Certificate Properties

Certificate authority and certificate entries have several properties in common. The common properties of both types are covered here.

Keys

The public and private keys of the certificate are used for cryptographic operations.

Key Type

Certificate key type can be either RSA or ECDSA (Elliptic Curve Digital Signature Algorithm).

RSA

RSA keys are more common and better supported than ECDSA keys, and they also have some performance benefits.

Key Length

When using RSA keys, the security is proportional to the key size. Larger keys are more secure, but they also take longer to generate and are slower to use. RSA performance decreases rapidly as the key size increases.

The best practice is to not use keys smaller than 2048 bits where possible. Legacy and embedded systems may not support larger keys.

ECDSA

ECDSA is a newer method, and is not as widely adopted. Its main advantage is that it can use smaller keys to provide equivalent levels of security to RSA. ECDSA is slower at verifying signatures than RSA, but scales better.

Curve Name

There are a variety of ECDSA curves available, but only a few have been confirmed to work with various services on the firewall. The services which support each curve are noted in the list. Pick the curve based on which services will use this certificate authority or certificate.

Digest Algorithm

Digest Algorithms, also known as Message Digest Algorithms and Hash Algorithms, are used to create a fixed-length hash of content for signing.

The larger the hash, the stronger it is and the less likely it is to be susceptible to collisions which compromise the integrity of the hash. The current best practice is to use a minimum of SHA-256.

Warning

Though the GUI still contains support for SHA-1, it is considered weak and should not be used. Rare exceptions can be made for legacy systems which do not support stronger hashes.

Lifetime

The Lifetime of a certificate authority or certificate determines the length, in days, for which the certificate is valid. Shorter lifetimes are more secure, but require more work as the certificates must be renewed or replaced more frequently.

For certificate authorities, a longer lifetime such as 3650 days (10 years) is acceptable.

Certificates for users typically also have a long lifetime, but specific values depend largely on the needs of an organization. The GUI defaults to 3650 days for User Certificates, but a better practice is to use a lower value when practical.

Server certificates have stricter requirements for their lifetime. The current accepted maximum lifetime for server certificates is 398 days. Most browsers and other software will no longer accept new server certificates with longer lifetimes.

Note

Another special case is server certificates obtained using ACME from Let’s Encrypt. These only have a lifetime of 90 days, but since they are automatically replaced well before they expire, there is little extra administrative overhead once the initial setup is complete.
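The Keys, Digest Algorithm and Lifetime sections above each state a limit (RSA no smaller than 2048 bits, no SHA-1, server lifetimes no longer than 398 days, a 27-day expiration warning). The following Python script is an added example, not pfSense code: it takes the properties of an entry as the GUI presents them and reports which of those limits it violates. The `CertProperties` field names, the `lint` and `validity_status` functions, and the sample entry are this example's own constructions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Limits taken from the text above (constructed lint, not pfSense code).
MIN_RSA_BITS = 2048               # do not use RSA keys smaller than 2048 bits
WEAK_DIGESTS = {"sha1"}           # SHA-1 is still selectable but considered weak
MAX_SERVER_LIFETIME_DAYS = 398    # accepted maximum lifetime for server certificates
EXPIRY_WARNING_DAYS = 27          # default expiration warning threshold


@dataclass
class CertProperties:
    """Properties as shown in the certificate GUI (field names are this example's)."""
    role: str            # "ca", "user" or "server"
    key_type: str        # "rsa" or "ecdsa"
    digest: str          # e.g. "sha256"
    lifetime_days: int
    key_bits: int = 0    # RSA key length; ignored for ECDSA
    curve: str = ""      # ECDSA curve name; ignored for RSA
    not_before: Optional[date] = None


def validity_status(not_before: date, lifetime_days: int, today: date) -> str:
    """Mirror the list colouring: 'valid', 'expiring' (yellow) or 'expired' (red)."""
    not_after = not_before + timedelta(days=lifetime_days)
    remaining = (not_after - today).days
    if remaining < 0:
        return "expired"
    if remaining <= EXPIRY_WARNING_DAYS:
        return "expiring"
    return "valid"


def lint(cert: CertProperties, today: Optional[date] = None) -> List[str]:
    """Return a list of findings; an empty list means the entry meets the guidance."""
    findings: List[str] = []

    key_type = cert.key_type.lower()
    if key_type == "rsa":
        if cert.key_bits < MIN_RSA_BITS:
            findings.append(
                f"RSA key length {cert.key_bits} is below the {MIN_RSA_BITS}-bit minimum")
    elif key_type == "ecdsa":
        if not cert.curve:
            findings.append("ECDSA key has no curve name selected")
    else:
        findings.append(f"unknown key type {cert.key_type!r}")

    if cert.digest.lower() in WEAK_DIGESTS:
        findings.append(f"digest {cert.digest} is weak; use SHA-256 or stronger")

    if cert.role == "server" and cert.lifetime_days > MAX_SERVER_LIFETIME_DAYS:
        findings.append(
            f"server lifetime {cert.lifetime_days} days exceeds the "
            f"{MAX_SERVER_LIFETIME_DAYS}-day maximum; browsers will reject it")

    # Only evaluated when a start date and a reference date are both supplied.
    if cert.not_before is not None and today is not None:
        status = validity_status(cert.not_before, cert.lifetime_days, today)
        if status != "valid":
            findings.append(f"entry is {status}")

    return findings


if __name__ == "__main__":
    # Constructed sample: a server certificate created with the GUI's 3650-day
    # default, a 1024-bit RSA key and SHA-1. Every rule above fires on it.
    sample = CertProperties(role="server", key_type="rsa", digest="sha1",
                            lifetime_days=3650, key_bits=1024,
                            not_before=date(2020, 1, 1))
    for line in lint(sample, today=date(2024, 6, 1)):
        print("-", line)
```

The CA role is deliberately exempt from the lifetime rule, since the text accepts 3650 days for certificate authorities; the same `validity_status` logic is what the yellow and red highlighting in the entry lists expresses.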

Distinguished Name

The entity to which a certificate authority or certificate belongs, also known as the Subject, is identified by the unique components of the certificate. The primary component for this purpose is the Distinguished Name (DN). These are typically filled in with an organization’s information, or in the case of an individual, personal information. This information is mostly cosmetic; it is used to verify the accuracy of the CA and to distinguish one CA from another.

A DN is composed of several fields which contain information about the subject.

Only the Common Name is required; the other fields may be left blank.

Warning

A DN with less unique information has the potential to be misidentified later when comparing certificate subjects. Always fill in enough information to uniquely identify the subject.

Common Name

A short name, such as a username or hostname. Do not use spaces or punctuation, other than that which is typically found in a hostname.

Note

This name is not used directly for certificate validation on modern systems, which look at Subject Alternative Name values instead.

Country Code

The two letter ISO country code for the certificate subject location.

Note

The ISO country code is not the same as the hostname TLD code for a country.

State or Province

The geographical state or province name for the certificate subject location. This value should be spelled out, not using an abbreviation or code.

City

The city for the certificate subject location.

Organization

The name of the organization to which the subject belongs. For example, a company name, government agency name, or similar.

Organizational Unit

A division or department inside the organization, if any. For example, “IT Department” or “Accounting”.

Note

When creating a certificate, the GUI populates most of these fields with the values from the certificate authority chosen for signing. The contents of the fields may be changed before performing the signing operation.

Subject Alternative Name

The Subject Alternative Name (SAN) list is only present on certificates. It contains information used to validate the identity of the certificate. For example, when connecting to a device on the network, a system may compare the hostname or IP address to which it connected with values in the certificate SAN list. This way, it can be sure it is communicating with the intended host and not an impostor.

Note

The Common Name value from a certificate is automatically added to the SAN list internally, as its inclusion is a requirement of current standards.

The following types of SAN entries can be added to a certificate:

FQDN or Hostname

A fully qualified domain name (e.g. host.domain.tld) or a hostname (host). In most cases this hostname would also exist in DNS. In the case of user certificates, this could also be a username.

IP Address

An IP address (e.g. x.x.x.x), typically an address found on a network device using this certificate. Necessary for clients to properly validate the certificate when connecting by IP address instead of by hostname.

URI

A Uniform Resource Identifier for the certificate subject. In practice, only used as an alternate way to determine the hostname when communicating with servers. It does not restrict certificate validity to specific URIs on a server.

E-mail Address

An e-mail address for the certificate subject.
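The SAN description above says a client compares the hostname or IP address it connected to with the SAN entries, that the Common Name is not consulted on modern systems, and that an IP entry is necessary when connecting by address. The following Python code is an added illustration of that comparison, not pfSense code and not a replacement for a TLS library's own validation. The `san_matches` and `verify_identity` functions, the `(type, value)` representation of SAN entries and the sample list are this example's own constructions; the wildcard rule it assumes is the common one where `*` stands for exactly one leftmost label.

```python
import ipaddress
from typing import Iterable, Tuple

# SAN entries as (type, value) pairs, using the four types the GUI can add:
# "DNS", "IP", "URI" and "email". Representation constructed for this example.
SanList = Iterable[Tuple[str, str]]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS SAN entry with a hostname.

    Matching is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire leftmost label (*.example.com) and covers
    exactly one label, never several (assumed simplification).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return (len(p_labels) == len(h_labels)
                and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    return False


def san_matches(sans: SanList, target: str) -> bool:
    """Return True if the connection target (hostname or IP) is covered by the SAN list.

    A target that parses as an IP address is compared only against IP entries,
    so a certificate carrying DNS names alone does not validate a connection
    made by address. URI and e-mail entries take no part in host validation.
    """
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    for kind, value in sans:
        if kind == "DNS" and target_ip is None and _dns_name_matches(value, target):
            return True
        if kind == "IP" and target_ip is not None:
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # a malformed IP entry never matches
    return False


def verify_identity(common_name: str, sans: SanList, target: str) -> bool:
    """Modern validation: only the SAN list decides; the Common Name is ignored."""
    # common_name is intentionally unused, as the note above describes.
    return san_matches(sans, target)


if __name__ == "__main__":
    # Constructed sample certificate identity for a firewall.
    sans = [("DNS", "fw.example.com"), ("DNS", "*.svc.example.com"),
            ("IP", "192.0.2.1"), ("email", "admin@example.com")]
    for target in ("fw.example.com", "vpn.svc.example.com", "192.0.2.1",
                   "192.0.2.2", "a.vpn.svc.example.com"):
        print(f"{target:25} -> {verify_identity('fw.example.com', sans, target)}")
```

The two failing targets in the sample are the cases the text warns about: an address not listed as an IP entry, and a name two labels below the wildcard.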

Certificate Properties in Lists

When viewing the lists of CA and certificate entries, the properties of the entry are available in the Distinguished Name column. The DN is printed there and additional detailed information is available from the fa-info icon.

Underneath that information, the GUI prints the start and end dates for the validity of the entry. The difference between the start and end date is the Lifetime. When an entry is nearing expiration, the GUI highlights the end date in yellow. When an entry is expired, it is red. The system also generates notifications for expiring certificates.

See also

The certificate expiration warning threshold is 27 days by default, but can be customized. See Notifications for details.