General Certificate Guidelines
Currently, the following certificate/key file formats are supported:
1. PEM - PEM format certificates/keys are ASCII files that usually use a ".pem" extension with the file name. PEM stands for Privacy Enhanced Mail. A PEM-format certificate contains a Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tokens. Keys encoded using the PEM format have "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" tokens. (Keys exported by some tools carry type-specific tokens instead, such as "-----BEGIN RSA PRIVATE KEY-----"; if such a key is rejected on upload, convert it to the PKCS #8 form shown here, for example with "openssl pkey".) PEM is the format used when uploading from the CLI, with the certificate and key in separate files as described below; PEM files are also supported in the GUI.
2. PKCS #12 - PKCS #12 format files are binary files, usually with a ".p12" extension with the file name.
3. PFX - PFX format files are also in PKCS #12 format, however with additional specifics. These files usually have a ".pfx" extension with the file name. PFX files are supported in the GUI, however not in the CLI.
Currently, PEM-format certificates and keys must be uploaded separately in the CLI using the certfile and keyfile parameters in the certificate context, or through the GUI.
PKCS #12 and PFX format files usually contain both the certificate and the associated key. You can upload such a file once, as either the certfile or the keyfile, in the GUI. The GUI separates the key and the certificate behind the scenes and stores them appropriately. You can also upload the same file as both the certfile and the keyfile.
If you upload a certificate that does not match the cipher suites configured for the HTTPS cluster (for example, an ECDSA certificate for a cluster whose cipher list contains only RSA suites, or a certificate whose key was uploaded as a non-matching keyfile), the HTTPS handshake fails and you will no longer be able to log into the GUI. You will need to supply the correct certificate/key pairing. In the meantime, you can enable HTTP access to the GUI temporarily to enter the proper certificate/key pairing and restore HTTPS access. HTTP sends administrator credentials in the clear, so enable it only from a trusted management network and disable it again as soon as HTTPS is working. Before uploading, confirm that the certificate and key really belong together, and that the certificate's key type is one your configured cipher suites can use.
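The checks described above can be done with the openssl command-line tool before anything is uploaded. The following script is an added example, not code from the Equalizer guide or from Coyote Point/Fortinet: it classifies a file as PEM or PKCS #12/PFX, splits a PKCS #12 (or PFX) bundle into the separate certificate and key PEM files the CLI's certfile and keyfile parameters expect (which is what the GUI does behind the scenes), verifies that a certificate and key share the same public key so a mismatched pair is caught before it locks you out, and reports the certificate's public key algorithm for comparison against the cluster's cipher suites. It assumes openssl (1.1 or 3.x) is on PATH; all file names, the password "secret" and the demo certificate are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Equalizer guide): inspect, split and sanity-check
# certificate/key files with openssl before uploading them as certfile/keyfile.
# Assumes openssl 1.1 or 3.x on PATH. File names and passwords are hypothetical.

# pem_kind FILE -> prints "cert", "key", "both" or "none" according to the PEM
# armor tokens found. The CLI wants cert and key in separate files, so "both"
# means the file still needs splitting.
pem_kind() {
    has_cert=0; has_key=0
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then has_cert=1; fi
    # accept PKCS#8, traditional RSA/EC and encrypted PKCS#8 key tokens
    if grep -Eq -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"; then has_key=1; fi
    case "$has_cert$has_key" in
        11) echo both ;; 10) echo cert ;; 01) echo key ;; *) echo none ;;
    esac
}

# file_format FILE PASSWORD -> "pem", "pkcs12" (covers .p12 and .pfx) or "unknown".
# A PKCS#12 file is recognised only if its MAC verifies with the given password.
file_format() {
    if [ "$(pem_kind "$1")" != none ]; then
        echo pem
    elif openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null; then
        echo pkcs12
    else
        echo unknown
    fi
}

# split_pkcs12 FILE PASSWORD OUTDIR -> writes OUTDIR/cert.pem and OUTDIR/key.pem.
# Re-encoding through x509/pkey drops the "Bag Attributes" header lines so the
# outputs are plain PEM; the key is written unencrypted.
split_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$3/cert.pem"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$3/key.pem"
}

# Compare SHA-256 digests of the DER-encoded public key taken from the
# certificate and derived from the private key; equal means they are a pair.
cert_pub_digest() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256; }
key_pub_digest()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }
cert_key_match()  { [ "$(cert_pub_digest "$1")" = "$(key_pub_digest "$2")" ]; }

# cert_key_algorithm CERT -> e.g. "rsaEncryption" or "id-ecPublicKey"; an RSA
# cipher suite needs the former, an ECDSA suite the latter.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# demo_roundtrip DIR: build a constructed self-signed cert + key, bundle them as
# PKCS#12, split the bundle back out and run every check. Returns 0 on success.
demo_roundtrip() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/site.key" -out "$d/site.crt" \
        -subj "/CN=demo.example" -days 1 >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$d/site.key" -in "$d/site.crt" \
        -out "$d/site.p12" -passout pass:secret || return 1
    # an unrelated key, to prove a wrong pairing is detected rather than accepted
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null || return 1
    mkdir -p "$d/split"
    split_pkcs12 "$d/site.p12" secret "$d/split" || return 1
    [ "$(file_format "$d/site.p12" secret)" = pkcs12 ] || return 1
    [ "$(pem_kind "$d/split/cert.pem")" = cert ] || return 1
    [ "$(pem_kind "$d/split/key.pem")" = key ] || return 1
    cert_key_match "$d/split/cert.pem" "$d/split/key.pem" || return 1
    if cert_key_match "$d/split/cert.pem" "$d/other.key"; then return 1; fi
    [ "$(cert_key_algorithm "$d/split/cert.pem")" = rsaEncryption ] || return 1
    return 0
}

tmp=$(mktemp -d)
if demo_roundtrip "$tmp"; then
    echo "round trip OK: split files match, wrong key rejected, algorithm $(cert_key_algorithm "$tmp/split/cert.pem")"
else
    echo "round trip FAILED"
fi
rm -rf "$tmp"
```

To use it on a real bundle, run split_pkcs12 on the .p12 or .pfx file with its export password, then cert_key_match on the two outputs before uploading them as certfile and keyfile; if cert_key_algorithm does not correspond to any cipher suite in the cluster's list, fix the cipher list or obtain a matching certificate first rather than discovering the problem as a GUI lockout.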
Software vs. Hardware Encryption/Decryption
Without hardware SSL acceleration, all Layer 7 HTTPS encryption and decryption is performed by
software, using Equalizer’s CPU and memory. With hardware acceleration, all SSL operations for
Layer 7 HTTPS clusters are performed on dedicated hardware, thus offloading both the servers
behind Equalizer and Equalizer itself -- freeing more resources for traffic and application
management.
In terms of configuration, both software and hardware SSL operations require a list of cipher
suites (encryption algorithms) to be used to encrypt and decrypt HTTPS traffic.
The following table indicates the SSL encryption support for specific models.

Platform          SSL offloading
E250GX            Software only
E370LX, E350GX    Software only
E470LX, E450GX    Hardware acceleration (supported ciphers only)
E670LX, E650GX    Hardware acceleration (supported ciphers only)
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.
All Rights Reserved.
Equalizer Administration Guide