About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates
In Fireware v12.3 U1 or higher, the Firebox supports Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. Compared to RSA, ECDSA certificates have equivalent security, smaller keys, and increased efficiency. In some countries, governments require ECDSA certificates for regulation compliance.
In Fireware v12.6.2 or higher, the Firebox supports creating a Certificate Signing Request (CSR) with ECDSA. In Fireware lower than v12.6.2, you must import EC certificates. The Firebox does not generate certificate signing requests for EC certificates. To import a certificate, go to Manage Device Certificates (Web UI) or Manage Device Certificates (WSM).
In Fireware v12.4.1 or lower, the Firebox does not support EC certificates for BOVPN, BOVPN virtual interfaces, or Mobile VPN with IKEv2.
EC Certificates for BOVPN and BOVPN Virtual Interfaces
In Fireware v12.5 or higher, you can specify an ECDSA certificate for a BOVPN or BOVPN virtual interface. ECDSA certificates are also known as EC certificates. If one BOVPN peer uses an EC certificate, the other peer must use an EC certificate. BOVPN peers can have EC certificates with different elliptic curves.
IKEv1 Tunnels
For BOVPN tunnels with IKEv1, the peer that initiates the VPN connection determines the authentication method. The EC certificate determines the Hash algorithm. For example, if you select SHA256-AES256-DH14 as the Phase 1 transform and specify an ECDSA-384 certificate, the Hash algorithm is SHA384 instead of SHA256.
IKEv2 Tunnels
For BOVPN tunnels with IKEv2, each peer determines its own authentication method based on the EC certificate, which means peers can use different authentication methods.
The Firebox supports only these elliptic curves for BOVPN and BOVPN virtual interfaces:
- Prime256v1
- Secp384r1
- Secp521r1
To specify an EC certificate for a BOVPN or BOVPN virtual interface, go to Certificates for Branch Office VPN (BOVPN) Tunnel Authentication.
EC Certificates for Mobile VPN with IKEv2
In Fireware v12.5 or higher, the Firebox supports EC certificates for Mobile VPN with IKEv2. Your IKEv2 client must also support EC certificates. Support varies by operating system:
- Windows 10 — Partial support (ECDSA-256 and ECDSA-384 only)
- Android — Support with strongSwan, which is an open-source client
- macOS and iOS — No support
The Firebox supports only these elliptic curves for Mobile VPN with IKEv2:
- Prime256v1
- Secp384r1
- Secp521r1
To specify an EC certificate in the Firebox Mobile VPN with IKEv2 configuration, go to Edit the Mobile VPN with IKEv2 Configuration.