
End Entity Certificates Tab

Configuration > Overlays & Security > Security > End Entity Certificates

The EdgeConnect platform consists of Cloud Portal, Orchestrator, and EdgeConnect gateways running EdgeConnect OS (ECOS). Historically, EdgeConnect supported certificates for a few limited purposes, such as verifying identity between the triad of Cloud Portal, Orchestrator, and the associated EdgeConnect gateways. Certificates could also be installed so that browsers, using their built-in trust store, could trust the web servers of the Orchestrator UI and the ECOS UI. Release 9.4 introduces the use of end entity certificates for IPSec tunnel peer authentication.

The following are use cases for end entity certificates in 9.4:

  • Orchestrator web server certificate

  • EdgeConnect web server certificate

  • Syslog client certificate for EdgeConnect

  • IKE-based IPSec tunnels

Whenever an EdgeConnect appliance or Orchestrator must authenticate itself with a certificate, it must generate the private key associated with that certificate. EdgeConnect appliances and Orchestrator can use end entity certificates for this when creating TLS and IPSec connections between SD-WAN components, as well as with third-party services. Although the legacy method of uploading private keys is still supported, the best practice is to have Orchestrator generate the CSR: Orchestrator automatically generates the key pair as part of the CSR through the End Entity tab, and you then upload the signed certificate produced from that request.

On the End Entity Certificates tab, you can view and manage all end entity certificates created for your EdgeConnect appliances and Orchestrator. From this tab you can do the following:

  • Create a certificate signing request (CSR) and add an end entity certificate for an appliance or Orchestrator.

  • Create a label for each end entity certificate, so you can refer to it by its label.

  • Click Appliance to view end entity certificates for your appliances.

  • Click Orchestrator to view end entity certificates for Orchestrator.

The information in the following table is displayed for each end entity certificate on this tab.

  • Hostname – The hostname of the appliance or the Orchestrator instance.

  • Label – The name assigned to the certificate.

  • Issuer – The issuer of the certificate.

  • Issued to – The entity to which the certificate is issued (the common name on the CSR).

  • Certificate – A link that allows you to view and download the certificate.

  • Expiration date – The date when the certificate expires.

End Entity Certificates Dialog Box

From this dialog box you can view the existing end entity certificates for each appliance or Orchestrator, delete end entity certificates, or generate a new certificate signing request (CSR) to add a new end entity certificate.

The following sections outline the process of adding a new end entity certificate.

Prepare the Custom CA Certificate Trust Store

Before you create a CSR, enable the Custom CA Certificate Trust Store in Orchestrator and upload the following certificates to it, depending on whether you plan to use the end entity certificate for Orchestrator or for EdgeConnect:

  • Orchestrator: Upload the root CA certificate for the CA that will sign the CSR.

  • EdgeConnect: Upload both the root CA and intermediate CA certificates for the CA that will sign the CSR.

NOTE: The certificates for the CA must be in place when you upload the signed certificate chain or validation of the certificate will fail.

To upload the necessary certificates, navigate to Configuration > Overlays & Security > Security > Custom CA Certificate Trust Store. For instructions on how to enable the trust store and upload a certificate, see Custom CA Certificate Trust Store.

Obtain a Signed End Entity Certificate

After you have prepared the Custom CA Certificate Trust Store, you will create a CSR and obtain a signed end entity certificate. The following instructions outline this process.

Create a Certificate Signing Request (CSR)

  1. Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.

  2. Click Appliance to create a CSR for an appliance (EdgeConnect) or click Orchestrator to create a CSR for Orchestrator.

  3. Click the edit icon next to the appliance or Orchestrator instance for which you want to create the end entity certificate and generate the CSR.

    The End Entity Certificates dialog box appears.

  4. Click Add Certificate.

    The Add End Entity Metadata dialog box appears. Enter information in the following fields.

    Label – Any string (for example, Orchestrator_HTTPS). The label is meaningful to Orchestrator and EdgeConnect and does not need to be globally unique.

    Common name (Host name) – Any string (for example, a host name or IP address). The common name, together with any information entered in the Additional Information (Optional) fields, makes up the Subject Name (SN) on the certificate.

