy
Admin

Thanks for the screenshots, this helps a lot.
In this case, you must generate a new certificate via a Certificate Signing Request as we do not support importing private keys for VPN usage.
I suspect we don't allow this to maintain the security of the private key.
