The Certificates page allows the management of the certificates that are needed by the various OpenVPN server instances running on the Endian UTM Appliance and is composed of four tabs: Certificates, Certificate Authority, Revoked Certificates, and Certificate Revocation List.
Here it is possible to manage all the certificates stored on the Endian UTM Appliance. The table, initially empty, shows all certificates along with the following details, one per column:
At the bottom of the table, on the left-hand side, there is a navigation widget for moving among the pages of the table when there are many certificates; on the right-hand side there is a reload widget, used to refresh the list of certificates.
Above the list, the Add new certificate link can be clicked. Upon clicking, the page is replaced by a form for providing all the data necessary to generate a new certificate. The following options are available.
The first alternative creates a new certificate directly on the Endian UTM Appliance from the following information. The capital letters in parentheses show the certificate field that is filled with the supplied value; together these fields form the Subject of the certificate.
Note
A Root Certificate Authority is needed to create certificates, so create the Root CA before creating certificates.
The alternative name for the subject, which allows a single certificate to be associated with multiple domains or resources. The available options are:
The actual value for each option must be written in the textbox on the right.
Changed in version 5.0: This option was called Subject alt name.
Choose from the drop-down menu the algorithm to be used to generate the certificate.
New in version 5.0.
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
New in version 5.0.
New in version 5.1.
This method uses the Let’s Encrypt service’s API to generate a new certificate.
The options available for this type of certificate are the same as for Generate a new certificate, except that a few options are not available: the Certificate type, which is always Server; the validity, which is 365 days; the Certificate digest algorithm; and the certificate key size.
See also
A guide to the creation of a Let’s Encrypt certificate, along with requirements and troubleshooting, is available in Endian’s help portal: https://help.endian.com/hc/en-us/articles/360011418094
In this alternative, upload an existing certificate from the local workstation to the Endian UTM Appliance.
This method requires uploading a CSR from the local workstation to the Endian UTM Appliance, i.e., an encrypted text file containing all the information necessary to generate a new certificate, recognised by the server.
This page is used to manage the CA, which is needed for the correct setup of the whole certificate infrastructure. There are two ways to add a CA: either by clicking on the Generate new root/host certificates link above the table of existing certificates to generate a new certificate, or by uploading it using the buttons below the table.
The table, once populated, shows the same information as in the Certificates tab; the only difference is in the Actions available.
Instead of generating a new certificate authority, it is possible to upload an existing one.
This procedure can be applied only once, when setting up the PKI for the first time, and it generates two certificates: a root certificate authority and a host certificate; the latter will appear in the Certificates tab. When clicking on the link, a form replaces the list, in which to supply the following data, which will be used in the new root and host certificates.
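As an added example (not taken from the Endian documentation or product), the following shell functions build a key and CSR on the local workstation and check the CSR before it is uploaded. They assume OpenSSL 1.1.1 or later; the function names, the subject values, RSA 2048 and SHA-256 are illustrative assumptions.

```shell
#!/bin/sh
# Added example: create a CSR on the workstation and verify it before upload.
# Function names, subject values, key type and digest are assumptions.

# make_csr DIR CN SAN -> writes DIR/host.key and DIR/host.csr
make_csr() {
    dir=$1; cn=$2; san=$3
    (
        umask 077   # the private key stays readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/host.key" -out "$dir/host.csr" \
            -subj "/C=IT/O=Example Org/CN=$cn" \
            -addext "subjectAltName=$san" 2>/dev/null
    )
}

# check_csr CSR KEY CN SAN -> 0 if every check passes, else the failed step
check_csr() {
    csr=$1; key=$2; cn=$3; san=$4
    # 1. The request's self-signature verifies. Match on the message because
    #    older OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2. The public key in the CSR belongs to the private key kept locally.
    a=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$a" = "$b" ] || return 2
    # 3. The Subject carries the intended CN (last field on the Subject line).
    text=$(openssl req -in "$csr" -noout -text)
    printf '%s\n' "$text" | grep 'Subject:' | grep -Eq "CN ?= ?$cn\$" || return 3
    # 4. Every requested alternative name is present in the request.
    old_ifs=$IFS; IFS=,
    for entry in $san; do
        printf '%s\n' "$text" | grep -qF "$entry" || { IFS=$old_ifs; return 4; }
    done
    IFS=$old_ifs
    return 0
}

# Usage (constructed values):
#   make_csr /tmp/csr vpn.example.com "DNS:vpn.example.com,DNS:gw.example.com"
#   check_csr /tmp/csr/host.csr /tmp/csr/host.key vpn.example.com \
#       "DNS:vpn.example.com,DNS:gw.example.com"
```

Only `host.csr` is uploaded; `host.key` never leaves the workstation.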
Note
The only way to generate a new root certificate is to delete the existing one from the command line.
Choose from the drop-down menu the algorithm to be used to generate the certificate.
New in version 5.0.
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
New in version 5.0.
The certificates that have been revoked are listed in the table, which shows the serial number and the subject of each certificate.
This page is used to manage all the Certificate Revocation Lists that have been uploaded.
The table shows all the Certificate Revocation Lists; for each item it shows the name of the certificate, the issuer, the issued date, and the available actions.
It is possible to upload a Certificate Revocation List by clicking on the Browse… button to search for it on the local workstation, then on the Upload CA certificate button to finalise the process.