
Importing a Certificate to the FW

This section describes how to import a certificate to the FW in the client protection scenario.

Context

When establishing an SSL connection with the server, the FW uses a trusted CA certificate to verify the server certificate. If no trusted CA certificate is available, the FW considers the server certificate untrusted and then permits or blocks the SSL connection according to the actions configured in the Untrusted Certificate. If a trusted CA certificate is available on the FW, the FW considers the server certificate trusted and establishes an SSL connection with the server.

In the client protection scenario configured with SSL-encrypted traffic detection, the SSL decryption certificate and the server certificate are used to re-issue a new certificate to the client. The SSL decryption certificate can be a CA certificate manually created on the FW or imported from an external authority. If an enterprise has a server that can issue CA certificates, you can import the CA certificate issued by that CA server or by a CA to the FW as the SSL decryption certificate. If you do not want to import a CA certificate, use an SSL decryption certificate manually created on the FW. Generally, the imported SSL decryption certificate, or the CA that issues the SSL decryption certificate, is trusted by the client. In this way, the temporary certificate that the FW issues with the SSL decryption certificate passes verification on the client, and the SSL handshake between the FW and the client completes successfully.

Regardless of whether the SSL decryption certificate is manually created on the FW or imported from an external authority, you need to import it to the client and make the client trust it. Otherwise, once SSL decryption is enabled on the FW, the client displays a warning that the server certificate was not issued by a trusted organization whenever a browser accesses an HTTPS website. Some applications may even drop the connection without any warning, affecting normal usage.

Importing a Certificate to the FW Using the Web UI

  1. Configure a server CA certificate. By default, over 100 common server CA certificates have been preset on the FW, which can be used to verify most server certificates. For server certificates that cannot be verified with the preset CA certificates, you need to import CA certificates that can verify the server identities to the FW and then specify these certificates as server CA certificates.
    1. Import the server CA certificate.

      Choose Object > Certificates > CA Certificates. Click Upload to import the server CA certificate to the device.

    2. Specify the imported certificate as the server CA certificate.
    3. Choose Object > Certificates > SSL Decryption Certificate, and click the Server CA Certificate tab.
    4. Click Add, move the imported certificate from Available to Selected, and click OK.
  2. Configure an SSL decryption certificate.

    The FW can use either a manually created SSL decryption certificate or an imported external CA certificate as the SSL decryption certificate.

    Import an external CA certificate:

    1. Choose Object > Certificates > SSL Decryption Certificate, and click the SSL Decryption Certificate tab.
    2. Click Upload to import the SSL decryption certificate.

      The following table describes parameters related to certificate import.

      Certificate Format
        • PKCS12 Certificate/PEM Certificate with Key: applies to a certificate file with the suffix p12, pem, or pfx that includes the key. To import the certificate, you must specify the certificate password, which you can obtain from the CA.
        • Certificate/PEM Certificate Without Key: applies to a certificate file with the suffix cer, crt, or der whose key is in a separate file. To import the certificate, you must specify the certificate password and a key file (with the suffix pem); you can obtain the key password from the CA.
      Certificate File: certificate file issued by the CA
      Key File: key file issued by the CA
      Password: password of the key file

    To manually create an SSL decryption certificate, click Add and set the following parameters. Generally, you only need to configure the certificate name and common name; the other parameters can be configured as required.

    Certificate Name: name of the SSL decryption certificate
    Common Name: common name of the SSL decryption certificate. If this parameter is not configured, the certificate name is used.
    IP Address: IP address of the certificate
    Key Type: type of the key pair used to generate the SSL decryption certificate on the FW
    Key Length: a shorter key speeds up encryption and decryption but is less secure. A key length greater than 1024 bits is recommended.

  3. Download and install the SSL decryption certificate.
    1. In SSL Decryption Certificate List, click Download in the column where the trusted certificate resides, and save the SSL decryption certificate to the local disk.

      File Format: select Export files in PEM format, Export files in CER format, or Export files in PKCS12 format as required.
      Password: if the certificate contains a key, you must enter a password to protect it.
      Confirm Password: re-enter the new password.

    2. Send the SSL decryption certificate to the user by email, or place it on a server for the user to download.
    3. Install and trust the SSL decryption certificate in the browser on the client.

The Firefox browser has its own certificate store. If an intranet PC uses Firefox, you need to import the certificate into Firefox even if the certificate has already been imported for other browsers (such as Internet Explorer) on the same operating system.

Methods for installing certificates vary depending on the browser. This section uses Internet Explorer 8 as an example. For details about installing the SSL decryption certificate on a client, see Appendix: Installing SSL Decryption Certificates.
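Before uploading files in the formats listed above, an administrator can sanity-check them with openssl. The script below is an added example and is not part of the Huawei page: it checks that a file to be imported under CA Certificates really is a CA certificate, that a separate key file belongs to its certificate, builds the password-protected PKCS12 bundle the upload dialog accepts, and mimics the server-certificate check the FW performs against a trusted server CA certificate. It assumes openssl is in PATH; every certificate, key and name is constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the Huawei page: sanity-check the files an
# administrator is about to upload (CA certificate, decryption certificate
# plus key, PKCS12 bundle) and mimic the FW's server-certificate check with
# openssl. Assumes openssl is in PATH; every file and name is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed enterprise CA: plays the "CA certificate issued by the CA server"
# that is imported as the SSL decryption certificate (req -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Enterprise CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null

# Constructed server certificate signed by that CA, and a self-signed one
# that no trusted CA on the FW can verify.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=intranet.example" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/srv.cer" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unknown.example" \
  -keyout "$WORK/unk.key" -out "$WORK/unk.cer" 2>/dev/null

# 1. A file imported under "CA Certificates" must really be a CA certificate.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}

# 2. "Certificate Without Key" import: the separate key file must belong to
#    the certificate; compare the public keys instead of trusting file names.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. "PKCS12 Certificate" import: bundle certificate and key under the password
#    the FW asks for on upload, then confirm the bundle opens with it.
bundle_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -passout "pass:$4" -out "$3" &&
    openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys -noout 2>/dev/null
}

# 4. What the FW does in the client protection scenario: verify the server
#    certificate against its trusted server CA certificates. Exit 0 = trusted,
#    anything else = the Untrusted Certificate action applies.
server_cert_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```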

Importing a Certificate to the FW Using the CLI

  1. Upload a server CA certificate.

    For details about how to upload certificate files on the FW, see Configuring the FW as an FTP Server.

    The uploaded certificate and private key must be saved to the required directory. The certificate and private key of the root system are stored in the hda1:/pki/public/ directory. The certificate and private key of a virtual system are stored in the hda1:/pki/vsys/ directory (vsys is the virtual system name). If a certificate or private key that was not saved to the required directory is imported to the device memory, the system displays a message indicating that the certificate does not exist.

  2. Import the uploaded server CA certificate to the memory of the FW, and specify the imported server CA certificate as a trusted server CA certificate.
    <sysname> system-view 
    [sysname] pki realm abc 
    [sysname-pki-realm-abc] quit 
    [sysname] pki import-certificate ca realm abc pem filename ca.cer 
    [sysname] app-proxy ca trust filename ca.cer
  3. Configure the SSL decryption certificate.

    You can manually generate the SSL decryption certificate or import an external CA certificate to the FW. This section describes how to manually generate the SSL decryption certificate on the FW.

    Create an RSA key pair of the SSL decryption certificate.

    <sysname> system-view
    [sysname] pki rsa built-in-ca rsakey create exportable

    Create a PKI entity.

    <sysname> system-view 
    [sysname] pki entity entity1 
    [sysname-pki-entity-entity1] common-name test

    You can also configure the IP address and email address of the PKI entity; these settings are not shown here.

  4. Generate an SSL decryption certificate and import it to the memory.
    <sysname> system-view 
    [sysname] pki generate built-in-ca certificate rsa-key-pair rsakey entity entity1 
    [sysname] pki import-certificate built-in-ca filename key1_builtinca.cer
  5. Mark one decryption certificate trusted and the other untrusted.
    <sysname> system-view 
    [sysname] app-proxy built-in-ca trust filename key1_builtinca.cer

    When the FW, acting as a proxy client, performs the SSL handshake with the real server, it checks whether the server certificate is issued by a trusted CA.

  • If not, the FW issues a temporary certificate to the client using the SSL decryption certificate marked as untrusted. A security warning is then displayed on the client, and the user can continue the access only after dismissing the warning.
  • If yes, the FW issues a temporary certificate to the client using the SSL decryption certificate marked as trusted. You need to export the trusted SSL decryption certificate, and install and trust it on the intranet client. For details, see Downloading and Installing the SSL Decryption Certificate.
Copyright © Huawei Technologies Co., Ltd.