End Entity Certificates Tab
Configuration > Overlays & Security > Security > End Entity Certificates
The EdgeConnect platform consists of Cloud Portal, Orchestrator, and EdgeConnect gateways running EdgeConnect OS (ECOS). Historically, EdgeConnect supported Certificates for a few limited applications such as verifying identity between the triad of Cloud Portal, Orchestrator, and associated EdgeConnect Gateways. Certificates could also be installed so the web server for the Orchestrator UI and ECOS UI can be trusted by browsers with their built-in trust store. Release 9.4 introduces the use of end entity certificates for IPSec tunnel peer authentication.
The following are use cases for end entity certificates in 9.4:
- Orchestrator web server certificate
- EdgeConnect web server certificate
- Syslog client certificate for EdgeConnect
- IKE-based IPSec tunnels
Whenever an EdgeConnect appliance or Orchestrator is required to authenticate itself with a certificate, it must generate the private key associated with that certificate. EdgeConnect appliances and Orchestrator can use end entity certificates for this when creating TLS and IPSec connections between SD-WAN components, as well as with third-party services. While the legacy feature of uploading private keys is still supported, it is best practice to use orchestrated appliance end entity profiles for EdgeConnect appliance certificates and to manually generate CSRs for Orchestrator certificates.
On the End Entity Certificates tab, you can view and manage all end entity certificates created for your EdgeConnect appliances and Orchestrator. From this tab you can do the following:
- Configure an EST (Enrollment over Secure Transport) server profile to enroll certificates for use with your EdgeConnect appliances.
- Create orchestrated appliance end entity profiles that allow for automated enrollment of certificates using an EST server.
- Manually create a certificate signing request (CSR) and add an end entity certificate for an appliance or Orchestrator, and manually create a labeled profile that enables EdgeConnects to generate CSRs.
- Click Appliance to view end entity certificates for your appliances.
- Click Orchestrator to view end entity certificates for Orchestrator.
The information in the following table is displayed for each end entity certificate on this tab.
Column | Description |
---|---|
Hostname | The hostname of the appliance or the Orchestrator instance. |
Label | The name assigned to the certificate. |
Issuer | The issuer of the certificate. |
Issued to | The entity to which the certificate is issued (common name on CSR). |
Certificate | After the certificate is successfully enrolled, a link appears in this column that allows you to view and download the certificate. |
Expiration date | The date when the certificate expires. |
Adding End Entity Certificates
There are two methods for adding end entity certificates. The first method is fully orchestrated and is used for certificate applications on EdgeConnect appliances. The second method involves completing a CSR for one certificate at a time and can be used for Orchestrator or EdgeConnect appliances.
Method 1: This method automates certificate enrollment using an EST server and globally orchestrated end entity profiles. You can use this method only for EdgeConnect appliances, to provide certificates for certificate-based orchestrated tunnels (used by Business Intent Overlays), the ECOS web server certificate, or the ECOS syslog client certificate. The workflow for this method is as follows:
- Use an End Entity Certificate or Profile for a Service
  - To apply an orchestrated appliance end entity profile to IKE-based IPSec tunnels, which can be used in Business Intent Overlays, see Tunnel Settings Tab.
  - To use an orchestrated appliance end entity profile for the EdgeConnect HTTPS Certificate, see HTTPS Certificate Template.
  - To use an orchestrated appliance end entity profile for the syslog client certificate, see Logging Template.
Method 2: You can use this method to enroll certificates for use with both Orchestrator and EdgeConnect appliances. It is a manual method, and you must repeat the process for each EdgeConnect appliance.
End Entity Certificate Validation at the Time of Upload
At the time of manually uploading an end entity certificate, the following validation checks occur. If you are using globally orchestrated end entity profiles, these validation checks occur as part of the automated process of enrolling certificates. If any of these validations fail, upload of the end entity certificate fails.
- Revocation Status: Online Certificate Status Protocol (OCSP) is run by Orchestrator and EdgeConnect to verify, using the OCSP URLs present in each of these certificates, that the intermediate CA certificates and the end entity certificate are not revoked. OCSP exception checking includes the following:
  - If communication cannot be established with the OCSP server, then the revocation check is ignored.
  - Nonce check:
    - If the OCSP server does not return a nonce, then the nonce test is ignored, and the revocation check continues.
    - If the OCSP server returns a nonce that does not match the nonce in the OCSP request, then the revocation check fails, and the end entity certificate is rejected.
    - If the OCSP server returns a nonce that matches the nonce in the OCSP request, then the revocation check continues.
  - If the OCSP response does not contain a status for the certificate that was requested, then the revocation check fails, and the end entity certificate is rejected.
  - If the OCSP response is not signed by the CA that issued the certificate, or by an OCSP responder delegated by the CA (the delegated responder must have a valid certificate signed by the CA that contains the OCSP signing purpose), then the revocation check fails, and the end entity certificate is rejected.
  - This update: If the “this update” time in the OCSP response is in the future, then the revocation check fails, and the end entity certificate is rejected.
  - Next update: If the “next update” time in the OCSP response is in the past, then the revocation check fails, and the end entity certificate is rejected.
  After completion of all the above checks, and if the OCSP response was valid, the revocation status itself is determined and is assigned one of these values: good, revoked, or unknown. The certificate is accepted for the “good” or “unknown” statuses. If the revocation status is “revoked”, the certificate is rejected.
- Expiry Status: Each certificate in the chain is verified as not expired.
- Issuer Sequence Check: The signed end entity certificate that is being uploaded must contain the entire certificate chain, and the chain must be contained in a single file. The system verifies that the end entity certificate comes first, followed by the intermediate CA certificate(s), and finally the root CA certificate.
- Digital Signature Validation: The digital signature of each certificate in the chain is validated.
- Check for CA Certificates in Custom CA Certificate Trust Store:
  - If the signed end entity certificate is for use with Orchestrator, Orchestrator checks that the root CA certificate in the end entity certificate chain is present in the Orchestrator Custom CA Certificate Trust Store.
  - For manually uploaded certificates, if the signed end entity certificate is for use with an EdgeConnect appliance, that specific EdgeConnect checks that the intermediate CA and root CA certificates in the end entity certificate chain are present in the EdgeConnect Custom CA Certificate Trust Store. For orchestrated certificates, the EdgeConnect only checks that the root CA certificate is present in the EdgeConnect Custom CA Certificate Trust Store.
- Common Name Comparison: The common name in the CSR is compared to, and must match, the common name in the signed certificate.
- Subject Alternative Name Comparison: Checks that the subject alternative names in the CSR are present in the signed certificate.
- Key Correspondence: When the CSR is generated it contains only the public key; the private key is stored only on this specific EdgeConnect appliance. When the signed certificate is uploaded, it contains the public key from the CSR. The EdgeConnect appliance validates that the public key in the certificate mathematically corresponds to the private key it has stored (the EdgeConnect does not store the public key).
- Starting with the release that includes end entity certificate orchestration, if you select TLS Server or TLS Client in the Purpose field when creating an appliance end entity profile, an additional check is performed. The check validates that the Extended Key Usage field on the enrolled certificate contains the text TLS WWW [Server|Client] Authentication.
NOTE: If manual upload of an end entity certificate fails, navigate to Orchestrator > Orchestrator Server > Tools > Audit Logs and enter “end entity” in the Search field. In the search results, look for entries with “end entity upload action” in the Action field and find the recent failed upload, which will show “Failed” in the Success column. Hover over the Results column for additional information.
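The OCSP decision procedure described above, written out as an added example for this page (it is not Orchestrator or ECOS code). The response fields are a constructed model, and a response without a “next update” time is assumed to skip that check, which the page does not specify. Note that both an unreachable responder and an “unknown” status lead to acceptance, so revocation enforcement depends on the responder being reachable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


@dataclass
class OcspResponse:
    """The parts of an OCSP response that the documented checks look at (model only).
    `signer_ok` stands for 'signed by the issuing CA, or by a responder whose
    certificate the CA signed with the OCSP signing purpose'."""
    nonce: Optional[bytes]           # None when the responder omitted the nonce
    has_cert_status: bool            # response carries a status for the requested cert
    signer_ok: bool
    this_update: datetime
    next_update: Optional[datetime]  # assumption: not checked when absent
    cert_status: str                 # "good", "revoked" or "unknown"


def revocation_decision(resp: Optional[OcspResponse], request_nonce: bytes,
                        now: datetime) -> Tuple[bool, str]:
    """Apply the exception rules in the documented order. `resp` is None when the
    responder could not be reached. Returns (certificate accepted, reason)."""
    if resp is None:
        return True, "OCSP server unreachable: revocation check ignored"  # soft fail
    if resp.nonce is not None and resp.nonce != request_nonce:
        return False, "nonce mismatch"
    if not resp.has_cert_status:
        return False, "no status for the requested certificate"
    if not resp.signer_ok:
        return False, "response not signed by the issuing CA or its delegated responder"
    if resp.this_update > now:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None and resp.next_update < now:
        return False, "nextUpdate is in the past"
    if resp.cert_status == "revoked":
        return False, "certificate revoked"
    if resp.cert_status in ("good", "unknown"):
        return True, "status " + resp.cert_status  # unknown is accepted, per the page
    return False, "unrecognised status " + repr(resp.cert_status)


NONCE = b"\x01\x02\x03\x04"  # constructed request nonce
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def _resp(**overrides) -> OcspResponse:
    """A fresh, well-formed 'good' response with selected fields overridden."""
    base = dict(nonce=NONCE, has_cert_status=True, signer_ok=True,
                this_update=NOW - timedelta(hours=1),
                next_update=NOW + timedelta(days=1), cert_status="good")
    base.update(overrides)
    return OcspResponse(**base)


def demo_scenarios() -> Dict[str, bool]:
    """Constructed cases; maps a scenario name to whether the certificate is accepted."""
    cases = {
        "responder unreachable": None,
        "good, nonce echoed": _resp(),
        "good, nonce omitted by responder": _resp(nonce=None),
        "nonce differs": _resp(nonce=b"\xff" * 4),
        "status unknown": _resp(cert_status="unknown"),
        "revoked": _resp(cert_status="revoked"),
        "stale nextUpdate": _resp(next_update=NOW - timedelta(minutes=1)),
        "thisUpdate in future": _resp(this_update=NOW + timedelta(minutes=5)),
        "wrong signer": _resp(signer_ok=False),
        "no status for cert": _resp(has_cert_status=False),
    }
    return {name: revocation_decision(r, NONCE, NOW)[0] for name, r in cases.items()}
```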
Certificate Expiry Checking
Once per day the expiry date is checked on all certificates (CA, intermediate, and end entity). If the expiration date is within 60 days, an alarm is raised; this alarm persists until the user clears it. If the expiration date has passed, an alarm is raised indicating that the certificate is expired. Certificate expiry checking runs whether Common Criteria mode is enabled or not. For certificates that are enrolled using an EST server and an appliance end entity profile, if the Re-enrollment threshold percentage has been met at the time of the expiry check, the server automatically attempts to re-enroll the certificate.
Prepare the Custom CA Certificate Trust Store
Before adding an EST server and orchestrated appliance end entity profiles or manually creating a CSR, you need to enable the Custom CA Certificate Trust Store in Orchestrator and upload the following certificates to the trust store depending on whether you plan to use the end entity certificate for Orchestrator or EdgeConnect.
- You must add the default root CA certificates from the default trust store to the Custom CA Certificate Trust Store (one-time action). This is primarily required to ensure that the root CA certificate for HPE Aruba Networking Cloud Portal is in the Custom CA Certificate Trust Store.
- Upload the root CA certificate for the CA that will sign the CSR for the Orchestrator HTTPS server certificate.
- Upload the root CA certificate for the CA that signed the end entity certificate for the syslog server (this is the syslog server to which Orchestrator sends its logs).
- Upload the root CA certificate for the CA that signed the end entity certificate for the EST server.
- If you are using the orchestrated EST-based method, upload the root CA certificate for any CA that will be signing all end entity certificates.
  NOTE: The certificates for the CA must be in place before you create an appliance end entity profile; otherwise validation of the certificate orchestration will fail.
- If you are using the manual method, upload both the root CA and intermediate CA certificates for the CA that will sign the CSR.
  NOTE: The certificates for the CA must be in place when you upload the signed certificate chain; otherwise validation of the certificate will fail.
To upload the necessary certificates, navigate to Configuration > Overlays & Security > Security > Custom CA Certificate Trust Store. For instructions on how to enable the trust store and upload a certificate, see Custom CA Certificate Trust Store.
EST Servers
You can configure profiles for EST servers that are used to enroll certificates for use with EdgeConnect appliances. Using an EST server with appliance end entity profiles provides an automated process for using globally orchestrated certificates for authentication. From this dialog box you can view the EST server profiles that are configured, delete EST server profiles, and add EST server profiles.
NOTE: An EST server must be reachable out-of-band, without dependence on IPSec tunnels. The EST management plane is configured in the Management Services template (Configuration > Templates & Policies > Templates) using the management service named “Other VRF mgmt Apps”.
Add an EST Server Profile
The following instructions describe how to configure an EST server profile to use for certificate enrollment.
- Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.
- Click EST Servers.
  The EST Servers dialog box opens.
- Click Add EST Server.
  The EST Server dialog box opens.
- Complete the following fields.

Field | Description |
---|---|
Profile name | Enter the name of the EST server. |
Host name | Enter the host name for the EST server. |
Host | Enter the port to use for communicating with the EST server. |
Username | Enter a username for the EST server. This is used during HTTPS basic or digest authentication. |
Password | Enter the password for the EST server. This is used during HTTPS basic or digest authentication. |
Challenge password | Enter a challenge password for the EST server. This is a field added in the CSR that is sent to the EST server. If this field is left empty, the tls-unique value is used as the challenge password in the CSR. |
Arbitrary label | When the system attempts to enroll a certificate, this label is added to the URL of the EST server. This label is used for csrattrs and cacerts, per RFC 7030. Requirements are EST server dependent. The default is blank. Example: https://est-service999.com/.well-known/est/rsa2048/cacerts, where /rsa2048 is the arbitrary label. |
Arbitrary enrollment | When the system attempts to enroll a certificate, this label is added to the URL of the EST server. This label is used for simpleenroll, per RFC 7030. Requirements are EST server dependent. The default is blank. Example: https://est-service999.com/.well-known/est/rsa2048/simpleenroll, where /rsa2048 is the arbitrary label. |
Arbitrary re-enrollment | When the system attempts to enroll a certificate, this label is added to the URL of the EST server. This label is used for simplereenroll, per RFC 7030. Requirements are EST server dependent. The default is blank. Example: https://est-service999.com/.well-known/est/rsa2048/simplereenroll, where /rsa2048 is the arbitrary label. |
Retry interval | Enter a numeric value (in seconds). During initial enrollment or re-enrollment of a certificate, this is the amount of time the system waits before it contacts the EST server again. It keeps attempting at this interval until the enrollment or re-enrollment is successful. |

- Click Save.
- Click Save and Apply Changes.
- Click Close.
Appliance End Entity Profiles
An appliance end entity profile can be applied globally to multiple appliances. The profiles allow for scaled management of certificates using an EST server.
When you configure an appliance end entity profile, you specify the name of an EST server profile that you have already configured in Orchestrator. The EST server specified in the profile is used to enroll and re-enroll certificates via the EST protocol for any appliance that uses the profile. Each profile also has a designated purpose that you specify during configuration. That purpose determines the services for which the profile can be used, such as IKE-based IPSec tunnel authentication or HTTPS authentication.
Add an Appliance End Entity Profile
- Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.
- Click Appliance End Entity Profiles.
  The Appliance End Entity Profiles dialog box opens.
- Click Add Profile.
  The Appliance End Entity Profile dialog box opens.
- Complete the following fields.
  - Purpose: Select one of the following options:
    - SD-WAN – When selected, certificates that are enrolled using this profile are only used for IPSec tunnel authentication. Profiles with this purpose appear on the Tunnel Settings tab for IKE-based IPsec tunnels and can be selected as the source for the end entity certificate for authentication. These certificate-based, orchestrated tunnels can be used in Business Intent Overlays.
    - TLS Server – When selected, certificates that are enrolled using this profile are only used for HTTPS server authentication, for example the EdgeConnect web UI. Profiles with this purpose appear on the HTTPS Certificate template and can be selected as the source for the end entity certificate for authentication.
    - TLS Client – When selected, certificates that are enrolled using this profile are only used for Syslog client authentication (EdgeConnect as client). Profiles with this purpose appear on the Logging template and can be selected as the source for the end entity certificate for authentication in the remote log receiver configuration.
    - General – When selected, certificates that are enrolled using this profile are used for IPSec tunnel, HTTPS server, or Syslog client authentication. Profiles with this purpose appear on the Logging template, the HTTPS Certificate template, and the Tunnel Settings tab and can be selected as the source for the end entity certificate for authentication.
  - Signing Algorithm: Select the algorithm that will be used to authenticate the certificate. The default is rsa_2048_with_sha256.
  - Re-enrollment threshold percentage: During expiry checking, the server automatically attempts to re-enroll a certificate once this percentage of the certificate's validity period has elapsed. For example, if a certificate is valid for 12 months and the re-enrollment threshold percentage is set to 75, the server attempts to re-enroll the certificate after 9 months (75% of 12 months) have passed. Enter a percentage value. Minimum value is 50, maximum value is 95.
  - EST Server: Select an EST server profile. The EST server profile must already be configured. For more information on EST server profile configuration, see Add an EST Server Profile. You can select more than one EST server, up to a maximum of four, by clicking +EST. If you have more than one EST server selected, the system attempts certificate enrollment using the EST servers in the order they are listed.
  - Certificate Information: These fields vary based on the Purpose you select.
    - Common Name – Applies to profiles that have SD-WAN or General selected for Purpose. This information is auto generated using the appliance host name, such as “mysystem-ecva”. When a certificate is enrolled using this profile, this value is used as the Common Name.
      Example of how this appears on a certificate: CN=mysystem-ecva
    - User FQDN – Applies to profiles that have SD-WAN or General selected for Purpose. The prefix is auto generated and consists of the appliance host name, such as “mysystem-ecva”. Enter an FQDN in the field, such as “hpe.com”. When a certificate is enrolled using this profile, the hostname and the user-entered FQDN are included in the SAN (Subject Alternative Name) field for email.
      Example of how this appears on a certificate in the SAN field: email: mysystem-ecva@hpe.com
    - Host Name – Applies to profiles that have TLS Server or TLS Client selected for Purpose. The prefix is auto generated and consists of the appliance host name, such as “mysystem-ecva”. Enter a domain name in the field, such as “hpe.com”. When a certificate is enrolled using this profile, the host name and the user-entered domain name are included in the SAN field for DNS.
      Example of how this appears on a certificate in the SAN field: DNS: mysystem-ecva@hpe.com
    - SAN - Domain Name – Applies to profiles that have TLS Server or TLS Client selected for Purpose. This information is auto generated based on the domain name you entered in the Host Name field.
  - Additional Information (Optional): These fields only appear if you have selected General for the Purpose.
    - Domain Component – The prefix is auto generated and consists of the appliance host name, such as “mysystem-ecva”. Enter a system domain name in the field, such as “arubanetworks.com”. When a certificate is enrolled using this profile, this information is included in the SN (Subject Name) field, with an entry for each dot-separated part of the system domain name you entered.
      Example of how this appears on a certificate in the SN field: DC=com, DC=arubanetworks, DC=mysystem-ecva
    - Host Name – The prefix is auto generated and consists of the appliance host name, such as “mysystem-ecva”. Enter a domain name in the field, such as “hpe.com”. When a certificate is enrolled using this profile, the host name and the user-entered domain name are included in the SAN field for DNS.
      Example of how this appears on a certificate in the SAN field: DNS: mysystem-ecva@hpe.com
    - IP Address – Select a label from the drop-down menu. When a certificate is enrolled using this profile, the IP address associated with the selected label is included in the SAN field as an IP address.
      Example of how this appears on a certificate in the SAN field: IP Address=X.X.X.X
    - Organization Name – Enter the name of the organization requesting the certificate, such as “Hewlett Packard Enterprise”. When a certificate is enrolled using this profile, this value is included in the SN field.
      Example of how this appears on a certificate in the SN field: organizationName=Hewlett Packard Enterprise
    - Organizational Unit Name – Enter the name of an internal department that handles the certificate within the organization, such as “HPE Aruba Networking”. When a certificate is enrolled using this profile, this value is included in the SN field.
      Example of how this appears on a certificate in the SN field: organizationalUnitName=HPE Aruba Networking
    - Add Serial Number to Subject – When this check box is selected and a certificate is enrolled using this profile, the serial number of the appliance, as shown on the System Information tab, is included in the SN (Subject Name) field as the serial number.
      Example of how this appears on a certificate in the SN field: serialNumber=XXXXXXXXXXXX
- Click Save.
- Click Close.
After you click Save, profile orchestration and certificate enrollment begin. During this time Orchestrator sends the profile to all EdgeConnect appliances, and each appliance then contacts the EST server to obtain a certificate and have it validated. When validation completes successfully for a certificate, you can open the End Entity Certificates dialog box for the appliance, and a View Certificate link appears in the CSR / Certificate column for that certificate.
Manually Obtain a Signed End Entity Certificate
The following instructions outline the process to manually add an end entity certificate. After you have prepared the Custom CA Certificate Trust Store, you create a CSR, obtain a signed end entity certificate, and manually upload the certificate for further use.
Create a Certificate Signing Request (CSR)
- Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.
- Click Appliance to create a CSR for an appliance (EdgeConnect), or click Orchestrator to create a CSR for Orchestrator.
- Click the edit icon next to the appliance or Orchestrator instance for which you want to create the end entity certificate and generate the CSR.
  The End Entity Certificates dialog box appears.
- Click Add Certificate.
  The Add End Entity Metadata dialog box appears. Enter information in the following fields.
  - Label: Any string (for example, Orchestrator_HTTPS). The Label has significance to Orchestrator and EdgeConnect and does not need to be globally unique.
  - Common name (Host name): Any string (for example, a host name or IP address). The common name, along with any information entered in the Additional Information (Optional) fields, makes up the Subject Name (SN) on the certificate.
  - Subject Alternative Name (SAN): Select one of the following options from the drop-down menu and enter the required information.
    - FQDN – Enter the fully qualified domain name that the certificate secures (for example, ecva.silverpeaksystems.net).
    - USER_FQDN – Enter an ID in the format of an email address (local-part, @ symbol, domain suffix). Example: username@aruba.com. This ID is used to identify the EdgeConnect appliance when establishing an IPSec tunnel; it does not send or receive emails.
    - IP Address – Enter an IPv4 or IPv6 address that is secured by the certificate.
  - Signing algorithm: Select the algorithm that will be used to authenticate the certificate. If you are using Common Criteria mode, the recommended option is ecdsa_secp384r1_with_sha384. If you are not using Common Criteria mode, the recommended option is ecdsa_secp256r1_with_sha256.
  - Additional Information (Optional): Entering the following information is optional. If entered, this information along with the common name makes up the Subject Name (SN) on the certificate.
    - Organization name – Enter the name of the organization requesting the certificate. Example: “HPE”
    - Organizational unit name – Enter the name of an internal department that handles the certificate within the organization. Example: “Aruba”
    - Country code – Enter the two-letter country code of the country where the organization is located. Example: “US” for USA. See the list of allowable country codes below.
    - State – Enter the state, province, region, or county where the organization is located.
    - Locality name – Enter the village, town, or city where the organization is located.
  Allowable Country Codes: AF, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BA, BW, BV, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IL, IT, JM, JP, JO, KZ, KE, KI, KP, KR, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, MS, MA, MZ, MM, NA, NR, NP, NL, AN, NC, NZ, NI, NE, NG, NU, NF, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, SH, KN, LC, PM, VC, WS, SM, ST, SA, SN, SC, SL, SG, SK, SI, SB, SO, ZA, GS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW
  The following is an example completed CSR with label “Orchestrator_HTTPS”.
- Click Save.
  The certificate appears in the list of certificates on the End Entity dialog box.
Send the CSR to the Certificate Authority (CA)
- In the End Entity Certificates dialog box, find the certificate you created, and in the CSR / Certificate column click View CSR.
  The View CSR dialog box opens.
- To download the CSR as a .pem file, click Download CSR.
  The file is saved to your local directory.
- Upload the CSR file to a trusted certificate authority (CA).
Obtain the Signed Certificate From the CA
When you receive the signed certificate from the CA, if it arrives as multiple files, combine them into a single file that includes the end entity certificate, all intermediate CA certificates, and the root CA certificate. This is necessary because you must upload the entire certificate chain to Orchestrator as a single file. The sequence of certificates in the single-file chain is important and must be as follows:
- End entity certificate (top of file)
- One or more certificates of the intermediate CA(s)
- Self-signed root CA certificate
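The upload-time checks listed under End Entity Certificate Validation at the Time of Upload, together with the leaf-first chain order just described, modelled in Python as an added example (this is not EdgeConnect or Orchestrator code). It assumes the third-party cryptography package; the root, intermediate and appliance certificates, the CSR and the "current time" are constructed in memory, and the OCSP revocation check and the EdgeConnect-only rule that intermediates must also be in the trust store are left out of the model.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
DER, SPKI = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
TLS_EKU = {"TLS Server": ExtendedKeyUsageOID.SERVER_AUTH, "TLS Client": ExtendedKeyUsageOID.CLIENT_AUTH}

def _split_pem(bundle):
    """Split the single-file chain into certificates, preserving file order."""
    marker = b"-----BEGIN CERTIFICATE-----"
    return [x509.load_pem_x509_certificate(marker + p) for p in bundle.split(marker)[1:]]

def _signed_by(cert, issuer):
    """Digital signature validation: does the issuer's public key verify `cert`?"""
    pub, h = issuer.public_key(), cert.signature_hash_algorithm
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), h)
        else:  # EC keys; any other key type raises and counts as a failed check
            pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(h))
        return True
    except Exception:
        return False

def _window(c):
    """Validity window as aware UTC datetimes, across cryptography versions."""
    if hasattr(c, "not_valid_before_utc"):
        return c.not_valid_before_utc, c.not_valid_after_utc
    return tuple(d.replace(tzinfo=timezone.utc) for d in (c.not_valid_before, c.not_valid_after))

def _ext(obj, cls):
    try:  # extension value on a certificate or CSR, or None when absent
        return obj.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None

def validate_upload(bundle_pem, csr_pem, trusted_roots, now, purpose="SD-WAN"):
    """Return (accepted, reason). Checks run in the order the page lists them; the
    OCSP revocation check needs a live responder and is left out of this model."""
    chain = _split_pem(bundle_pem)
    if len(chain) < 2:
        return False, "file must hold the end entity certificate and its CA chain"
    for c in chain:                                    # Expiry status, every link
        start, end = _window(c)
        if not start <= now <= end:
            return False, "expired: " + c.subject.rfc4514_string()
    for child, parent in zip(chain, chain[1:]):        # Issuer sequence + signatures
        if child.issuer != parent.subject or not _signed_by(child, parent):
            return False, "issuer sequence check failed"
    root = chain[-1]
    if root.issuer != root.subject or not _signed_by(root, root):
        return False, "last certificate is not a self-signed root"
    if root.public_bytes(DER) not in {t.public_bytes(DER) for t in trusted_roots}:
        return False, "root CA not in custom trust store"
    leaf, csr = chain[0], x509.load_pem_x509_csr(csr_pem)
    cn = lambda n: n.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    if cn(leaf.subject) != cn(csr.subject):            # Common name comparison
        return False, "common name mismatch"
    sans = lambda o: set(_ext(o, x509.SubjectAlternativeName) or [])
    if not sans(csr) <= sans(leaf):                    # Every CSR SAN must be present
        return False, "CSR SAN missing from certificate"
    if leaf.public_key().public_bytes(DER, SPKI) != csr.public_key().public_bytes(DER, SPKI):
        return False, "public key does not match the CSR"   # Key correspondence
    if purpose in TLS_EKU and TLS_EKU[purpose] not in (_ext(leaf, x509.ExtendedKeyUsage) or []):
        return False, "EKU lacks " + purpose + " authentication"
    return True, "ok"

def _make_cert(subject, issuer, pubkey, signer, is_ca, san=None, eku=None):
    """Build a one-year test certificate around DEMO_NOW (constructed sample)."""
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pubkey).serial_number(x509.random_serial_number())
         .not_valid_before(DEMO_NOW - timedelta(days=1))
         .not_valid_after(DEMO_NOW + timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(san), critical=False)
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(signer, hashes.SHA256())

def demo_material():
    """Constructed sample: root -> intermediate -> appliance leaf (CN and SAN are the
    page's own example values), plus the CSR the appliance would have generated."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert(name("Demo Root CA"), name("Demo Root CA"), root_key.public_key(), root_key, True)
    inter = _make_cert(name("Demo Intermediate CA"), root.subject, int_key.public_key(), root_key, True)
    san = [x509.RFC822Name("mysystem-ecva@hpe.com")]
    leaf = _make_cert(name("mysystem-ecva"), inter.subject, leaf_key.public_key(), int_key, False,
                      san=san, eku=[ExtendedKeyUsageOID.SERVER_AUTH])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(leaf.subject)
           .add_extension(x509.SubjectAlternativeName(san), critical=False)
           .sign(leaf_key, hashes.SHA256()))
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return [pem(leaf), pem(inter), pem(root)], pem(csr), [root]
```

Joining the three PEM files in the order returned by demo_material() passes; reversing them fails the issuer sequence check, as a root-first bundle would on upload.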
Upload the Signed Certificate to the End Entity Certificate Tab
NOTE: Any certificates in the chain that are expired will not be accepted by the EdgeConnect appliance.
NOTE: The subject name on the certificate must match the subject name on the CSR. If these do not match, the EdgeConnect appliance will not accept the certificate.
- Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.
- Click the edit icon next to the appliance or Orchestrator instance for which you created the CSR.
  The End Entity Certificates dialog box appears.
- In the End Entity Certificates dialog box, find the certificate you created, and in the CSR / Certificate column click View CSR.
  The View CSR dialog box opens.
- Click Select Certificate File, and then select the signed certificate chain.
  The file name of the end entity certificate appears in gray beneath the Select Certificate File button.
- Click Upload.
  The system performs validation checks on the end entity certificate. If the certificate passes the validation checks and the upload is successful, the file name turns green.
- Click Close.
After the certificate is successfully uploaded, on the End Entity Certificates dialog box the Issuer column contains the common name, the Expiration date column shows when the certificate expires, and the link in the CSR / Certificate column changes from View CSR to View Certificate. Click View Certificate to view the certificate.
Use an End Entity Certificate or Profile for a Service
You can use end entity certificates and appliance end entity profiles for the following services.
- HTTPS server
  - To use a manually added end entity certificate for the Orchestrator HTTPS certificate, see Orchestrator HTTPS Certificate. The Orchestrator HTTPS certificate cannot be added using EST.
  - To use an orchestrated appliance end entity profile for the EdgeConnect HTTPS Certificate, see HTTPS Certificate Template.
  - To use a manually added end entity certificate for the EdgeConnect HTTPS Certificate, see HTTPS Certificate Tab.
- Syslog client
  - To use an orchestrated appliance end entity profile for the syslog client certificate, see Logging Template.
  - To use a manually added end entity certificate for the syslog client certificate, see Remote Log Receivers.
- IKE-based IPSec tunnel
  - To apply an orchestrated appliance end entity profile to IKE-based IPSec tunnels, which can be used in Business Intent Overlays, see Tunnel Settings Tab.
  - To manually create IKE-based IPSec tunnels that use an end entity certificate, see Add or Modify a Manually Created Underlay Tunnel.
End Entity Certificates Dialog Box
From this dialog box you can view the end entity certificates for each appliance or Orchestrator, delete end entity certificates, and generate a new certificate signing request (CSR) to manually add a new end entity certificate.
The information in the following table is displayed for each end entity certificate on this dialog box. If you have created appliance end entity profiles, a separate row appears on the dialog box with a certificate for each appliance for each profile.
Column | Description |
---|---|
Label | The name assigned to the certificate. |
Issuer | The issuer of the certificate. |
Issued to | The entity to which the certificate is issued (common name on CSR). |
Certificate | If you are in the process of manually adding a certificate for an appliance or Orchestrator and have created a CSR, a View CSR link appears in this column. After you have sent the CSR to a CA, obtained the signed certificate from the CA, and uploaded the signed certificate, a View Certificate link appears in this column that allows you to view and download the certificate. If you have created an appliance end entity profile, after enrollment with the EST server is completed, a View Certificate link appears in this column that allows you to view and download the certificate. A separate row will appear on the dialog box with a certificate for each appliance for each profile. |
Expiration date | The date when the certificate expires. |
Status | If certificate enrollment fails, a brief description of the reason for failure appears in this column, and the View Certificate link does not appear in the CSR / Certificate column. |