X. 509 Certificates - PowerPoint PPT Presentation

Slides: 9
Provided by: tomko

Transcript and Presenter's Notes



1
X. 509 Certificates
  • By Darren Critchley

2
What are X.509 Certificates?
  • They are a method for authenticating an end user
    of a VPN
  • They can be used for other things, but we will
    focus on VPN usage
  • They are very similar to the SSL Certificates
    generated for websites
  • They are generated on the NetSentron and Signed
    by the NetSentron
  • The PREFERRED method of connecting VPNs, much
    more secure
  • Works for Net to Net and RoadWarrior

3
Configure NetSentron to be a Certificate Authority
  • Go to VPN page (We will assume that the VPN setup
    is already configured)
  • Click on Generate Root/Host Certificates
  • Enter an Organization Name
  • Enter the NetSentron's hostname; it is
    recommended to put in a fully qualified domain
    name here (Hostname.Domainname.com)
  • The next four items are optional, but we
    recommend at least putting in a City and Province
  • Select your Country
  • Click Generate Root/Host Certificates (may take
    time on slower machines)
  • You should now be back at the VPN page and there
    should be Certificates showing in the Certificate
    Authorities section.

4
Create a new VPN Connection for x509 Roadwarrior
  • Follow the directions from the previous section
    for XP RoadWarrior, but do not choose Pre-Shared
    Key
  • Select Generate a certificate
  • Enter a user name or hostname; this identifies
    the certificate
  • The rest of the options marked with a blue dot
    are optional and some have already been filled in
    for you
  • Enter a password and confirm it. Remember or
    write down this password, you will need it later
    to import the certificate into another machine
  • Click Save
  • After a moment you will be returned to the VPN
    page, where you should see your new connection.
    It will have two new icons associated with it.
  • The 'i' is for seeing information about the
    certificate
  • The Blue Floppy Disk is for exporting the
    certificate

5
Roadwarrior using x509 and the Linsys VPN Client
  • Create a VPN connection for Roadwarrior and
    generate a certificate
  • Export the certificate
  • Click on the Blue Floppy Disk icon for the
    certificate you wish to export (Note: IE users
    may have to right click, Save As)
  • The certificate should be exported as a .p12 file
    type
  • Copy the certificate to your XP Roadwarrior
    machine
  • Start the Linsys VPN client and configure a VPN
    connection as explained in the previous sections
    with the exception of the Authentication Method,
    choose Certificate instead of PreShared Key
  • Click on the icon next to the word Certificate

6
  • Click on My Certificates
  • Click on the Green Plus sign
  • Click on the Yellow folder and navigate to where
    you put the exported certificate from the
    NetSentron
  • Enter the password that you entered on the
    NetSentron
  • Click Exportable (checked)
  • Click the Green Arrow, a dialog in a foreign
    language will pop up, click OK
  • Your imported certificate should now be showing
    in the list, double click on it
  • You will now be returned to the main Linsys
    screen, you should see some entries in the text
    area for the certificate along the lines of
    CCA, O
  • Save your connection and test it.

7
NetSentron to NetSentron
  • Enable remote access to the GUI on the remote
    NetSentron
  • Generate Host/Root Certificates on both the local
    and the Remote NetSentrons
  • On each NetSentron we need to export the ROOT and
    HOST Certificates
  • To export, go to the VPN page
  • Scroll down to Certificate Authorities
  • Click on the Blue Floppy Disk in the Root
    Certificate (Note: IE users may have to Right
    Click and Save As)
  • Give the exported Root Certificate a meaningful
    name, do not take the default cacert.pem (e.g.
    HeadOffice_cacert.pem)
  • Click on the Blue Floppy Disk in the Host
    Certificate (Note: IE users may have to Right
    Click and Save As)
  • Give the exported Host Certificate a meaningful
    name, do not take the default hostcert.pem (e.g.
    HeadOffice_hostcert.pem)

8
  • Once you have the Host and Root Certificates for
    each NetSentron exported, we can then import them
    into the respective NetSentrons
  • Go to the VPN page and scroll down to Certificate
    Authorities
  • Type a name into the CA Name text box that
    describes the remote NetSentron.
  • Click Browse to find the certificates that we
    exported previously and select the Root
    certificate of the remote NetSentron (the one
    that contains cacert.pem)
  • Click Upload CA Certificate; it will take a few
    seconds, but when it is done, you should see a
    new line in the Certificate Authorities section.
  • Repeat this procedure on the Remote NetSentron
  • Configure a Net to Net VPN
  • Configuring a net to net x509 VPN is almost
    identical to creating a net to net Pre-Shared Key
    VPN except we don't enter a Pre-Shared Key
  • Under the Authentication section, select Upload a
    certificate
  • Click Browse to find the certificates that we
    exported previously and select the Host
    certificate of the remote NetSentron (the one
    that contains hostcert.pem)
  • Click Save
  • Repeat the procedure on the Remote NetSentron
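
A check worth running on the exported files before uploading them to the other NetSentron, shown here as an added example (not part of the original slides or of the NetSentron product): confirm that each host certificate really chains to the root certificate it was exported with, and print the root's fingerprint so it can be compared with the source box over a separate channel. It assumes the openssl command-line tool is installed; the file names follow the naming advice above, and the certificates are constructed locally as stand-ins for real exports.

```shell
#!/bin/sh
# Added example: sanity-check an exported root/host certificate pair.
# The certificates below are constructed stand-ins, not NetSentron exports.

# make_site DIR PREFIX CN: build a throwaway root CA and a host cert signed by it
make_site() {
    dir=$1; pfx=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=$cn Root CA" \
        -keyout "$dir/${pfx}_cakey.pem" -out "$dir/${pfx}_cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$cn" \
        -keyout "$dir/${pfx}_hostkey.pem" -out "$dir/${pfx}_host.csr" 2>/dev/null
    openssl x509 -req -in "$dir/${pfx}_host.csr" -days 30 \
        -CA "$dir/${pfx}_cacert.pem" -CAkey "$dir/${pfx}_cakey.pem" \
        -CAcreateserial -out "$dir/${pfx}_hostcert.pem" 2>/dev/null
}

# check_pair ROOT HOST: succeed only if HOST was signed by ROOT
check_pair() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint, for comparison with the source box
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo: two constructed sites; only the HeadOffice host cert should match
work=$(mktemp -d)
make_site "$work" HeadOffice headoffice.example.test
make_site "$work" Branch branch.example.test
for site in HeadOffice Branch; do
    if check_pair "$work/HeadOffice_cacert.pem" "$work/${site}_hostcert.pem"; then
        echo "${site}_hostcert.pem: signed by HeadOffice root"
    else
        echo "${site}_hostcert.pem: NOT signed by HeadOffice root, do not upload as a pair"
    fi
done
echo "HeadOffice root SHA-256: $(fingerprint "$work/HeadOffice_cacert.pem")"
rm -rf "$work"
```

With real exports, only check_pair and fingerprint are needed; a mismatch usually means the root and host files of two different NetSentrons were mixed up.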