Digital Certificate Settings


When your test includes IPSec or EAP-TLS, the local peer can be authenticated as a known or trusted peer by the remote peer through the use of digital certificates. To use this method, you must first provision the test server that will execute the test with the private key and X.509 certificate files that supply the values used during the test (see topic Managing Certificate Files), or you can use Test Data Files (TDFs; see below). These files can be generated by the CA hosted on the test server, or generated by your own CA and imported to the test server.

Digital certificates can be used with IPSec when you select IKE With RSA Signature as the IKE type and IKE V2 as the IKE version.

The certificate options are not available when the IKE type is IKE with RSA Signature, the IKE version is V2, and you select EAP Authorization.

NOTE: The certificate options can be re-enabled by selecting EAP with RSA (even if EAP Authorization is enabled).

 

Digital certificates can also be used for IKE V2 Multiple Authentication when Authentication Type is RSA Signature.

When both the primary and secondary authentication use RSA Signature, the secondary RSA configuration uses the certificate values provisioned for the primary RSA Signature.

Digital certificates are always used with EAP-TLS.

This topic describes the settings that control which files and values are used. The topics listed under Related Parameters describe the settings that enable the use of certificates. See Related Topics for instructions on provisioning the required files and preparing the test server to support testing with certificates.

 


File Format

Use the drop-down list to specify the format used in the key and certificate files. The RSA format is used for files generated by the test server's CA.

Options: EVP or RSA

Default: RSA

Tcl Parameter:

 



Private Key Filename

Installed: Select Installed and use the drop-down list to select the file that provisions the local peers' private key.

Test Data File: Select Test Data File to specify the certificate file name. This allows you to upload a certificate you want to use as a Test Data File without causing the test server to reboot.

NOTE:
  • Using Test Data Files also allows you to save certificates to different repositories and provides a means to use the same certificate file names from different repositories.
  • When certificates are TDFs, they are exportable to STE. See topic Exporting Test Suites for additional information.

 

Options: All Certificate files installed on the test server

Default: N/A

Value: Basic: False (Installed); True (TDF)

Tcl Parameter:

PrivateKeyTestDataFileEn

PrivateKeyTestDataFile

PrivateKeyFile

 

First Certificate Entry

A subset of the keys contained in the private key file may be used. This parameter is a zero-based index that specifies the first key of that subset.

Range: N/A

Default: 0

Tcl Parameter:

DataFirstCertEntry

Number of Entries

The number of private keys that will be used in the test. If there are more local peers than keys, the keys are distributed among the peers as evenly as possible.

Range: N/A

Default: 1

Tcl Parameter: BsAsnNumOfEntries

 



X509 Certificate Filename

Installed: Select Installed and use the drop-down list to select the X.509 certificate file.

Test Data File: Select Test Data File to specify the certificate file name. This allows you to upload a certificate you want to use as a Test Data File without causing the test server to reboot.

NOTE:
  • Using Test Data Files also allows you to save certificates to different repositories and provides a means to use the same certificate file names from different repositories.
  • When certificates are TDFs, they are exportable to STE. See topic Exporting Test Suites for additional information.

 

Options: All Certificate files installed on the test server

Default: N/A

Value: Basic: False (Installed); True (TDF)

Tcl Parameter:

X509CertTestDataFileEn

X509CertTestDataFile

X509CertFile

 

Request X509 Certificate

When you select the Request X509 Certificate checkbox in an IPSec test, a Certificate Request is included in the appropriate IKE message and the peer must include a certificate payload in its response. When the peer's certificate is received, its signature is validated.

Tcl Parameter: DataX509Enabler

 

X509 Chained Certificates

The X509 Chained Certificates checkbox is available only for IKE V2 and only when the Request X509 Certificate checkbox is selected.

 

Value: 0 (disabled); 1 (enabled)

 

Tcl Parameter: DataCertChainEn

 

When you enable X509 Chained Certificates:

  • Select the MN certificate from the X509 Certificate Filename drop-down list.

  • Select the required chained certificate from the CA Certificate File drop-down list. The chained certificates include CA and Intermediate CA certificates only.

NOTES:

  • Make sure that you create the chain CA certificates and store them in the correct directory on the test server.

  • Only one CA certificate chain is supported, while multiple X509 certificates are supported. Multiple X509 certificates can be signed by one CA certificate chain.

  • When chained certificates are enabled, the CERT_PAYLOAD contains the MN X509 certificate followed by the CA certificate chain (the MN certificate is first). Note that Landslide does not validate the CA or the CA chain certificate.

  • Because these certificates can be very large (over 1K), IKE AUTH messages carrying chained certificates are fragmented. A maximum of 4 CAs is supported in a chain.

  • Chain CA certificates are supported only on the first round of IKE authentication; they are not supported on the second round of a Multiple AUTH configuration.

 



CA Certificate File

The CA Certificate File and the CA Certificate Number of Entries are available only for IKE V2 when the Request X509 Certificate checkbox is selected, and in the TLS tab of the GM, MW, and ISC interfaces.

When you test with IKEv2, a list of the (hashed) public keys of trusted Certificate Authorities is included in the Certification Authority field of the Certificate Request payload. Use the drop-down list to select a CA file. One CA file can contain up to 32 entries.

Installed: Select Installed and use the drop-down list to select the CA Certificate File.

Test Data File: Select Test Data File to specify the certificate file name. This allows you to upload a certificate you want to use as a Test Data File without causing the test server to reboot.

NOTE:
  • Using Test Data Files also allows you to save certificates to different repositories and provides a means to use the same certificate file names from different repositories.
  • When certificates are TDFs, they are exportable to STE. See topic Exporting Test Suites for additional information.

 

Options: All Certificate files installed on the test server

Default: N/A

Value: Basic: False (Installed); True (TDF)

Tcl Parameter:

CaCertTestDataFileEn

CaCertTestDataFile

CaCertFile

CA Certificate Number of Entries

The number of hashed CA public keys that will be included in every Certificate Request payload.

Range: 1 to 32

Default: 1

Tcl Parameter: DataNumOfEntries
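The following is an added example, not code from the Landslide product, that models what the CA Certificate File and CA Certificate Number of Entries settings feed into: an IKEv2 CERTREQ payload whose Certification Authority field is a list of SHA-1 hashes of trusted CA public keys (RFC 7296), capped at the 32 entries the page states. It also shows the responder's side, picking which of its own CAs the initiator trusts. The sample CA file contents, the `first_entry` index and all function names are assumptions for the example.

```python
import hashlib
import struct

# IKEv2 Cert Encoding value for "X.509 Certificate - Signature" (RFC 7296, 3.6).
X509_SIGNATURE = 4
# The page states one CA file holds up to 32 entries; RFC 7296 sets no such limit.
MAX_CA_ENTRIES = 32
SHA1_LEN = 20

# Constructed stand-ins for the SubjectPublicKeyInfo DER of each CA in a CA file.
SAMPLE_CA_FILE = [b"spki-root-ca", b"spki-intermediate-ca", b"spki-other-ca"]


def authority_hashes(ca_spki_ders, num_entries=1, first_entry=0):
    """Pick the CA entries for one request and hash them as RFC 7296 3.7 requires:
    for encoding 4 the field is a concatenation of SHA-1(SubjectPublicKeyInfo).
    num_entries models "CA Certificate Number of Entries"; first_entry is assumed."""
    if not 1 <= num_entries <= MAX_CA_ENTRIES:
        raise ValueError("CA Certificate Number of Entries must be 1..32")
    chosen = ca_spki_ders[first_entry:first_entry + num_entries]
    if len(chosen) != num_entries:
        raise ValueError("CA file does not hold enough entries")
    return [hashlib.sha1(spki).digest() for spki in chosen]


def build_certreq(ca_spki_ders, num_entries=1, first_entry=0, next_payload=0):
    """Encode a full CERTREQ payload: generic header, Cert Encoding, hashes."""
    body = bytes([X509_SIGNATURE]) + b"".join(
        authority_hashes(ca_spki_ders, num_entries, first_entry))
    # Generic payload header (RFC 7296 3.2): Next Payload, C+Reserved, Length.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_certreq(payload):
    """Decode a CERTREQ payload into (next_payload, encoding, [sha1, ...])."""
    next_payload, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 5:
        raise ValueError("bad CERTREQ length")
    encoding, auth = payload[4], payload[5:]
    if encoding == X509_SIGNATURE and len(auth) % SHA1_LEN:
        raise ValueError("Certification Authority field is not whole SHA-1 hashes")
    return next_payload, encoding, [auth[i:i + SHA1_LEN] for i in range(0, len(auth), SHA1_LEN)]


def trusted_ca_indexes(payload, local_ca_spki_ders):
    """Responder side: which of its own CAs did the initiator say it trusts?
    It returns a CERT chain under one of these; an empty list means no common CA."""
    _, encoding, wanted = parse_certreq(payload)
    if encoding != X509_SIGNATURE:
        return []
    return [i for i, spki in enumerate(local_ca_spki_ders)
            if hashlib.sha1(spki).digest() in wanted]
```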

 
