Certificate Properties
Certificate authority and certificate entries have several properties in common. The common properties of both types are covered here.
Keys
The public and private keys of the certificate are used for cryptographic operations.
- Key Type:
Certificate key type can be either RSA or ECDSA (Elliptic Curve Digital Signature Algorithm).
- RSA:
RSA keys are more common and better supported than ECDSA keys, and also have some performance benefits.
- Key Length:
When using RSA keys, the security is proportional to the key size. Larger keys are more secure, but they also take longer to generate and are slower to use. RSA performance decreases rapidly as the key size increases.
The best practice is to not use keys smaller than 2048 bits where possible. Legacy and embedded systems may not support larger keys.
- ECDSA:
ECDSA is a newer method and is not as widely adopted. Its main advantage is that it can use smaller keys to provide levels of security equivalent to RSA. ECDSA is slower at verifying signatures than RSA, but scales better.
- Curve Name:
There are a variety of ECDSA curves available, but only a few have been confirmed to work with various services on the firewall. The services which support each curve are noted in the list. Pick the curve based on which services will use this certificate authority or certificate.
Digest Algorithm
Digest Algorithms, also known as Message Digest Algorithms and Hash Algorithms, are used to create a fixed-length hash of content for signing.
The larger the hash, the stronger it is and the less susceptible it is to collisions, which compromise the integrity of the hash. The current best practice is to use a minimum of SHA-256.
Warning
Though the GUI still contains support for SHA-1, it is considered weak and should not be used. Rare exceptions can be made for legacy systems which do not support stronger hashes.
Lifetime
The Lifetime of a certificate authority or certificate determines the length, in days, for which the certificate is valid. Shorter lifetimes are more secure, but require more work as the certificates must be renewed or replaced more frequently.
See also
For certificate authorities, a longer lifetime such as 3650 days (10 years) is acceptable.
Certificates for users typically also have a long lifetime, but specific values depend largely on the needs of an organization. The GUI defaults to 3650 days for User Certificates, but a better practice is to use a lower value when practical.
Server certificates have stricter requirements for their lifetime. The current accepted maximum lifetime for server certificates is 398 days. Most browsers and other software will no longer accept new server certificates with longer lifetimes.
Note
Another special case is server certificates obtained using ACME from Let’s Encrypt. These only have a lifetime of 90 days, but since they are automatically replaced well before they expire, there is little extra administrative overhead once the initial setup is complete.
Distinguished Name
The entity to which a certificate authority or certificate belongs, also known as the Subject, is identified by the unique components of the certificate. The primary component for this purpose is the Distinguished Name (DN). These are typically filled in with an organization’s information, or in the case of an individual, personal information. This information is mostly cosmetic, and used to verify the accuracy of the CA, and to distinguish one CA from another.
A DN is composed of several fields which contain information about the subject.
Only the Common Name is required; the other fields may be left blank.
Warning
A DN with less unique information has the potential to be misidentified later when comparing certificate subjects. Always fill in enough information to uniquely identify the subject.
- Common Name:
A short name, such as a username or hostname. Do not use spaces or punctuation, other than that which is typically found in a hostname.
Note
This name is not used directly for certificate validation on modern systems, which look at Subject Alternative Name values instead.
- Country Code:
The two letter ISO country code for the certificate subject location.
Note
The ISO country code is not the same as the top-level domain (TLD) code for a country.
- State or Province:
The geographical state or province name for the certificate subject location. This value should be spelled out, not using an abbreviation or code.
- City:
The city for the certificate subject location.
- Organization:
The name of the organization to which the subject belongs. For example, a company name, government agency name, or similar.
- Organizational Unit:
A division or department inside the organization, if any. For example, “IT Department” or “Accounting”.
Note
When creating a certificate, the GUI populates most of these fields with the values from the certificate authority chosen for signing. The contents of the fields may be changed before performing the signing operation.
Subject Alternative Name
The Subject Alternative Name (SAN) list is only present on certificates. It contains information used to validate the identity of the certificate. For example, when connecting to a device on the network, a system may compare the hostname or IP address to which it connected with values in the certificate SAN list. This way, it can be sure it is communicating with the intended host and not an impostor.
Note
The Common Name value from a certificate is automatically added to the SAN list internally, as its inclusion is a requirement of current standards.
The following types of SAN entries can be added to a certificate:
- FQDN or Hostname:
A fully qualified domain name (e.g. host.domain.tld) or a hostname (host). In most cases this hostname would also exist in DNS. In the case of user certificates, this could also be a username.
- IP Address:
An IP address (e.g. x.x.x.x), typically an address found on a network device using this certificate. Necessary for clients to properly validate the certificate when connecting by IP address instead of by hostname.
- URI:
A Uniform Resource Identifier for the certificate subject. In practice, only used as an alternate way to determine the hostname when communicating with servers. It does not restrict certificate validity to specific URIs on a server.
- E-mail Address:
An e-mail address for the certificate subject.
Certificate Properties in Lists
When viewing the lists of CA and certificate entries, the properties of the entry are available in the Distinguished Name column. The DN is printed there and additional detailed information is available from the icon.
Underneath that information, the GUI prints the start and end dates for the validity of the entry. The difference between the start and end date is the Lifetime. When an entry is nearing expiration, the GUI highlights the end date in yellow. When an entry is expired, it is red. The system also generates notifications for expiring certificates.
See also
The certificate expiration warning threshold is 27 days by default, but can be customized. See Notifications for details.
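The properties described on this page (key type and length, digest algorithm, lifetime, Distinguished Name, SAN list, and the expiration warning used in the lists) can be checked programmatically. The Go program below is an added example written for this page; it is not pfSense code and does not use the firewall's own tooling. It creates two constructed self-signed certificates with Go's standard crypto/x509 package (an RSA-2048 server certificate with a DNS and an IP SAN entry, and an ECDSA P-256 user certificate with only a Common Name) and then applies the guidance above: RSA keys below 2048 bits are rejected, SHA-1 and MD5 signature digests are rejected, the Lifetime is taken as the difference between the start and end dates and compared with the 398-day server maximum, the 27-day warning window yields the same three states the list colours show, and name validation consults only the SAN list, so the Common Name alone does not match. The names fw.example.com, alice and 192.0.2.1 are constructed sample values, the 256-bit ECDSA floor in KeyOK is an assumption (the page states no ECDSA minimum), and no SHA-1 certificate is generated: DigestOK is exercised directly on the algorithm value.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Thresholds stated on this page: RSA key floor, server lifetime cap, expiry warning window.
const (
	MinRSABits     = 2048
	MaxServerDays  = 398
	ExpiryWarnDays = 27
)

// makeCert builds a self-signed certificate from constructed values (test data, not a real CA).
// The Subject is the Distinguished Name: only the Common Name is required, the rest is descriptive.
func makeCert(key crypto.Signer, cn string, days int, dns []string, ips []net.IP) (*x509.Certificate, error) {
	notBefore := time.Now().Add(-time.Hour)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Country: []string{"US"}, Organization: []string{"Example Org"}},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:     dns, // SAN entries of type FQDN or hostname
		IPAddresses:  ips, // SAN entries of type IP address
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// KeyInfo reports the key type and size: modulus bits for RSA, curve bits for ECDSA.
func KeyInfo(cert *x509.Certificate) (kind string, bits int) {
	switch k := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		return "ECDSA", k.Curve.Params().BitSize
	}
	return "unknown", 0
}

// KeyOK rejects RSA below 2048 bits. The page sets no ECDSA minimum; 256 bits is an assumed floor.
func KeyOK(kind string, bits int) bool {
	return (kind == "RSA" && bits >= MinRSABits) || (kind == "ECDSA" && bits >= 256)
}

// DigestOK rejects SHA-1 and MD5 signature digests, per the warning above.
func DigestOK(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.UnknownSignatureAlgorithm, x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1, x509.DSAWithSHA1:
		return false
	}
	return true
}

// LifetimeDays is the end date minus the start date in days (the Lifetime shown in the lists).
func LifetimeDays(cert *x509.Certificate) int { return int(cert.NotAfter.Sub(cert.NotBefore) / (24 * time.Hour)) }
func ServerLifetimeOK(cert *x509.Certificate) bool { return LifetimeDays(cert) <= MaxServerDays }

// ExpiryState mirrors the list colouring: "expired" (red), "expiring" (yellow, inside the window) or "ok".
func ExpiryState(cert *x509.Certificate, now time.Time) string {
	left := cert.NotAfter.Sub(now)
	switch {
	case left <= 0:
		return "expired"
	case left <= time.Duration(ExpiryWarnDays)*24*time.Hour:
		return "expiring"
	}
	return "ok"
}

// NameMatches: would a client connecting to host (DNS name or IP) accept this certificate?
// Go, like other modern systems, consults only the SAN list and ignores the Common Name.
func NameMatches(cert *x509.Certificate, host string) bool { return cert.VerifyHostname(host) == nil }

func main() {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	server, _ := makeCert(rsaKey, "fw.example.com", 398, []string{"fw.example.com"}, []net.IP{net.ParseIP("192.0.2.1")})
	user, _ := makeCert(ecKey, "alice", 3650, nil, nil) // Common Name only, no SAN entries
	for _, c := range []*x509.Certificate{server, user} {
		kind, bits := KeyInfo(c)
		fmt.Printf("%s: %s-%d keyOK=%v digestOK=%v lifetime=%dd %s\n", c.Subject.CommonName, kind, bits,
			KeyOK(kind, bits), DigestOK(c.SignatureAlgorithm), LifetimeDays(c), ExpiryState(c, time.Now()))
	}
	// Only SAN entries count for name validation: the CN-only user certificate does not match "alice".
	fmt.Println(NameMatches(server, "fw.example.com"), NameMatches(server, "192.0.2.1"), NameMatches(user, "alice"))
}
```

The same checks apply to certificates exported from the firewall: parse the PEM with x509.ParseCertificate and hand the result to the functions above. The CN-only case is the one worth remembering when a client rejects a certificate that "has the right name": the name must be present in the SAN list, which is why the GUI adds the Common Name there automatically.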