21.4 Configuring Certificate Settings

Access Manager components and agents can access the keystore to retrieve certificates, keys, and trusted roots as needed.

Before you proceed with this section, make sure that you have already created the certificate you intend to use; the Replace dialog box described below can only select certificates that already exist in the Access Manager keystore. For more information on creating certificates, see Section V, Security and Certificate Management.

21.4.1 Adding Certificates to the SSL VPN Keystore

  1. In the Administration Console, select Access Manager > SSL VPN > Edit.

  2. Select SSL VPN Certificates from the Security settings section. The Certificates for SSL VPN page is displayed.

    Figure: Adding SSL VPN certificates
  3. Click STunnel. The Keystore: SSL VPN Secure Tunnel page is displayed.

    Figure: Adding a certificate to the SSL VPN STunnel

    The certificate in the SSL VPN STunnel keystore is the server certificate that the SSL VPN secure tunnel service uses to encrypt client sessions. This page contains the following information:

    • Keystore name: Specifies the name of the keystore to which the certificate belongs.

    • Keystore type: Specifies the type of keystore. It can be Java, PEM, or PKCS12.

    • Device: Specifies the IP address of the SSL VPN device.

    NOTE: Every imported SSL VPN device has a default certificate. Replace it with a certificate issued for the host name that clients use to reach the SSL VPN server; a certificate whose subject does not match that name causes clients to report a certificate warning.

  4. To replace the default certificate, click Replace. The Replace dialog box is displayed.

    Figure: Replacing the SSL VPN certificate

    Fill in the following fields:

    • Certificates: Click the Select Certificate icon to browse and select the certificate that you want to associate with SSL VPN.

    • Alias(es): Optionally, specify an alias (an alternate name) under which the imported certificate is stored in the keystore.

  5. Click OK to close the Replace dialog box.

  6. To apply the change to the device, click OK, then click Update on the Configuration page.
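After you click Update, it is worth confirming two things that the Administration Console does not show you: that the keystore file you are about to import is really of the type you selected (Java, PEM, or PKCS12), and that the SSL VPN device is now presenting the certificate you chose rather than the default one. The following script is an added example written for this page; it is not part of the Access Manager product or its documentation. It uses only the Python 3 standard library. The host name sslvpn.example.com, port 443 and the expected fingerprint are assumptions for illustration; substitute the address of your SSL VPN device and the SHA-256 fingerprint of the certificate you selected (openssl x509 -noout -fingerprint -sha256 on its PEM file prints it in the same format).

```python
# Added example for checking an SSL VPN STunnel certificate replacement.
# Not part of the Access Manager documentation. Python 3 standard library only.
#   1. detect_keystore_type(): tell Java (JKS), PEM and PKCS12 keystore files
#      apart from their leading bytes before importing (a heuristic).
#   2. served_cert_matches(): after clicking Update, confirm that the device
#      presents the certificate you selected, by comparing the SHA-256
#      fingerprint of the served certificate with the expected one.
# HOST, PORT and EXPECTED below are assumed values for illustration.
import hashlib
import socket
import ssl

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # fixed magic number of a Java KeyStore (JKS) file
PEM_MARKER = b"-----BEGIN"       # PEM is base64 text wrapped in BEGIN/END armor


def detect_keystore_type(data: bytes) -> str:
    """Classify keystore bytes as 'Java', 'PEM', 'PKCS12' or 'unknown'.

    Heuristic: JKS starts with a fixed magic number; PEM is ASCII-armored
    text; a PKCS12 (PFX) file is a DER SEQUENCE and so starts with tag 0x30.
    """
    if data.startswith(JKS_MAGIC):
        return "Java"
    if data.lstrip().startswith(PEM_MARKER):   # tolerate leading whitespace
        return "PEM"
    if data[:1] == b"\x30":
        return "PKCS12"
    return "unknown"


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate in openssl's AA:BB:CC form."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Accept 'sha256 Fingerprint=AA:BB..', 'aa:bb..' or 'aabb..' and canonicalize."""
    value = text.split("=", 1)[-1]
    hex_only = value.replace(":", "").replace(" ", "").strip().upper()
    if len(hex_only) != 64 or any(c not in "0123456789ABCDEF" for c in hex_only):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return ":".join(hex_only[i:i + 2] for i in range(0, 64, 2))


def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER leaf certificate the endpoint presents.

    Verification is deliberately off: the question is WHICH certificate the
    device serves, not whether this client trusts it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_cert_matches(host: str, port: int, expected_fingerprint: str) -> bool:
    """True if the served certificate's SHA-256 fingerprint equals the expected one."""
    served = sha256_fingerprint(fetch_served_cert(host, port))
    return served == normalize_fingerprint(expected_fingerprint)


if __name__ == "__main__":
    # Constructed sample inputs, not real keystores.
    samples = {
        "server.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "server.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "server.p12": b"\x30\x82\x0a\x10\x02\x01\x03",
    }
    for name, blob in samples.items():
        print("%-12s %s" % (name, detect_keystore_type(blob)))

    # Assumed device address and fingerprint; replace with your own values.
    HOST, PORT = "sslvpn.example.com", 443
    EXPECTED = ("sha256 Fingerprint=E3:B0:C4:42:98:FC:1C:14:9A:FB:F4:C8:99:6F:B9:24:"
                "27:AE:41:E4:64:9B:93:4C:A4:95:99:1B:78:52:B8:55")
    try:
        print("served certificate matches:", served_cert_matches(HOST, PORT, EXPECTED))
    except OSError as exc:
        print("could not reach %s:%d: %s" % (HOST, PORT, exc))
```

If served_cert_matches returns False after Update, the device is still presenting its previous certificate; check that the Update completed on the Configuration page and that you are connecting to the SSL VPN secure tunnel port rather than to another service on the same device.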

21.4.2 Adding Trusted Roots for SSL VPN

A trust store contains the root certificates of the certificate authorities (CAs) that a device trusts. A trusted root is self-signed: it is accepted because it is present in the trust store, not because another certificate vouches for it, so only add roots whose origin you have verified. When you create a trust store, you can assign it to devices and add trusted root certificates to it.

NOTE: Trusted roots need not be configured for SSL VPN.