Chapter 44. Key Management

For public-key encryption procedures, each side must generate its own private key before the connection is established, and the corresponding public keys must be exchanged with the peer.

For this purpose, key management is available on the Intra2net system.

44.1. Own Keys

In the menu System > Keys > Own keys you can create your own key pairs from public and private keys.

The keys are created according to the X.509 standard. The majority of IPSec systems support this key type. It has a more complex structure and is used not only for IPSec but also for SSL/TLS (e.g. HTTPS) and the encryption of emails (S/MIME).

The security of the encryption depends, among other things, on the key length in bits. The Intra2net system supports a key length of 1024 to 4096 bits. The longer the key, the more secure the connection is. Some peers may not support all key lengths or might be overloaded by keys that are too long. We recommend using 2048 bits.

Owner data for X.509 keys can be a country code (2 letters), state, city, company name, department name, computer name and email address. Either a computer name or an email address must be entered; the rest of the data is optional.

Caution

The owner data of a key must be unique. Therefore, the owner data may only be entered once on this device and on all devices connected via VPN.

For security reasons, the validity period of an X.509 key is limited. After the expiry of the validity period, the key is no longer accepted and must be renewed. Extending the validity is not possible.

To pass the public key to the peer, save it to a file with Export certificate.

If multiple VPNs are set up on the Intra2net system, you do not have to create a separate key for each connection: you can use an Own Key for all VPNs. You only need the public key from each of the peers.

44.1.1. Certificate Authorities (CAs)

To keep operation simple, the Intra2net system normally generates self-signed certificates, in which the holder (Subject) is also the certificate issuer.

If you want to use a CA instead, create a normal key first. You can then export a certificate request under the tab CA. Have the CA sign this certificate request; the resulting certificate can then be imported back into the Intra2net system.

Some VPN peers do not accept self-signed keys and require keys that have been signed by a CA. To facilitate compatibility with such peers, there is the "Sign key with other key" option.

If you are dealing with such a peer, proceed as follows:

  1. Create your own new key. This certificate is not used in the VPN itself but only for signing, so call it server-ca, for example.

  2. Export this certificate and import it on the other side as a trusted Root CA.

  3. Now create your own key on the Intra2net system. This will be used later by the system for the VPN.

  4. Use the "Sign key with another key" option to sign this key with the CA key created previously.
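The following script is an added example and is not part of the Intra2net manual or product; it reproduces the four steps above, the certificate-request path from 44.1.1 and the key-length and validity checks from 44.1 with the openssl command-line tool, so that the individual artifacts (CA certificate, VPN key, request, signed certificate) can be inspected. It assumes openssl is installed and uses constructed subject data (Example Org, vpn.example.net, admin@example.net); the Intra2net system performs all of these steps itself in System > Keys > Own keys.

```shell
#!/bin/sh
# Added example (not Intra2net's code): the chapter's workflow done by hand with openssl.
# All subject fields are constructed sample values. Works in a scratch directory.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Step 1: a key pair used only for signing ("server-ca"). It is self-signed,
# i.e. holder (Subject) and issuer are the same, as the Intra2net system does by default.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout server-ca.key -out server-ca.crt \
        -subj "/C=DE/O=Example Org/CN=server-ca" 2>/dev/null
}

# Step 3 and the 44.1.1 request path: the key the system will actually use for the VPN,
# plus a certificate request carrying the owner data (computer name or email is mandatory).
make_vpn_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout vpn.key -out vpn.csr \
        -subj "/C=DE/O=Example Org/OU=IT/CN=vpn.example.net/emailAddress=admin@example.net" \
        2>/dev/null
}

# Step 4 ("Sign key with another key"): the server-ca key signs the VPN request.
sign_with_ca() {
    openssl x509 -req -in vpn.csr -CA server-ca.crt -CAkey server-ca.key \
        -CAcreateserial -days 365 -out vpn.crt 2>/dev/null
}

# Step 2 from the peer's point of view: once server-ca.crt is trusted as a Root CA,
# vpn.crt verifies; without that trust anchor the same certificate is rejected.
verify_chain() {
    openssl verify -CAfile server-ca.crt vpn.crt >/dev/null 2>&1
}

# Key length in bits of an RSA private key (the chapter recommends 2048).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Validity check: exit status 0 while the certificate has not expired.
# An expired certificate cannot be extended; it has to be renewed.
not_yet_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

main() {
    make_ca
    make_vpn_key_and_csr
    sign_with_ca
    echo "vpn.key length: $(key_bits vpn.key) bits"
    openssl x509 -in vpn.crt -noout -subject -issuer -enddate
    verify_chain && echo "vpn.crt is accepted by a peer that trusts server-ca.crt"
    not_yet_expired vpn.crt && echo "vpn.crt is within its validity period"
}
main
```

After running, server-ca.crt is the file that step 2 imports on the other side as a trusted Root CA, and vpn.crt (together with vpn.key, which never leaves the system) is what the VPN uses. `openssl verify vpn.crt` without the -CAfile option fails, which is the behaviour of a peer that does not trust the issuer.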