Using Clavister NetWall as certificate authority (CA)

Last modified on 17 Dec, 2021. Revision 15. Up to date for cOS Core 14.00. Status: OK


What is a certificate authority (CA)?

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by any third party.

A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.

Creating the CA certificate

To create a CA certificate, browse to Key Ring (Objects → Key Ring) and add a new certificate. Give it a name and click the Configure button to configure the CA certificate.

The following Subject Name fields can be configured on a CA certificate:

  • CN: CommonName
  • OU: OrganizationalUnit
  • O: Organization
  • L: Locality
  • C: CountryName

Example: CN=Sample CA,OU=Support,O=My Company,C=SE

The Public Key Type can be either RSA or EC (Elliptic Curves). If using EC, make sure the Key Size is 384 or higher. RSA certificates have more compatibility, especially around IPsec, but EC certificates are considered faster and more secure. If the certificate will only be used for HTTPS-based features, pick EC; if it will also be used for IPsec, select RSA.

Example below:

When generated there should be a certificate looking something like this:

Download this Certificate and import into trusted CA Store on end devices.

Download the certificate (not the key) and deploy it to your end devices so that they trust certificates issued by the CA. This can be done in a number of ways, depending on the operating system or on whether the device is managed by a device management system.

Example: Creating a CA signed End-Entity certificate for OneConnect and/or WebUI

To create a signed End-Entity certificate, browse to Key Ring (Objects → Key Ring) and add a new certificate. Give it a name and click the Configure button to configure the End-Entity certificate.

Make sure End-Entity is selected and the CA Certificate created in the previous step is selected as Issuer Certificate.

Note: The Subject Alternative Name (SAN) of the certificate should be the hostname entered and used to connect to the WebUI and/or the OneConnect interface in cOS Core.

Note: Validity should not be too long on End-Entity certificates.

Note: Key Size must be 384 bits or higher if using EC.
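
The settings and notes above (issuer, SAN, validity, EC key size) can be checked on a workstation after downloading both certificates. This is an added example using the openssl command line, not part of the original article or of Clavister's tooling. The file names, the hostname fw.example.com and the 398-day limit are assumptions, and the sample CA and certificate are constructed test data.

```shell
#!/bin/sh
# Added example (not Clavister code). Paths, hostname and MAX_DAYS are assumptions.

# make_sample DIR CURVE DAYS HOST: constructed test data, a throwaway EC CA and
# an end-entity certificate signed by it with HOST as Subject Alternative Name.
make_sample() {
    d=$1
    openssl ecparam -name "$2" -genkey -noout -out "$d/ca.key"
    openssl req -x509 -new -key "$d/ca.key" -days 3650 -out "$d/ca.pem" \
        -subj "/CN=Sample CA/OU=Support/O=My Company/C=SE"
    openssl ecparam -name "$2" -genkey -noout -out "$d/ee.key"
    openssl req -new -key "$d/ee.key" -subj "/CN=NetWall WebUI" -out "$d/ee.csr"
    printf 'subjectAltName=DNS:%s\n' "$4" > "$d/ext.cnf"
    openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days "$3" -extfile "$d/ext.cnf" -out "$d/ee.pem" 2>/dev/null
}

# check_cert CA_PEM CERT_PEM HOST MAX_DAYS: prints "ok" or the name of the failed check.
check_cert() {
    ca=$1; cert=$2; host=$3; max_days=$4
    # Issuer: the certificate must verify against the CA that end devices trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo chain; return 1; }
    # SAN: must cover the hostname used to reach the WebUI / OneConnect interface.
    # (openssl falls back to the CN only when the certificate has no DNS SAN.)
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo san; return 1; }
    # Key size: EC keys must be 384 bits or larger.
    text=$(openssl x509 -in "$cert" -noout -text)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if printf '%s\n' "$text" | grep -q id-ecPublicKey && [ "${bits:-0}" -lt 384 ]; then
        echo keysize; return 1
    fi
    # Validity: fail if the certificate would still be valid MAX_DAYS from now.
    if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null; then
        echo validity; return 1
    fi
    echo ok
}

# Demo on constructed data only.
demo() {
    tmp=$(mktemp -d) && make_sample "$tmp" secp384r1 365 fw.example.com >/dev/null 2>&1
    check_cert "$tmp/ca.pem" "$tmp/ee.pem" fw.example.com 398
    rm -rf "$tmp"
}
demo
```

For real use, call check_cert with the CA certificate and End-Entity certificate downloaded from the Key Ring instead of the generated samples.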

Configure NetWall to use the certificate

To use the newly created certificate go to Advanced Settings in Remote Management (Device Settings → Remote Settings → Advanced Settings) and scroll down to the WebUI settings.

Select the created certificate as HTTPS Certificate and the CA Certificate as HTTPS Root Certificate.

