Secure Computing SafeNet User Manual

Identifying authentication requirements
Planning Your VPN Configuration                                                                       
If you have not already done so, decide whether the VPN will use 
self-signed certificates generated by Sidewinder or certificates issued 
by a public or private CA server. Table 2-1 compares the two approaches.
Table 2-1. Sidewinder self-signed certificates versus CA-based certificates

Scenario                                  Profile
Using self-signed certificates            • No CA needed
(for a small number of VPN clients)       • Requires one VPN association for
                                            each client

Using CA-based certificates               • Uses a private or public CA
(for a medium to large number of          • Single VPN association for all
VPN clients)                                clients
                                          • Can make VPN deployment and
                                            management more efficient

A closer look at self-signed certificates

A VPN implemented using Sidewinder self-signed certificates does not 
require an external certificate authority and is relatively easy to 
configure for a small number of clients (fewer than 10). However, one 
VPN association must be configured on Sidewinder for each client, so the 
administrative time grows with the number of configured clients. Because 
each self-signed certificate expires one year after it is created (see 
the note to Figure 2-2), the client objects must also be regenerated and 
redistributed annually. Figure 2-2 shows the certificates involved in a 
VPN using Sidewinder self-signed certificates.

Figure 2-2. Sidewinder self-signed certificate summary
[Figure 2-2 shows a Soft-PK client on the Internet and Sidewinder in 
front of the Protected Network. After the steps below, each side holds a 
Client Cert. and the Firewall Cert. The files shown are *.pem 
certificate files, a *.pk1 private-key file, and the PK12 object that is 
imported into Soft-PK. The figure's callouts describe these steps:]

• Admin creates the firewall private key and certificate on Sidewinder.
• Admin creates the client private key/certificate pair(s) on Sidewinder.
• Admin converts the client private key and exports the certificate 
  files to a PK12 object.
• Client private key and certificate file (PKCS12) imported into Soft-PK.
• Firewall certificate imported into Soft-PK (the firewall private key 
  remains on Sidewinder).

Note: A self-signed certificate created on Sidewinder remains valid for 
one year beginning from the date it is created.
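The workflow called out in Figure 2-2, re-created with OpenSSL as an added example. This is not Sidewinder's or Soft-PK's own command set (Sidewinder produces these objects from its administration interface, and the manual shows no command syntax); it only builds the same artifacts (a *.pem firewall certificate, one self-signed key/certificate pair per client, and the PKCS12 object that Soft-PK imports) so the trust model is visible: with no CA involved, every VPN association pins one exact client certificate, and the firewall private key never leaves the firewall. The host name, client names, scratch directory and PKCS12 passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Sidewinder/Soft-PK code: the Figure 2-2 workflow
# re-created with OpenSSL. Host name, client names, WORK directory and
# the PKCS#12 passphrase are assumptions for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # assumed scratch directory
DAYS=365                                # manual: self-signed certs last one year
PK12_PASS="${PK12_PASS:-vpn-client1}"   # assumed PKCS#12 passphrase

# Firewall side: private key plus self-signed certificate.
# Only firewall.pem (the certificate) is ever exported; the key stays put.
make_firewall_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "/CN=sidewinder.example.net" \
    -keyout "$WORK/firewall.key" -out "$WORK/firewall.pem" 2>/dev/null
}

# One self-signed key/certificate pair per VPN client. Each client is its
# own root of trust, which is why the self-signed model needs one VPN
# association (one pinned certificate) per client on Sidewinder.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Convert the client key and certificate into a PKCS#12 object, the form
# Soft-PK imports. The firewall certificate travels alongside as plain PEM.
export_client_pk12() {
  openssl pkcs12 -export -name "$1" \
    -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -passout "pass:$PK12_PASS" -out "$WORK/$1.p12"
}

# SHA-256 fingerprint of a PEM certificate (from -in FILE or stdin):
# without a CA, this is what a VPN association effectively pins.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 "$@" | cut -d= -f2
}

# Association check: does the certificate inside the PKCS#12 object for
# client $2 match the certificate pinned for client $1 on the firewall?
# Returns 0 on a match, non-zero otherwise.
verify_association() {
  pinned="$(fingerprint -in "$WORK/$1.pem")"
  presented="$(openssl pkcs12 -in "$WORK/$2.p12" -passin "pass:$PK12_PASS" \
                 -clcerts -nokeys 2>/dev/null | fingerprint)"
  [ "$pinned" = "$presented" ]
}

# Does certificate $1 stay valid for at least $2 more days? Use this to
# schedule the regeneration that the one-year validity forces.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
  make_firewall_cert
  for c in client1 client2; do
    make_client_cert "$c"
    export_client_pk12 "$c"
  done
  # Firewall-side view: one association per client, each pinning one cert.
  for c in client1 client2; do
    printf 'association %s  %s\n' "$c" "$(fingerprint -in "$WORK/$c.pem")"
  done
  verify_association client1 client1 && echo "client1 object matches its association"
  verify_association client1 client2 || echo "client2 object rejected by client1 association"
  valid_for_days "$WORK/firewall.pem" 364 && echo "firewall cert still valid in 364 days"
  valid_for_days "$WORK/firewall.pem" 366 || echo "firewall cert expires within 366 days"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh figure-2-2.sh --demo`. The second `verify_association` call is the point of the exercise: a valid, unexpired certificate from another client is still rejected, because nothing but the pinned certificate itself is trusted; the CA-based model in Table 2-1 replaces that per-client pin with a single association that trusts the issuer.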