If an end device trusts a previously created, superordinate (parent) CA, it can be moved between sites without further effort. This case is described in more detail below:
1) Creating the parent CA: This CA can be created on any LANCOM R&S®Unified Firewall. Ideally, this is done on a central firewall without Internet access. If a dedicated public-key infrastructure already exists, it is recommended to use it.
Info |
---|
We recommend that the parent CA is valid for at least 5 years. |
2) Rolling out the CA: This parent CA must be imported on all endpoints. Before it expires, it must be renewed and replaced on all endpoints.
3) Creating and signing the proxy CAs on the individual LANCOM R&S®Unified Firewalls:
- A certificate signing request (CSR) for an intermediate CA is created locally on the individual LANCOM R&S®Unified Firewalls.
- The CSR must be signed centrally by the parent CA.
- The signed intermediate CA is imported into the local LANCOM R&S®Unified Firewall and selected as the CA for the HTTPS proxy.
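The trust chain that steps 1 to 3 produce can be reproduced and checked with the openssl command line. This is an added example, not LANCOM tooling or part of the original article: the subjects, file names, the site names siteA/siteB/siteC and all lifetimes except the 5-year parent CA are assumptions, and the leaf certificate stands in for one that the HTTPS proxy issues.

```shell
# Added example: constructed names and lifetimes; requires the openssl CLI.
set -eu

write_cfg() {  # extension profiles applied when certificates are signed
  cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[parent]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[proxy]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
}
self_sign() {  # self_sign DIR NAME CN PROFILE DAYS: self-signed CA certificate
  openssl req -x509 -config "$1/x.cnf" -extensions "$4" -newkey rsa:2048 -nodes \
    -sha256 -days "$5" -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
new_csr() {  # new_csr DIR NAME CN: key pair and CSR, created locally on a firewall
  openssl req -new -config "$1/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
sign() {  # sign DIR NAME ISSUER PROFILE DAYS: ISSUER signs NAME.csr
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" -CAcreateserial \
    -sha256 -days "$5" -extfile "$1/x.cnf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
}
build_pki() {
  d=$1; write_cfg "$d"
  self_sign "$d" parent "Example Parent CA" parent 1825    # step 1: 5 years
  for s in siteA siteB; do                                  # step 3, per firewall
    new_csr "$d" "$s" "$s Proxy CA"; sign "$d" "$s" parent proxy 730
    new_csr "$d" "$s-leaf" intranet.example; sign "$d" "$s-leaf" "$s" leaf 30
  done
  self_sign "$d" siteC "siteC Proxy CA" proxy 730           # never signed centrally
  new_csr "$d" siteC-leaf intranet.example; sign "$d" siteC-leaf siteC leaf 30
}
endpoint_trusts() {  # endpoint holds only parent.crt (step 2); proxy CA arrives untrusted
  openssl verify -CAfile "$1/parent.crt" -untrusted "$1/$2.crt" "$1/$2-leaf.crt" >/dev/null 2>&1
}
d=$(mktemp -d); build_pki "$d"
for s in siteA siteB siteC; do
  if endpoint_trusts "$d" "$s"; then echo "$s: trusted"; else echo "$s: rejected"; fi
done
```

The `pathlen:0` constraint in the `proxy` profile keeps a site's proxy CA from signing further CAs, so a compromised firewall key cannot be used to extend the hierarchy.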