    Gateway Certificates

    Overview

    Gateway certificates are used for authentication in VPN and Wi-Fi networks on MG devices.

    The following workflows are available for creating and managing gateway certificates on MG devices:

    • Use the MG device’s LCI to create a certificate profile, generate a certificate signing request (CSR), and upload signed certificates. Performing these operations via the LCI is known as Out-of-band (OOB). For more information, see Managing of Out-of-band (OOB) Changes.

    • Use the Certificate Management Specification building block (introduced in AMM 2.17) in a configuration template to bulk transfer one or more CSRs and signed certificate(s) from/to gateways. For more information about this, see Certificate Management Workflow.

    • Use the Server File building block (introduced in AMM 2.17) in a configuration template to upload Root CA and Server Certificates to gateways via the AMM. For more information about this, see Uploading Root CA and Server Certificates.

    Overview of the Gateway Certificate Management Screen

    The Gateway Certificate Management screen, accessed by navigating to Configuration > Gateway Certificates, is the main screen in which you manage certificate profiles, and invoke certificate management operations. The following figure shows the main elements of this screen:

    • Certificate Profiles: filters the list to display only certificate profiles.
    • Filter edit box: filters the list on part or all of a certificate name. For more information about searches, see Filter Box and Searching.
    • Range dropdown: selects the date/time range to filter, based on the last date/time that certificate profiles were modified. Selecting an option from the dropdown will display a field where the range can be input.
    • Search: filters the list by the platforms, filter, and range selected.
    • Gateway: displays the name of the gateway containing the certificate profiles.
    • Cert Profile Name: displays the name of a certificate profile on the gateway.
    • Cert Usage: displays the certificate profile’s usage.
    • Cert Common Name: displays the common name used in the certificate profile.
    • CSR Status: displays the current status of the CSR.
    • CSR Last Update: displays the date/time when the CSR was last updated.
    • Cert Status: displays the current status of the certificate.
    • Cert Last Update: displays the date/time when the certificate was last updated.
    • Cert Expire Date: displays the date/time when the certificate expires.
    • Generate CSR: generates new CSRs.
    • Download CSR: downloads (generated) CSRs from gateways. Note that browser popups must be enabled for the download to work correctly.
    • Upload Gateway Cert: uploads signed certificates to gateways.
    • Sync Cert Status: forces the AMM to request the latest certificate request status for the selected gateway(s). Once obtained, the CSR Status column will be updated. This button can be useful for MG devices, where notifications are sometimes lost and the CSR Status column does not reflect the CSR’s true state as a result.
    • Export to CSV: exports the information shown in the list to a .CSV file.
    • Refresh: forces the screen to refresh.
    • Autorefresh (clock icon): when enabled, the browser page is refreshed automatically (the default interval is 30 seconds).

    Requirements

    Gateway Compatibility

    The certificate management functionality is supported for the following platforms and software versions:

    • MG90 devices running core version 4.3 or higher. Note that certificates and private keys can also be uploaded out-of-band (OOB) via the gateway’s LCI.

    Note: ALEOS and oMG-2000 gateways continue to use ACEmanager and the LCI to upload signed certificates and private keys to gateways.

    Operations

    Managing of Out-of-band (OOB) Changes

    A gateway’s LCI can be used to directly upload signed certificates and private keys, as well as delete certificate profiles and generate CSRs. Performing these operations via the LCI is said to be out-of-band or OOB, meaning the operations are done without the use of the AMM’s certificate management facilities.

    When an OOB change is made, the gateway notifies the AMM. The AMM then fetches the certificate from the gateway, extracts its expiry date, and updates the Cert Expire Date column on the Gateway Certificate Management screen.

    For more information about how to do Out-of-band certificate changes, see the MG device’s user guide.

    Certificate Management Workflow

    1. Create certificate profiles using the Configuration Template wizard. A certificate profile specifies the information that will be used to generate a certificate signing request and ultimately a signed certificate for gateways.
    2. Deploy those certificate profiles to the target gateways.
    3. The AMM will then instruct the gateway(s) to generate certificate signing requests (CSRs).
    4. Download the CSR(s) using the Gateway Certificate Management Screen.
    5. Send the CSR(s) to your certificate authority and receive back the signed certificate(s).
    6. Upload the signed certificate(s) to your gateway(s) using the AMM. The AMM does not support pfx/p12 formats which combine the signed certificate and private key in one unit, however the LCI does support these formats.

    Note: after a certificate profile has been created and deployed to a gateway, the AMM tells the gateway to generate a CSR. At that time, the gateway generates the private key and keeps it hidden; the CSR and the signed certificate contain only the public part of the key.

    Note: you can use the certificate profile to set up IPsec tunnels and Wi-Fi networks.

    Creating and Deploying Certificate Profiles

    Before you can use the Certificate Management functionality with gateways, you must first create and deploy a certificate profile to those gateways using the Configure Templates wizard:

    1. Navigate to Configuration > Templates. For additional information see Configuration Templates.

    2. Click Add. The Create Configuration Template popup appears:

    3. Set the Platform to MG90 and the Target version to 4.3.x or higher, and click Next.

    4. Expand the Advanced node in the building block tree:

    5. Add the Certificate Management Specification building block and click Next.

    6. Enter a Template Name in the General section:

    7. Click the + button to add a Certificate Profile in the Certificate Management Specification section, and populate the certificate details. For information on selecting the correct algorithm, see How to Select the Correct Key Algorithm in the Certificate Management Specification Building Block.

    8. Click Submit. The wizard closes and the AMM returns to the Configuration Templates screen.

    9. Publish the template.

    10. Select the target gateways in the Gateway tree, and deploy the template to those gateways.

    Generating CSRs

    There are three ways in which a CSR can be generated:

    • During initial profile creation, the AMM automatically requests the CSR and makes it available for download.
    • After modifying an existing certificate profile (e.g., the ECDSA/RSA key type, key length, common name, organization, location, etc.), the gateway generates a new private key and any existing signed certificate becomes invalid. In this case, the AMM automatically requests a new CSR and makes it available for download.
    • Manually generate a CSR using the Generate CSR button on the Gateway Certificate Management screen as described below.

    Manually Generating CSRs

    When it comes time to renew the certificate, follow the steps below to generate a new CSR for download on a gateway:

    1. Navigate to Configuration > Gateway Certificates.

    2. Select the gateway(s) that should generate a CSR:

    3. Make a note of which certificate profile should provide the information to use when generating the CSR. Note: the list of gateways shown is based on which gateways or groups of gateways are selected in the Gateway tree and which of those have had a configuration profile assigned to them.

    4. Click Generate CSR to display the Generate CSR popup.

    5. Set the Profile to the certificate profile identified in step 3.

    6. Click Generate. The popup will close and the CSR Status field on the Gateway Certificate Management screen will change to Generating.

    7. Wait until the CSR status changes to Ready:

    Note: the transition from Generating to Ready depends on the gateway’s online status. For example, if a gateway is powered off at the end of the current working day, then the CSR won’t be ready until the next working day when the gateway is switched on.

    The CSR file(s) can now be downloaded.

    Downloading CSRs from Gateways

    After a CSR has been generated on a gateway, you can download it and send it to your certificate authority for signing:

    1. Navigate to Configuration > Gateway Certificates.

    2. Select the gateway from which the CSR should be downloaded. The certificate profiles on that gateway are listed in the Cert Profile Name column on the Gateway Certificate Management screen, along with their statuses in the CSR Status column:

    3. Make a note of which certificate profile corresponds to the CSR that you want to download:

    4. Click Download CSR. The Download CSR popup appears:

    5. Set Profile to the certificate profile containing the CSR that you identified in step 3. Note that a CSR can be in the following states:

    • Generating: the CSR has not been generated yet.
    • Ready: the CSR has been generated but has not been downloaded.
    • Signing or Signed: the CSR has been downloaded.

    Depending on the state of the CSR, the popup message may be one of the following:

    • No CSR is available to download for profile X from your selected gateways. Note that in this case, the Download button will be disabled.
    • New CSR(s) are available to download for profile X from your selected gateways.
    • No new CSR(s) are available to download for profile X from your selected gateways. However, AMM found N CSR(s) previously downloaded and waiting to be signed. Click “Download” to download them again.
    • AMM found N new CSR(s) and M CSR(s) waiting to be signed. Please choose which you would like to download. Note that in this case the Download button will be enabled and you must choose a profile that is in the Ready, Signing, or Signed state.

    Note: If there are no CSRs available for the selected certificate profile, the popup will display the message No CSR available to download for profile ECDSA_K512 from your selected gateways and the Download button will be disabled.

    7. Click Download. A .zip file containing the CSR file(s) that you will send to your certificate authority is downloaded to your local machine. Note that if you selected a group or multiple gateways in the Gateway tree, the zip file will contain multiple CSRs.

    Note: browser popups must be enabled in your web browser for the download to work.

    8. Unzip the downloaded file and send the CSR to your certificate authority.

    Uploading Gateway Certificates

    After you have received your signed certificates from your certificate authority, you can upload them to the gateway(s) via the AMM:

    1. Zip the signed certificate (.pem) files. If you have received multiple certificates, they can all be placed in the same .zip file.
    2. Navigate to Configuration > Gateway Certificates.
    3. Click Upload Gateway Cert.
    4. Click Select a file on the Upload popup and select the .zip file that was prepared in step 1. Note that since the original CSRs were handled by the AMM, the AMM automatically knows which gateways to upload the certificates to.
    5. Wait for the file upload process to complete.

    If the contents of the certificate(s) in the .zip package are incorrect, the following message will be displayed: The following uploaded certificate files failed to be distributed. The AMM will also notify you if there are abnormalities found between the signed certificate and the gateway’s certificate profile (e.g., no match found, bad validation or expiry dates, unrecognized file format, etc.).

    Note: the AMM only keeps one CSR and one certificate for each certificate profile. The latest pair that were uploaded via the AMM or gateway’s LCI will overwrite the previous one.
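    The checks this section says the AMM applies on upload (the certificate must match the CSR, match the profile, and have sane validity dates) can also be run locally before uploading. The following Go program is an added example, not code from the AMM or from this guide: the CA, the gateway key, the profile common name mg90-fleet-0017 and all helper names are constructed for the example, and the gateway key only exists here because the example must build a CSR offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newKey generates an ECDSA P-256 key. On a real MG device the private key is
// generated on the gateway and never leaves it; here it only builds test data.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCSR builds the CSR a gateway would produce for a certificate profile
// whose Cert Common Name is cn; it carries only the public half of the key.
func makeCSR(key *ecdsa.PrivateKey, cn string) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, key))))
}

// signCSR stands in for the certificate authority: it issues a certificate
// for the CSR's public key with the given subject CN and validity window.
func signCSR(csr *x509.CertificateRequest, caKey *ecdsa.PrivateKey, cn string, from, to time.Time) *x509.Certificate {
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Example CA"}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, issuer, csr.PublicKey, caKey))))
}

// checkSignedCert applies, before upload, the checks the AMM is described as making
// on upload: the CSR's public key, the profile's Cert Common Name, and validity at now.
func checkSignedCert(csr *x509.CertificateRequest, cert *x509.Certificate, profileCN string, now time.Time) error {
	pub, ok := csr.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(cert.PublicKey) {
		return fmt.Errorf("public key mismatch: certificate was not issued for this CSR (profile changed since download?)")
	}
	if cn := cert.Subject.CommonName; cn != profileCN {
		return fmt.Errorf("common name %q does not match profile %q", cn, profileCN)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)", now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

func main() {
	csr, now := makeCSR(newKey(), "mg90-fleet-0017"), time.Now() // constructed profile CN
	fmt.Println(checkSignedCert(csr, signCSR(csr, newKey(), "mg90-fleet-0017", now.Add(-time.Hour), now.Add(24*time.Hour)), "mg90-fleet-0017", now))
}
```

    In practice the CSR and certificate would be parsed from the downloaded .zip and the CA's .pem file instead of being constructed in memory.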

    Updating Certificate Profiles

    Modifying any fields of an existing certificate profile (which is accomplished via a Configuration Template) will invalidate the CSR and certificate in the profile. Therefore, a new CSR must be generated and sent to the certificate authority; the signed certificate received back from the authority must then be uploaded to the gateway.

    Uploading Root CA and Server Certificates

    You can upload the following additional types of certificates for a VPN IPsec tunnel or Wi-Fi network using the Server Certificates building block:

    • root CA certificates (e.g., certificates from Verisign, Comodo, Entrust, etc.) that have a trusted chain of signing authorities.
    • server certificates where the peer must present an identical, matching certificate.

    Note: Since gateways have limited storage space and CPU power, they should only use a few root certificates (with the provision to use self-signed certificates) to validate a connecting peer, and should not use the standard CA-certificate bundle maintained by Mozilla, which contains over 3000 root certificates. If provided with a CA certificate, a gateway will use the CA cert to validate an IPsec tunnel peer (i.e., an ACM), and/or a Wi-Fi EAP TLS server for Wi-Fi networks.

    Follow the steps below to upload a root CA or server certificate for a VPN IPsec tunnel. Note that the steps to upload a root CA or server certificate for a Wi-Fi network will be similar.

    1. Navigate to Configuration > Templates. For additional information see Configuration Templates.

    2. Click Add. The Create Configuration Template popup appears.

    3. Set the Platform to MG90 and the Target version to 4.3.x or higher, and click Next.

    4. Expand the Advanced node in the building block tree.

    5. Add the Server Certificates and VPN Specification building blocks and click Next.

    6. Click the + button in the Server Certificates building block to display the Upload popup:

    7. Click Select Files in the Upload popup to select the certificate:

    8. Click the + button for VPN Profiles in the VPN Settings building block:

    9. Set Type to IPsec.

    10. Click the + button in the Authentication section of the VPN Settings building block:

    11. Set Authentication Method to Certificate.

    12. Enable CA Certificate File or Server Certificate File in the Certificate Settings section. The name of the certificate file uploaded in step 6 will appear for selection.

    13. Enable and populate the Certificate Profile Name.

    14. Click Submit. The wizard closes and the AMM returns to the Configuration Templates screen.

    15. Publish the template.

    16. Select the target gateways in the Gateway tree, and deploy the template to those gateways.

    Notes:

    • The uploaded CA certificate file belongs to the template that contains the Server Certificates building block through which the file was uploaded. The uploaded certificate cannot be used by other templates.
    • Only Wi-Fi networks and VPNs can use a CA certificate file, therefore you must include the Server Certificates building block if you want to deploy a CA certificate.
    • Templates that do not have a Wi-Fi Network or VPN IPsec building block must not include the Server Certificates building block.

    Statuses

    Summary of CSR Statuses

    Depending on which certificate management operation is being performed, a certificate profile’s CSR status (indicated in the CSR Status column on the Gateway Certificate Management screen) can be in one of the following states:

    • Initiated: the AMM is waiting for the gateway to come online before it can send the request to generate a CSR.
    • Generating: the AMM has sent the request to the gateway to generate a CSR, and is waiting for the gateway to generate it.
    • Ready: the AMM has received the CSR from the gateway and it is ready/available for download.
    • Signing: the CSR has been downloaded by a user and the AMM is waiting for the signed certificate.
    • Signed: the signed certificate has been uploaded to the AMM. The AMM is now waiting for the gateway to come online so that it can push the certificate to that gateway, and the Cert Status field will transition through the Certificate Statuses. Signed is the final state in the flow of CSR state transitions: once it has been reached, the CSR remains in this state regardless of whether the gateway is offline, has accepted the certificate, or has rejected it. However, if you generate a new CSR, the state will transition back to Generating.
    • Error: an error has occurred with the certificate profile during one of the certificate management operations.

    Summary of Certificate Statuses

    When a signed certificate is being deployed to a gateway, a certificate profile’s certificate status (indicated in the Cert Status column on the Gateway Certificate Management screen) will be in one of the following states:

    • Waiting: the AMM has been provided with the signed certificate and is waiting for the gateway to come online.
    • Deployed: the signed certificate has been pushed to the MG.
    • Rejected: the MG sent a DELS event indicating that the certificate does not match the profile (e.g., after the CSR was generated, the common name was changed).
    • Expired: the certificate has expired.
    • Error: an error has occurred with the certificate profile during one of the certificate management operations.