    Subject Alternative Name (SAN) – Select one of the following options from the drop-down menu and enter the required information.

      • FQDN – Enter the fully qualified domain name that the certificate secures (for example, ecva.silverpeaksystems.net).

      • USER_FQDN – Enter an ID in the format of an email address (local-part, @ symbol, domain suffix), for example username@aruba.com. This ID is used to identify the EdgeConnect appliance when establishing an IPSec tunnel; it does not send or receive email.

      • IP Address – Enter an IPv4 or IPv6 address that is secured by the certificate.

    Signing algorithm – Select the algorithm that will be used to authenticate the certificate. If you are using Common Criteria mode, the recommended option is ecdsa_secp384r1_with_sha384. If you are not using Common Criteria mode, the recommended option is ecdsa_secp256r1_with_sha256.

    Additional Information (Optional) – Entering the following information is optional. If entered, this information, together with the common name, makes up the Subject Name (SN) on the certificate.

      • Organization name – Enter the name of the organization requesting the certificate. Example: "HPE"

      • Organizational unit name – Enter the name of the internal department that handles the certificate within the organization. Example: "Aruba"

      • Country code – Enter the two-letter country code of the country where the organization is located. Example: "US" for USA. See the allowable list following this table.

      • State – Enter the state, province, region, or county where the organization is located.

      • Locality name – Enter the village, town, or city where the organization is located.

    Allowable Country Codes

    AF, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BA, BW, BV, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IL, IT, JM, JP, JO, KZ, KE, KI, KP, KR, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, MS, MA, MZ, MM, NA, NR, NP, NL, AN, NC, NZ, NI, NE, NG, NU, NF, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, SH, KN, LC, PM, VC, WS, SM, ST, SA, SN, SC, SL, SG, SK, SI, SB, SO, ZA, GS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW

    [Screenshot: an example completed CSR with the label "Orchestrator_HTTPS"]

  5. Click Save.

    The certificate appears in the list of certificates on the End Entity dialog box.

Send the CSR to the Certificate Authority (CA)

  1. In the End Entity Certificates dialog box, find the certificate you created, and in the CSR / Certificate column click View CSR.

    The View CSR dialog box opens.


  2. To download the CSR as a .pem file, click Download CSR.

    The file is saved to your local directory.

  3. Upload the CSR file to a trusted certificate authority (CA).

Obtain the Signed Certificate From the CA

If the CA returns the signed certificate as multiple files, combine them into a single file that contains the end entity certificate, all intermediate CA certificates, and the root CA certificate. This is necessary because Orchestrator accepts the certificate chain only as a single file. The order of the certificates in that file matters and must be as follows:

  1. End entity certificate (top of file)

  2. One or more certificates of the intermediate CA(s)

  3. Self-signed root CA certificate

Upload the Signed Certificate to the End Entity Certificate Tab

NOTE: Any certificates in the chain that are expired will not be accepted by the EdgeConnect appliance.

NOTE: The subject name on the certificate must match the subject name on the CSR. If these do not match, the EdgeConnect appliance will not accept the certificate.

  1. Navigate to Configuration > Overlays & Security > Security > End Entity Certificates.

  2. Click the edit icon next to the appliance or Orchestrator instance for which you created the CSR.

    The End Entity Certificates dialog box appears.

  3. In the End Entity Certificates dialog box, find the certificate you created, and in the CSR / Certificate column click View CSR.

    The View CSR dialog box opens.


  4. Click Select Certificate File, and then select the signed certificate chain.

    The file name of the end entity certificate appears in gray beneath the Select Certificate File button.

  5. Click Upload.

    The system performs validation checks on the end entity certificate. If the certificate passes the validation checks and upload is successful, the file name turns green.


  6. Click Close.

    After the certificate is successfully uploaded, the End Entity Certificates dialog box shows the issuer's common name in the Issuer column and the expiry date in the Expiration date column, and the link in the CSR / Certificate column changes from View CSR to View Certificate. Click View Certificate to view the certificate.

