What is a certificate authority (CA)?

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by any third party.

A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.

Creating the CA certificate

To create a CA certificate browse to Key Ring (Objects → Key Ring) and add a new certificate, give it a name and click on the Configure button to configure the CA certificate.

The following Subject Name fields can be configured on a CA certifcate:

• CN: CommonName
• OU: OrganizationalUnit
• O: Organization
• L: Locality
• C: CountryName

Example: CN=Sample CA,OU=Support,O=My Company,C=SE

The Public Key Type can be either RSA or EC (Elliptic Curves), if using EC make sure the Key Size is 384 or higher, also note that RSA certificates have more compatibility, especially around IPsec, but EC certificates are consider faster and more secure. If the certificate will only be used for HTTPS based features, pick EC, if also going to be used for IPsec then select RSA.

Example below:

When generated there should be a certificate looking something like this:

Download this Certificate and import into trusted CA Store on end devices.

Download the certificate (not the key) and deploy it to your end devices so they will trust certificates issued by the CA, this can be done in a number of ways depending on operating system or if the device is managed by a device management system.

Example: Creating a CA signed End-Entity certificate for OneConnect and/or WebUI

To create a a signed End-Entity certificate browse to Key Ring (Objects → Key Ring) and add a new certificate, give it a name and click on the Configure button to configure the End-Entity certificate.

Make sure End-Entity is selected and the CA Certificate created in the previous step is selected as Issuer Certificate.

Note: The Subject Alternative Name (SAN) of the certificate should be the hostname entered and used to connect to the WebUI and/or the OneConnect interface in cOS Core.

Note: Validity should not be to long on End-Identity certificates.

Note: Key Size must be 384 bits or higher if using EC.

Configure NetWall to use the certificate

To use the newly created certificate go to Advanced Settings in Remote Management (Device Settings → Remote Settings → Advanced Settings) and scroll down to the WebUI settings.

Select the created certificate as HTTPS Certificate and the CA Certificate as HTTPS Root Certificate.

Related articles