Using Clavister NetWall as certificate authority (CA)
Last modified on 17 Dec, 2021. Revision 15
Up to date for: cOS Core 14.00
What is a certificate authority (CA)?
A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by any third party.
A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.
Creating the CA certificate
To create a CA certificate, browse to Key Ring (Objects → Key Ring) and add a new certificate. Give it a name and click the Configure button to configure the CA certificate.
The following Subject Name fields can be configured on a CA certificate:
- CN: CommonName
- OU: OrganizationalUnit
- O: Organization
- L: Locality
- C: CountryName
Example: CN=Sample CA,OU=Support,O=My Company,C=SE
The Public Key Type can be either RSA or EC (Elliptic Curves). If using EC, make sure the Key Size is 384 or higher. Note that RSA certificates have broader compatibility, especially around IPsec, while EC certificates are considered faster and more secure. If the certificate will only be used for HTTPS based features, pick EC; if it is also going to be used for IPsec, select RSA.
When generated, the CA certificate should be listed in the Key Ring.
Download this Certificate and import into trusted CA Store on end devices.
Download the certificate (not the key) and deploy it to your end devices so that they trust certificates issued by the CA. How this is done depends on the operating system, or on the device management system if the device is managed.
Example: Creating a CA signed End-Entity certificate for OneConnect and/or WebUI
To create a signed End-Entity certificate, browse to Key Ring (Objects → Key Ring) and add a new certificate. Give it a name and click the Configure button to configure the End-Entity certificate.
Make sure End-Entity is selected and the CA Certificate created in the previous step is selected as Issuer Certificate.
Note: The Subject Alternative Name (SAN) of the certificate should be the hostname entered and used to connect to the WebUI and/or the OneConnect interface in cOS Core.
Note: Validity should not be too long on End-Entity certificates.
Note: Key Size must be 384 bits or higher if using EC.
Configure NetWall to use the certificate
To use the newly created certificate go to Advanced Settings in Remote Management (Device Settings → Remote Settings → Advanced Settings) and scroll down to the WebUI settings.
Select the created certificate as HTTPS Certificate and the CA Certificate as HTTPS Root Certificate.
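The same CA-then-End-Entity flow the two sections above walk through in the Key Ring, reproduced with the openssl command line as an added example (this is not Clavister's code and does not touch cOS Core): it creates an EC P-384 CA, issues an End-Entity certificate with the hostname in the SAN and a short validity, and then runs the checks a client such as a browser or OneConnect effectively performs once the CA certificate is in its trust store. The names Sample CA, My Company and fw.example.com are constructed placeholders; replace the hostname with the one your users type to reach the WebUI or OneConnect.

```shell
#!/bin/sh
# Added example, not from the Clavister article: CA -> End-Entity flow with the
# openssl CLI, plus the checks behind the article's three notes (SAN = hostname,
# short validity, EC key >= 384 bits). Needs OpenSSL 1.1.1 or later.
set -e

WORK=$(mktemp -d)
HOSTNAME_FQDN="fw.example.com"   # constructed: the name clients use for WebUI/OneConnect

# Step 1: CA certificate on a 384-bit EC key, subject as in the article's example.
make_ca() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Sample CA
OU = Support
O = My Company
C = SE
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -key "$WORK/ca.key" -config "$WORK/ca.cnf" \
        -sha384 -days 3650 -out "$WORK/ca.pem" 2>/dev/null
}

# Step 2: End-Entity certificate issued by the CA. The SAN carries the hostname
# and the validity is deliberately short (397 days here).
make_end_entity() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/fw.key"
    openssl req -new -key "$WORK/fw.key" \
        -subj "/CN=$HOSTNAME_FQDN/O=My Company/C=SE" -out "$WORK/fw.csr" 2>/dev/null
    cat > "$WORK/fw.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOSTNAME_FQDN
EOF
    openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -sha384 -days 397 -extfile "$WORK/fw.ext" \
        -out "$WORK/fw.pem" 2>/dev/null
}

# Step 3a: chain validation plus hostname match against the SAN, i.e. what a
# client with ca.pem in its trust store checks. Returns 0 on success.
verify_chain_for_host() {   # $1 = hostname the client connected to
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/fw.pem" >/dev/null 2>&1
}

# Step 3b: public key size in bits, read from the certificate text dump.
key_bits() {
    openssl x509 -in "$WORK/fw.pem" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Step 3c: returns 0 if the certificate is still valid N days from now.
# "outlives_days 398" succeeding would mean the validity is longer than a year.
outlives_days() {   # $1 = number of days
    openssl x509 -in "$WORK/fw.pem" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Stand-alone run: build both certificates and report the checks.
make_ca
make_end_entity
if verify_chain_for_host "$HOSTNAME_FQDN"; then
    echo "chain and hostname check OK for $HOSTNAME_FQDN"
else
    echo "chain or hostname check FAILED for $HOSTNAME_FQDN"
fi
echo "end-entity key size: $(key_bits) bits"
if outlives_days 398; then
    echo "validity is longer than ~13 months, consider shortening it"
else
    echo "validity is short (expires within 398 days)"
fi
```

The negative case is the useful one to keep in mind: running `verify_chain_for_host` with a name that is not in the SAN fails even though the chain itself is fine, which is exactly what users see as a browser or OneConnect warning when the certificate's SAN does not match the hostname they connect to.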