Certificates¶
In this page you find:
The Certificates page allows the management of the certificates that are needed by the various OpenVPN server instances running on the 4i Edge X and is composed of four pages: Certificates, Certificate Authority, Revoked Certificates, and Certificate Revocation List.
Certificates¶
Here it is possible to manage all the certificates stored on the 4i Edge X. The table, initially empty, shows all certificates along with the following details, one per each column:
Name. The name assigned to the certificate.
Subject. The collection of information that identify the certificate. itself. See the options below.
CA. The Certificate Authority used to generate the certificate.
Expiration Date. The final date of validity of the certificate.
Actions. What actions can be done on the certificate.
At the bottom of the table, on the left-hand side there is a navigation widget, that allows to navigate among the various pages composing the table, if there are many certificates, whereas on the right-hand side there is a reload widget, used to refresh the list of certificates.
Above the list, click on the
button to create a new certificate. Upon clicking, the page will be replaced by a form that allows to provide all data necessary to the generation of a new certificate.Add new certificate
The following options are available to add a new certificate to the 4i Edge X.
- Action
Select from this drop-down menu the method to add a certificate to the 4i Edge X. The next options will change, depending on the choice made here.
Generate a new certificate
The first alternative allows to create a new certificate directly on the 4i Edge X, by providing the following information. The capital letters in parentheses show the field of the certificate that will be filled by the value supplied and form the Subject of the certificate.
Note
A Root Certificate Authority is needed to create certificates, so create the Root CA before creating certificates.
- Common name
The common name (CN) of the certificate’s owner, i.e., the name with which the owner will be identified.
- Email address
The e-mail address of the certificate’s owner.
- Subject Alternative Name
The alternative name for the subject, which allows a single certificate to be associated to multiple domains or resources. The available options are:
DNS. The DNS entry of the site.
IP. The IP address of the site.
email. An email address.
The actual value for each option must be written in the textbox on the right-hand side.
Hint
To add more alternative names, click on the
button.- Organizational unit name
The Organisation Unit (OU) to which the owner belongs to, i.e., the company, enterprise, or institution department identified with the certificate.
- Organization name
The organisation (O) to which the owner belongs to.
- City
The city (L) in which the organisation is located.
- State or province
The state or province (ST) in which the organisation is located.
- Country
The Country (C) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
- Certificate type
The type of the certificate, chosen between Client and :strong:Server from the drop-down menu.
- Validity (days)
The number of days before the certificate expires.
- PKCS12 file password
The password for the certificate, if needed.
- PKCS12 file password Confirmation
Type once more the certificate’s password for confirmation.
- Certificate digest algorithm
Choose from the drop-down menu the algorithm to be used to generate the certificate.
New in version 5.0.
- Certificate key size
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
New in version 5.0.
Generate a Let’s Encrypt certificate
New in version 5.1.
This methods uses the Let’s Encrypt service’s API to generate a new certificate.
The options available for this type of certificate are the same available to Generate a new certificate, except that a few options are not present, because they come predefined values, namely:
the Certificate type, which is always of type Server,
the Validity, which is 90 day;
the Certificate digest algorithm, Sha256 is used;
the Certificate key size, 2048 bits.
See also
A guide to the creation of a Let’s Encrypt certificate, along with requirements and troubleshooting is available in Endian’s help portal: https://help.endian.com/hc/en-us/articles/360011418094
Upload a certificate
In this alternative, upload an existing certificate from the local workstation to the 4i Edge X.
- Certificate (PKCS12/PEM)
By clicking on the
button or on the textfield, a file chooser will open, in which to supply the path to the certificate to be uploaded.- PKCS12 file password
The password for the certificate, if needed. Tick the checkbox on the right-hand side to show the password’s characters.
Upload a certificate signing request
This method requires to upload a CSR from the local workstation to the 4i Edge X, i.e., an encrypted text file containing all necessary information to generate a new certificate, recognised by the server.
- Certificate Signing Request (CSR)
By clicking on the
button or on the textfield, a file chooser will open, in which to supply the path to the CSR to be uploaded.- Validity (days)
How many days the certificate is valid.
Certificate Authority¶
This page allows to manage the CA, needed for the correct set up of the whole certificate infrastructure. Root and host certificates are usually generated automatically during the installation, but there is the option to upload a new CA by using the buttons below the table, for example to integrate the 4i Edge X under an existing enterprise CA. There is also the option to manually generate new root/host certificates, see next section.
The table, once populated, shows the same information as in the Certificates page, with the only difference in the Actions available.
- Upload CA certificate
By clicking on the
button, a file chooser will open, in which to supply the path to the certificate to be uploaded. Once chosen, a click on the will complete the upload process.
Generate new root/host certificates¶
This procedure can be applied only once when setting up for the first time the PKI infrastructure and it will generate two certificates: A root certificate authority and a host certificate; the latter will appear in the Certificates page. When clicking on the link, a form will replace the list, in which to supply the following data, that will be used in the new root and host certificates.
Note
The only way to generate a new root certificate is to delete the existing one from the command line.
- System fully qualified domain name or IP address
The name of the system, that will be used as the certificate’s Common Name.
- Email address
The e-mail address of the system’s owner or responsible.
Subject Alternative Name
The alternative name for the subject, which allows a single certificate to be associated to multiple domains or resources. The available options are:
DNS. The DNS entry of the site.
IP. The IP address of the site.
email. An email address.
The actual value for each option must be written in the textbox on the right-hand side.
Hint
To add more alternative names, click on the
button.
- Organizational unit name
The Organisation Unit (OU) to which the system belongs to.
- Organization name
The organisation (O) to which the system belongs to.
- City
The city (L) in which the organisation is located.
- State or province
The state or province (ST) in which the organisation is located.
- Country
The Country (C) in which the organisation is located, chosen from those in the selection menu. By typing one or more letters, matching countries are searched for and displayed.
- Validity (days)
The number of days before the certificate expires.
- Certificate digest algorithm
Choose from the drop-down menu the algorithm to be used to generate the certificate.
- Certificate key size
Choose from the drop-down menu the size of the key (in bits) used to generate the certificate.
Revoked Certificates¶
The certificates that have been revoked are listed in the table, that show the serial number and the subject of the certificate.
- Download the Certificate Revocation List
A click on this link will allow to download the on a local workstation the Certificate Revocation List.
Certificate Revocation List¶
In this page can be managed all the Certificate Revocation lists that have been uploaded.
The table shows all the Certificate Revocation Lists and for each item in the table are show the name of the certificate, the issuer, the issued date, and the available actions.
It is possible to upload a certificate Revocation List by clicking on the
button to search for it on the local workstation, then on the button to finalise the process.