This section describes the certificate-related functions and configuration for SSL-encrypted traffic detection in the server protection scenario.
As a man-in-the-middle, the FW needs a certificate to establish a trust relationship between the server and the client. After verifying the server certificate, the FW directly blocks the traffic, based on the administrator's configuration, if the certificate has expired or was issued by an untrusted CA.
In the server protection scenario, the FW sends the server certificate to the client and uses the private key of that certificate to decrypt the SSL-encrypted traffic sent by the client and obtain the symmetric key. Therefore, you need to import the server certificate and its private key to the FW, and specify that certificate as the internal server certificate.
The server certificate is imported by the server administrator. It can be a locally generated certificate, a certificate purchased from an external authoritative organization, or a certificate issued by a self-built server that issues certificates.
Choose Object > Certificates > Local Certificates. Click Upload to import the server certificate and private key.
For details about how to upload certificate files on the FW, see Configuring the FW as an FTP Server.
The uploaded certificate and private key must be saved to the required directory. The certificate and private key of the root system are stored in the hda1:/pki/public/ directory. The certificate and private key of a virtual system are stored in the hda1:/pki/vsys/ directory (vsys is the virtual system name). If the certificate and private key are not saved in the required directory, importing them to the device memory fails and the system displays a message indicating that the certificate does not exist.
The certificate and private key can be stored in either one certificate file that contains the private key or two separate files. The method for importing the certificate and private key varies according to whether the certificate and private key are stored in one or two files.
The certificate file contains the private key:
<sysname> system-view
[sysname] pki import rsa-key-pair key-1 pem aaa.pem exportable password Test!123456
The certificate and private key are stored in separate files:
<sysname> system-view
[sysname] pki realm abc
[sysname-pki-realm-abc] quit
[sysname] pki import-certificate local realm abc pem filename ca.cer
[sysname] pki import rsa-key-pair key-1 pem aaa.pem exportable password Test!123456
Although the certificate and private key are stored in two separate files, the system automatically associates them when they are imported to the memory. You can run the pki match-rsa-key certificate-filename file-name command to view the mappings between certificates and keys.
The pki import-certificate command imports only the certificate to the memory. Even though the certificate file may contain a private key, that private key is not imported. The pki import rsa-key-pair command imports the private key file; if the private key file also contains a certificate, the certificate is imported to the memory together with the private key. Therefore, choose the import command according to the format of the file, or the import will fail or be incomplete.
Specify the imported certificate as the internal server certificate:
<sysname> system-view
[sysname] app-proxy server certificate filename ca.cer
You can run the display pki certificate local command to check the name of the certificate file imported to the memory.
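The choice between the one-file and two-file import sequences above depends on which PEM blocks each uploaded file actually contains, and a file with a corrupt base64 body should be caught before it reaches the FW. The following Python script is an added example, not Huawei's own code: it scans each file for PEM blocks, rejects malformed ones, and returns the command sequence described above for the case it detects. The realm name abc, key name key-1 and the <password> placeholder are taken from the documentation examples or are assumptions to be replaced with your own values; the sample PEM contents are constructed placeholders, not real certificates or keys.

```python
"""Decide which FW import commands to use for a given set of PEM files.

Added example, not Huawei's own code. It scans each file for PEM blocks,
rejects blocks whose base64 body is corrupt, and returns the command
sequence the documentation gives for the one-file or two-file case.
"""
import base64
import binascii
import re
from typing import Dict, List

# One PEM block; the END label must match the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
CERT_LABEL = "CERTIFICATE"


def scan_pem(text: str) -> List[str]:
    """Return the label of every PEM block in text, in file order.

    A block whose body is not valid base64 is reported as 'MALFORMED <label>'
    rather than silently counted as a certificate or key.
    """
    labels = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = "".join(match.group("body").split())  # strip line wrapping
        try:
            base64.b64decode(body, validate=True)
        except (ValueError, binascii.Error):
            labels.append("MALFORMED " + label)
            continue
        labels.append(label)
    return labels


def plan_import(files: Dict[str, str], realm: str = "abc", key_name: str = "key-1",
                password: str = "<password>") -> List[str]:
    """Map {file name as stored under hda1:/pki/public/: file text} to FW commands.

    realm, key_name and password default to the documentation's example values
    or to a placeholder (assumption); replace them with your own.
    """
    labels = {name: scan_pem(text) for name, text in files.items()}
    for name, found in labels.items():
        bad = [label for label in found if label.startswith("MALFORMED")]
        if bad:
            raise ValueError(f"{name}: {', '.join(bad)}")
    cert_files = [n for n, found in labels.items() if CERT_LABEL in found]
    key_files = [n for n, found in labels.items() if KEY_LABELS & set(found)]
    if len(key_files) != 1:
        raise ValueError(f"expected exactly one private key file, found {key_files}")
    key_file = key_files[0]
    key_cmd = f"pki import rsa-key-pair {key_name} pem {key_file} exportable password {password}"
    if key_file in cert_files:
        # One file holds both: pki import rsa-key-pair brings the certificate in
        # together with the private key, so no pki import-certificate is needed.
        return ["system-view", key_cmd]
    cert_only = [n for n in cert_files if n != key_file]
    if not cert_only:
        raise ValueError("private key found but no certificate file")
    # Two files: import the certificate into a PKI realm first, then the key;
    # the FW associates the two automatically.
    return [
        "system-view",
        f"pki realm {realm}",
        "quit",
        f"pki import-certificate local realm {realm} pem filename {cert_only[0]}",
        key_cmd,
    ]


def make_pem(label: str, payload: bytes) -> str:
    """Build a constructed PEM block around placeholder bytes (not real DER)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(payload).decode()}-----END {label}-----\n"


# Constructed sample inputs (placeholder contents, not real certificates or keys).
SAMPLE_COMBINED = make_pem("CERTIFICATE", b"placeholder-cert") + make_pem("RSA PRIVATE KEY", b"placeholder-key")
SAMPLE_CERT_ONLY = make_pem("CERTIFICATE", b"placeholder-cert")
SAMPLE_KEY_ONLY = make_pem("RSA PRIVATE KEY", b"placeholder-key")

if __name__ == "__main__":
    print("\n".join(plan_import({"aaa.pem": SAMPLE_COMBINED})))
    print("\n".join(plan_import({"ca.cer": SAMPLE_CERT_ONLY, "aaa.pem": SAMPLE_KEY_ONLY})))
```

After running the commands the script returns, confirm the name under which the certificate landed with display pki certificate local before passing it to app-proxy server certificate filename; the script deliberately does not guess that name, since in the one-file case it is assigned by the FW at import time.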