
How Can I Clear the Alarm "Your certificate of calibration is illegal, continue to log in?"

Symptom

When a mobile user uses the SecoClient to log in to the FW over an SSL VPN tunnel, the system displays the following alarm information:



The alarm is raised because the SecoClient does not have the CA certificate needed to authenticate the FW's identity. The methods for clearing the alarm are as follows:
  • Click Change Setting and deselect Block links to Untrust Servers.

    Use this method only if the authenticity of the FW's identity can be confirmed; it disables the check rather than satisfying it.

  • Issue certificates to the SecoClient and FW.

    Produce two certificates: place the device certificate on the FW and the CA certificate on the host where the SecoClient resides. If the enterprise has its own certificate system, use it to produce the certificates. If the enterprise does not have a certificate system, use the XCA software to produce them.

    When the SecoClient accesses the FW over an SSL VPN tunnel, the FW sends a device certificate to the SecoClient. As long as the CA certificate of the SecoClient can be used to verify the device certificate of the FW, the system does not generate the alarm.

    Use this method if the authenticity of the FW's identity cannot otherwise be confirmed.

Windows 7 is used as an example to describe how to produce certificates with the XCA software to clear the alarm.

Procedure

  1. Download the XCA software from the website and install it.
  2. Open the XCA software. From the File menu, create a database and set its name and the password used to open it. This database stores the key pairs and certificates.
  3. On the Private Keys tab, generate a public and private key pair for the CA certificate.



  4. On the Certificates tab, generate a CA certificate.





  5. Set a validity period for the CA certificate.



  6. Generate a public and private key pair for the device certificate of the FW.



  7. On the Certificates tab, generate a device certificate for the FW.

    When generating the device certificate, select the CA certificate for Use this Certificate for signing on the Source tab, so that the device certificate is signed by the CA certificate and can be verified against it. In this way, when establishing an SSL VPN tunnel, the SecoClient can use the CA certificate to verify the validity of the FW's device certificate. Set Internal name and commonName to the IP address of the VPN gateway that provides VPN services. In this section, Internal name and commonName are both set to 1.1.1.1.





  8. Export the CA certificate as a PEM file and the device certificate as a PKCS #12 file.





  9. Place the CA certificate on the PC where the SecoClient resides and install it.
    1. Double-click the CA certificate file. In the window that is displayed, click Install Certificate.

    2. Click Next as prompted until the certificate installation is complete.

      During installation, use the default values in the dialog box.

  10. Load the certificate on the FW.
    1. Log in to the FW and choose Network > SSL VPN > SSL VPN.
    2. Click of the virtual gateway. Select Update Local Certificate from the Certificate Authentication drop-down list.

    3. Import the device certificate.

      The password is the one set during device certificate export.



    4. Return to the configuration UI of the virtual gateway and click OK.
  11. Re-log in to the FW from the SecoClient.

Verifying the Configuration

If the alarm is no longer displayed, the certificate configuration succeeds.
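The objects that steps 3 to 8 create in XCA, produced with the OpenSSL command line instead, followed by the chain check the SecoClient effectively performs in step 11 once the CA certificate is installed. This is an added example, not code from the page, from XCA or from Huawei. It assumes an openssl binary of version 1.1.1 or later; the file names, CA name, key size, validity periods and PKCS #12 password are constructed for the demo, and 1.1.1.1 is the gateway address used on the page.

```shell
#!/bin/sh
# Added example (not from the page, not XCA's or Huawei's code): build the CA
# certificate and the FW device certificate of steps 3-8 with the OpenSSL CLI,
# then run the checks a client performs once the CA certificate is trusted.
# File names, CA name and PKCS #12 password are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
GW_IP="1.1.1.1"           # Internal name / commonName of the device certificate (as on the page)
P12_PASS="demo-p12-pass"  # constructed; this is the password the FW asks for in step 10

# Minimal req config so the commands do not depend on the system openssl.cnf.
write_req_config() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORKDIR/req.cnf"
}

# Steps 3-8. Runs in a subshell so the cd does not leak into the caller.
make_certs() (
  cd "$WORKDIR"
  write_req_config
  # Step 3: key pair for the CA certificate
  openssl genrsa -out ca.key 2048 2>/dev/null
  # Steps 4-5: self-signed CA certificate with a validity period (3650 days here)
  openssl req -x509 -new -config req.cnf -key ca.key -days 3650 -sha256 \
    -subj "/CN=Demo SSL VPN CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -out ca.pem
  # Step 6: key pair for the FW device certificate
  openssl genrsa -out fw.key 2048 2>/dev/null
  # Step 7: device certificate signed by the CA. commonName is the gateway IP
  # as on the page; the IP also goes into subjectAltName because TLS clients
  # match an address against SAN entries, not only against the CN.
  openssl req -new -config req.cnf -key fw.key -subj "/CN=$GW_IP" -out fw.csr
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' "$GW_IP" > fw.ext
  openssl x509 -req -in fw.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 825 -sha256 -extfile fw.ext -out fw.pem 2>/dev/null
  # Step 8: ca.pem is already the PEM export; bundle device cert + key as PKCS #12
  openssl pkcs12 -export -in fw.pem -inkey fw.key -name "fw-device" \
    -passout "pass:$P12_PASS" -out fw.p12
)

# Chain check: can the installed CA certificate verify the FW's device certificate?
# Exit status 0 means "no alarm expected".
verify_device_cert() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/fw.pem" >/dev/null 2>&1
}

# Chain check plus "was it issued for this gateway address?" (-verify_ip matches
# the address against the certificate's subjectAltName IP entries).
device_cert_valid_for() {
  openssl verify -CAfile "$WORKDIR/ca.pem" -verify_ip "$1" "$WORKDIR/fw.pem" >/dev/null 2>&1
}

# Import check for step 10: does the given password open the PKCS #12 bundle?
p12_opens_with() {
  openssl pkcs12 -in "$WORKDIR/fw.p12" -passin "pass:$1" -noout 2>/dev/null
}

make_certs
verify_device_cert
echo "device certificate verifies against ca.pem (no alarm expected)"
device_cert_valid_for "$GW_IP"
echo "device certificate was issued for $GW_IP"
p12_opens_with "$P12_PASS"
echo "fw.p12 opens with the export password"
echo "install $WORKDIR/ca.pem on the SecoClient host (step 9); import $WORKDIR/fw.p12 on the FW (step 10)"
```

The ca.pem it writes is the file installed on the SecoClient host in step 9, and fw.p12 together with P12_PASS is what the FW imports in step 10. The script puts the gateway address into subjectAltName in addition to commonName because many TLS clients match an IP address only against SAN entries; a device certificate that carries the address in commonName alone may be rejected by such clients even though the chain itself verifies.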

Copyright © Huawei Technologies Co., Ltd.