Using Clavister NetWall as certificate authority (CA)

Last modified on 17 Dec, 2021. Revision 15
Up to date for cOS Core 14.00
Status: OK


What is a certificate authority (CA)?

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs every certificate it issues. A relying party that trusts the CA can check that signature and thereby confirm that the CA vouches for the identity named in the certificate, and that the certificate's contents have not been altered since it was signed. The signature says nothing about certificates the CA never issued, so trust in the CA is only as good as the protection of its private key.

A CA is responsible for making sure that the information in every certificate it issues is correct, and that the identity in the certificate matches the identity of the party it is issued to.

Creating the CA certificate

To create a CA certificate, browse to Key Ring (Objects → Key Ring), add a new certificate, give it a name and click the Configure button to configure it as a CA certificate.

The Subject Name of the CA certificate is built from the distinguished name fields Common Name (CN), Organizational Unit (OU), Organization (O) and Country (C), for example:

Example: CN=Sample CA,OU=Support,O=My Company,C=SE

The Public Key Type can be either RSA or EC (Elliptic Curve). If EC is used, the Key Size must be 384 bits or higher. RSA has wider compatibility, especially with IPsec peers, while EC keys are shorter, faster to use and considered at least as strong. The CA's key type determines the signature algorithm on every certificate it issues, so choose EC if the certificates will only be used for HTTPS-based features (WebUI, OneConnect) and RSA if they will also be used for IPsec.

Once generated, the new certificate appears in the Key Ring as a self-signed CA certificate carrying the Subject Name entered above.

Download this certificate and import it into the trusted CA store on end devices

Download the certificate only, never the private key, and deploy it to the end devices so that they trust certificates issued by the CA. How this is done depends on the operating system and on whether the devices are enrolled in a device management system, which can push the CA certificate to all managed devices. Every device that trusts this CA will accept any certificate it signs, so keep the CA's private key on the firewall and distribute the certificate through a channel the recipients can trust.

Example: Creating a CA-signed End-Entity certificate for OneConnect and/or WebUI

To create a signed End-Entity certificate, browse to Key Ring (Objects → Key Ring), add a new certificate, give it a name and click the Configure button to configure the End-Entity certificate.

Make sure End-Entity is selected and the CA Certificate created in the previous step is selected as Issuer Certificate.

Note: The Subject Alternative Name (SAN) of the certificate must contain the hostname, as a DNS name, that users type to reach the WebUI and/or the OneConnect interface in cOS Core. Browsers and VPN clients match the name they connected to against the SAN, not the Common Name, so a certificate without a matching SAN is reported as untrusted even after the CA has been imported.

Note: Validity should not be too long on End-Entity certificates. Unlike the CA certificate, they can be reissued without touching the trust stores on end devices, and clients increasingly reject long-lived server certificates.

Note: Key Size must be 384 bits or higher if using EC.
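Before the CA certificate is distributed and the end-entity certificate is bound to the WebUI, it is worth checking the exported files against the requirements above: that the end-entity certificate chains to this CA and to nothing else, that it carries the hostname as a DNS SAN, that EC keys are 384 bits or more, that its validity is short, and that the file being handed to end devices contains no private key. The script below is an added example and is not part of the Clavister article or of cOS Core; it uses only the openssl command line tool. The CA and end-entity certificates it generates in make_test_material are constructed stand-ins for the Key Ring download, and fw.example.com, My Company and the 825-day warning threshold (the longest server certificate lifetime Apple clients accept) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Clavister article): pre-deployment checks on a
# CA certificate and an end-entity certificate exported from the NetWall Key
# Ring. Needs only the openssl command line tool (1.1.0 or later assumed).
# The certificates generated in make_test_material are constructed stand-ins for
# the Key Ring export; point CA_PEM and LEAF_PEM at real downloads to check those.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PEM="$WORK/ca.pem"
LEAF_PEM="$WORK/fw.pem"
HOST_USED="fw.example.com"   # assumed name typed into the browser / OneConnect client

make_test_material() {
    cat > "$WORK/x509.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Sample CA
OU = Support
O = My Company
C = SE
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:fw.example.com
EOF
    # CA: EC P-384 key, self-signed, long-lived
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/x509.cnf" \
        -days 3650 -out "$CA_PEM"
    # End-entity: EC P-384 key, issued by the CA for one year, DNS SAN = hostname
    openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/fw.key"
    openssl req -new -key "$WORK/fw.key" -config "$WORK/x509.cnf" \
        -subj "/CN=$HOST_USED/O=My Company/C=SE" -out "$WORK/fw.csr"
    openssl x509 -req -in "$WORK/fw.csr" -CA "$CA_PEM" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/x509.cnf" -extensions leaf_ext \
        -out "$LEAF_PEM" 2>/dev/null
}

# The end-entity certificate must verify against this CA alone (system trust
# store disabled) and be inside its validity period.
chains_to_ca() {    # $1 = CA PEM, $2 = leaf PEM
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Clients match the connected hostname against a DNS SAN entry, not the CN.
has_dns_san() {     # $1 = leaf PEM, $2 = hostname
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' | grep -qxF -- "DNS:$2"
}

# Key size: EC keys must be 384 bits or more (the cOS Core requirement), RSA 2048+.
key_ok() {          # $1 = PEM
    txt=$(openssl x509 -in "$1" -noout -text)
    alg=$(printf '%s\n' "$txt" | sed -n 's/.*Public Key Algorithm: *//p')
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case "$alg" in
        id-ecPublicKey) [ "${bits:-0}" -ge 384 ] ;;
        rsaEncryption)  [ "${bits:-0}" -ge 2048 ] ;;
        *)              return 1 ;;
    esac
}

# Exit 0 if the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = PEM, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Only the certificate leaves the firewall; refuse a file that carries a key.
no_private_key() {  # $1 = file
    ! grep -q 'PRIVATE KEY' "$1"
}

report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fi; }

make_test_material
report chains_to_ca "$CA_PEM" "$LEAF_PEM"
report has_dns_san "$LEAF_PEM" "$HOST_USED"
report key_ok "$CA_PEM"
report key_ok "$LEAF_PEM"
report no_private_key "$CA_PEM"
report valid_for_days "$LEAF_PEM" 1
# Apple clients reject TLS server certificates valid for more than 825 days; an
# end-entity certificate still valid that far out is too long-lived (assumed threshold).
if valid_for_days "$LEAF_PEM" 825; then echo "WARN end-entity validity exceeds 825 days"; fi
```

To check real exports, set CA_PEM and LEAF_PEM to the downloaded files and skip make_test_material. A FAIL from has_dns_san is the usual reason a browser still warns about the certificate after the CA has been imported, and a FAIL from no_private_key means the wrong file was downloaded from the Key Ring.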

Configure NetWall to use the certificate

To use the newly created certificate go to Advanced Settings in Remote Management (Device Settings → Remote Settings → Advanced Settings) and scroll down to the WebUI settings.

Select the created certificate as HTTPS Certificate and the CA Certificate as HTTPS Root Certificate.

