topic Global Protect with VeriSign Certificates. in General Topics

Global Protect with VeriSign Certificates.

pan123 — Mon, 26 Mar 2012 19:09:15 GMT

Hello,

Can someone please let me know which certificate’s to purchase from VeriSign for Global Protect and if there are any special methods to import them for my portal, gateway and client?

Thanks

Re: Global Protect with VeriSign Certificates.

mikand — Mon, 26 Mar 2012 19:54:16 GMT

Personally I wouldnt put the core of my security into the hands of some foreigner, no matter if that foreigner is spelled "Verisign" or something else (on the other hand you are putting your security into the hands of PAN but still :P).

Setting up your own CA is pretty simply.

There is TinyCA (http://tinyca.sm-zone.net/) and also bootable usb-drives who can act as CA (I forgot its name) unless you wish to do this manually with openssl on a ubuntu box or whatever you prefer.

The main thing is then to protect your CA. Make sure you never connect it to any network and keep it locked up in a safebox when you are not around and it will be a better option than to use stuff from Verisign or any other public CA for your Global Protect needs. For added security make sure to use communication one way only (like dont use usb-drives to export the certs/keys, better to burn it on a blanc cdr or such).

Then if you want to do this for real you can check the PCI compliance guidelines and stuff like that.

Re: Global Protect with VeriSign Certificates.

jseals — Mon, 26 Mar 2012 20:11:56 GMT

Hello,

To answer the certificate import portion, as long as the certificate you get from Verisign is PKCS12 or PEM format, you shouldn't have issues importing it on our gateway. You can do this on the gateway in the WebUI. Device tab -> Certificates -> Import.

For the client, it's different on each OS and each browser, but as long as you import the client certificate in their browser's certificate store, it should be fine.

Thanks,

Jason Seals