Generating keys and certificates

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

User Identification for Policy Enforcement > Configuring user identification and authentication > Secure manual authentication > Generating keys and certificates

Generating keys and certificates

Administrator Help | Forcepoint Web Security and Forcepoint URL Filtering | v8.5.x

Related topics:

Manual authentication

Setting authentication rules for specific machines

Secure manual authentication

Activating secure manual authentication

Accepting the certificate within the client browser

A certificate consists of a public key, used to encrypt data, and a private key, used to decipher data. Certificates are issued by a Certificate Authority (CA). You can generate a certificate from an internal certificate server, or obtain a client certificate from any third-party CA, such as VeriSign.

The CA issuing the client certificate must be trusted by web protection software. Typically, this is determined by a browser setting.

There are many tools that you can use to generate a self-signed certificate, including the OpenSSL toolkit (available from openssl.org).

Regardless of the method you choose for generating the certificate, use the following general steps.

1.

Generate a private key (server.key).

For the best browser compatibility, an Elliptic Curve key should be generated using either the secp256r1 (aka P-256) or secp384r1 (aka P-384) named curves.

2.

Generate a Certificate Signing Request (CSR) with the private key.


	Important When prompted for the CommonName, enter the IP address of the Filtering Service machine. If you skip this step, client browsers will display a security certificate error. A separate certificate must be generated for each Filtering Service.

3.

Submit the CSR to a CA to be signed or use the CSR to create a self-signed certificate (server.crt).

The certificate should be signed using SHA-256 or a similar algorithm in the SHA-2 family.

4.

Save the server.crt and server.key files in a location that you software can access, and where they can be read by Filtering Service.

a.

If OpenSSL is used to generate a certificate, use the following commands:

openssl ecparam -name secp384r1 -genkey -out <name>.key

openssl req -new -key <name>.key -out <name>.csr

You will be prompted to enter the required data fields for the certificate.

b.

To create a self-signed certificate from the CSR, use the command

openssl x509 -req -in <name>.csr -out <name>.crt -signkey <name>.key -days <days before expiration> -sha256

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

User Identification for Policy Enforcement > Configuring user identification and authentication > Secure manual authentication > Generating keys and certificates

Copyright 2023 Forcepoint. All rights reserved.