Adding Certificates to the NVG

Using the encryption capabilities of the VPN Gateway requires adding a key and certificate that conform to the X.509 standard to the VPN Gateway. If you have more than one VPN Gateway in a cluster, the key and certificate need only be added to one of the devices. As with configuration changes, the information is automatically propagated to all other devices in the cluster.

Note: When using an ASA 310-FIPS running in FIPS mode, the private key associated with a certificate cannot be imported. All private keys must be generated on the HSM card itself due to the FIPS security requirements.

There are two ways to install a key and certificate into the VPN Gateway:

• Copy-and-paste the key/certificate.
• Download the key/certificate from a TFTP/FTP/SCP/SFTP server.

The VPN Gateway supports importing certificates and keys in these formats:

• PEM
• NET
• DER
• PKCS7 (certificate only)
• PKCS8 (keys only, used in WebLogic)
• PKCS12 (also known as PFX)

Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the VPN Gateway, as well as keys from Netscape Enterprise Server or iPlanet Server. Importing keys from Netscape Enterprise Server or iPlanet Server, however, requires that you first use a conversion tool. For more information about the conversion tool, contact Nortel. See “How to Get Help” (page 14) for contact information.

When exporting certificates and keys from the VPN Gateway with the export command, you can choose to save in the PEM, NET, DER, or PKCS12 format. If you use the display command instead (which requires a copy-and-paste operation), you are restricted to saving certificates and keys in the PEM format only.

Note: When performing a copy-and-paste operation to add a certificate or key, you must always use the PEM format.

Nortel VPN Gateway
User Guide
NN46120-104 02.01 Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks.
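The format rules above can be checked before an import is attempted. The following Python example is added here and is not from the Nortel guide; it classifies a key or certificate blob by its PEM armor or outer ASN.1 shape and reports whether it may be pasted (PEM only). The function names and the sample blob are assumptions made for illustration, the NET and MS IIS 4 formats are not detected, and the binary result is a heuristic on structure alone (a certificate request has the same outer shape as a certificate).

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Constructed minimal blob: outer ASN.1 shape only, not a real certificate.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAYwADAAAwA=\n-----END CERTIFICATE-----\n"

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_der(buf):
    """Guess the import format of a binary blob from its outer ASN.1 shape."""
    try:
        tag, start, end = read_tlv(buf, 0)
        t1, s1, e1 = read_tlv(buf, start)
        t2 = read_tlv(buf, e1)[0] if e1 < end else None
    except (IndexError, ValueError):
        return "unknown"
    if tag != 0x30:                     # every format here is an outer SEQUENCE
        return "unknown"
    if t1 == 0x02 and buf[s1:e1] == b"\x03":    # PFX version is always 3
        return "PKCS12"
    return {
        (0x06, 0xA0): "PKCS7",                  # contentType OID, [0] content
        (0x30, 0x30): "DER certificate",        # tbsCertificate, signatureAlgorithm
        (0x30, 0x04): "PKCS8 key (encrypted)",  # AlgorithmIdentifier, OCTET STRING
        (0x02, 0x30): "PKCS8 key",              # version, AlgorithmIdentifier
        (0x02, 0x02): "DER key (traditional RSA/DSA)",  # version, first INTEGER
    }.get((t1, t2), "unknown")

def classify(blob):
    """Return (format, pasteable); only PEM can be added by copy-and-paste."""
    blocks = PEM_RE.findall(blob)
    if not blocks:
        return classify_der(blob), False
    try:
        for _, body in blocks:          # skip "Proc-Type:"/"DEK-Info:" header lines
            text = b"".join(ln.strip() for ln in body.splitlines() if b":" not in ln)
            base64.b64decode(text, validate=True)
    except ValueError:
        return "corrupt PEM", False
    return "PEM: " + ", ".join(label.decode() for label, _ in blocks), True
```

`classify(SAMPLE_PEM)` returns `("PEM: CERTIFICATE", True)`; any blob reported as not pasteable has to be transferred from a file server instead.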