End Entity Certificate Validation at the Time of Upload

This upload process occurs at least once for the Orchestrator and at least once for each EdgeConnect appliance. At the time of uploading an end entity certificate, the following validation checks occur. If any of these validations fail, upload of the end entity certificate fails.

  • Revocation Status: Online Certificate Status Protocol (OCSP) is run by Orchestrator and EdgeConnect to verify that the intermediate CA certificates and end entity certificate are not revoked using the OCSP URLs present in each of these certificates. OCSP exception checking includes the following:

    • If communication cannot be established with the OCSP server, then the revocation check is ignored.

    • Nonce check:

      • If the OCSP server does not return a nonce, then the nonce test is ignored, and the revocation check continues.

      • If the OCSP server returns a nonce that does not match the nonce in the OCSP request, then the revocation check fails, and the end entity certificate is rejected.

      • If the OCSP server returns a nonce that matches the nonce in the OCSP request, then the revocation check continues.

    • If the OCSP response does not contain a status for the certificate that was requested, then the revocation check fails, and the end entity certificate is rejected.

    • If the OCSP response is not signed by the CA that issued the certificate or signed by an OCSP responder delegated by the CA (the delegated responder should have a valid certificate signed by the CA containing the OCSP signing purpose), then the revocation check fails, and the end entity certificate is rejected.

    • This update: If the OCSP response for “this update” is in the future, then the revocation check fails, and the end entity certificate is rejected.

    • Next update: If the OCSP response for “next update” is in the past, then the revocation check fails, and the end entity certificate is rejected.

    After completion of all the above checks, and if the OCSP response was valid, revocation status itself is determined and is assigned one of these values: good, revoked, or unknown. The certificate is accepted for “good” or “unknown” statuses. If the revocation status is “revoked” the certificate is rejected.

  • Expiry Status: Each certificate in the chain is verified as not expired.

  • Issuer Sequence Check: The signed end entity certificate that is being uploaded must contain the entire certificate chain, and the chain must be contained in a single file. The system verifies that the end entity certificate comes first, followed by the intermediate CA certificate(s), and finally the root CA certificate.

  • Digital Signature Validation: The digital signature for each certificate in the chain is validated.

  • Check for CA Certificates in Custom CA Certificate Trust Store:

    • If the signed end entity certificate is for use with Orchestrator, Orchestrator checks that the root CA certificate in the end entity certificate chain is present in the Orchestrator Custom CA Certificate Trust Store.

    • If the signed end entity certificate is for use with an EdgeConnect appliance, that specific EdgeConnect checks that the intermediate CA and root CA certificates in the end entity certificate chain are present in the EdgeConnect Custom CA Certificate Trust Store.

  • Subject Name Comparison: The subject name (common name, organization name, organization unit name, locality, state, and country) in the CSR is compared to and must match the subject name in the signed certificate.

  • Subject Alternative Name Comparison: Checks that the subject alternative names in the CSR are present in the signed certificate.

  • Key Correspondence: At the time the CSR is generated, it contains only the public key; the private key is stored only on the specific EdgeConnect appliance that generated the CSR. The signed certificate that is uploaded carries the public key from the CSR. The EdgeConnect appliance validates that this public key mathematically corresponds to the private key it has stored (the appliance itself does not store the public key).

NOTE: If upload of the end entity certificate fails, navigate to Orchestrator > Orchestrator Server > Tools > Audit Logs and enter “end entity” in the Search field. In the search results, look for entries with “end entity upload action” in the Action field and find the recent failed upload, which will show “Failed” in the Success column. Hover over the Results column for additional information.

Certificate Expiry Checking

Once per day, the expiry date is checked on all certificates (CA, intermediate, and end entity). If the expiration date is within 60 days, an alarm is raised; this alarm persists until the user clears it. If the expiration date has passed, an alarm is raised indicating that the certificate is expired. Certificate expiry checking happens whether Common Criteria mode is enabled or not.

Use the End Entity Certificate for a Service

After you have obtained a signed end entity certificate and uploaded it, you can use it for one of the following services.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.
