
SSL VPN Overview and Certificate Management

A common need in a network is the ability to access company resources and data located at physically disparate sites. A further requirement to this access is that the lines of communication are private, secure, and reliable. Dedicated lines can be purchased to facilitate this need, though they are expensive and often limited in the role they can provide. Alternatively, a secure virtual private network (VPN) can be used over existing public lines such as the Internet while providing the aforementioned requirements of privacy, security, and reliability.

This document describes the process of configuring and installing a Secure Sockets Layer (SSL) virtual private network (VPN) on an Ecessa device. Ecessa SSL VPNs provide a complete network-level secure VPN tunnel with authentication, encryption, and data integrity in an easy to configure and manage package. The rest of this document is separated into three sections: Choosing a Connection Type, Certificate Management, and Configuration.

Choosing a Connection Type

When installing a virtual private network (VPN) it is important to identify how it will be used. The Ecessa device provides three configuration types:

  • Server

  • Point-to-Point

  • Client

A Server configuration is used when the addresses of the remote ends are unknown. This is commonly referred to as remote access or a 'road warrior' scenario, the connecting client being the 'road warrior', which often has a dynamically assigned public IP. A server configuration can globally and selectively push routing and addressing information to clients, granting access to internal resources on a per-client basis.

Point-to-Point configurations define the complete addressing on both sides of the connection. Another name for this type of VPN is site-to-site or LAN-to-LAN VPN. An example of this type of configuration would be a remote office connecting to a central office. Both the remote and central office would have static IP addressing.

The Client configuration is used when the Ecessa device will connect to another Ecessa device running in Server mode. This fits the example above with a single central office and multiple remote sites all connecting back to the central office. An advantage of this method is that fewer point-to-point connections need to be set up at the central office.

After selecting the configuration that meets your needs, the next step is to ensure that a certificate generation and management system is in place. The section Certificate Management describes two such systems if one is not already in place. If a system for certificate generation and management already exists, configuration information can be found in the section Configuration.

Certificate Management

Certificates play a crucial part in the authentication of VPN endpoints. It is important to have a system for certificate management in place before configuring an SSL VPN. The following sections outline two basic systems that are easy to use and can be extended to suit the needs of the implementer.

All certificate files, once generated, should remain in their default locations. When distributing PKCS12 files, make a copy to give to the client or upload to the Ecessa device. Removing or deleting certificates from their default locations can make it impossible to revoke the certificate later, because the revocation step relies on the CA's records of what it issued.

Certificate Management Using Ecessa Self-CA

The following steps can be used to create a self-signed Certificate Authority (CA) on the Ecessa device. This CA can then be used to generate certificates from the Ecessa device's interface. Once these certificates are generated on the Ecessa device, the section Configuration will provide details on how they can be used in an SSL VPN connection. It is important to read through and understand all of these steps before beginning this process.

Since the Ecessa device will be creating certificates, it is very important that this device has the correct date and time. Every certificate carries a validity period taken from the clock at the moment it is created; a wrong clock produces certificates that are not yet valid or already expired on the peers that check them.

  1. Log into the Ecessa device through HTTPS.

  2. Navigate to Configure Date & Time located under Basic Setup on the left hand menu.

  3. Verify that the Date, Time, and the Time Zone are correct.

Steps to create a Self Certificate Authority:

  1. Log into the Ecessa device through HTTPS.

  2. Navigate to Certificates located under Advanced Setup on the left hand menu.

  3. Switch to the Self CA/Certificates tab.

  4. Click Add Certificate Authority under the Self-Signed Certificate Authority Section.

  5. Fill in the fields on this page with the information that the Certificate Authority should have.

  6. Once all the settings have been filled in click Create CA.

Once the Certificate Authority (CA) has been generated, certificates can be added. Click on the 'Name' of the CA to add certificates, then click 'Add' to see the following field boxes. Several fields are required when creating certificates:

  • The Common Name identifies which user a certificate belongs to. In the Client Configuration the Common Name determines who the client is.

  • The Export Password is the password that will be required when the client connects to a VPN Server. This is also the password that will be required when a certificate is uploaded to a device. The password must be at least 5 characters.

  • The Add to Main List check box sets whether this certificate will be used for a VPN connection on the box. Generally this is done for the Server Certificate on the Ecessa device.

Create the certificates:

  1. Switch to the 'Self CA/Certificates' tab.

  2. Click on the 'Name' of the CA to add certificates.

  3. Click 'Add' in the 'New Certificate Creation' section.

  4. Fill in the fields provided in the row.

  5. Once all the certificates have been added in the 'New Certificate Creation' section, click 'Create Self-Signed Certificates.'

Certificate Generation using OpenVPN’s Easy-RSA

The following steps can be used to create a Certificate Authority (CA) and generate CA-signed Public-Key Cryptography Standards #12 (PKCS#12) certificate files for use in SSL VPN on an Ecessa device. These steps are derived from the OpenVPN HOW-TO at http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki on http://www.openvpn.net and are written from a Windows standpoint.

Once the appropriate certificates have been generated the section Configuration will provide details on how these certificates are used in an SSL VPN connection. It is important to read through and understand all of these steps including the notes at the end of the section before beginning this process.

  1. Download and install the latest community edition of OpenVPN found at http://www.openvpn.net/index.php/open-source/downloads.html. This package can also be used for Windows and Linux clients to connect to an SSL VPN server.

  2. After installation open a command prompt and navigate to the easy-rsa subdirectory of the OpenVPN installation.

  3. Run the command init-config.bat. This command copies vars.bat.sample and openssl.cnf.sample to vars.bat and openssl.cnf.

  4. Edit the file vars.bat. This file sets the environment variables (default Country, State, Locality, Organization, and so on) that will be used when creating certificates.

  5. Run the following commands

    • vars.bat

    • clean-all.bat

    • build-ca.bat

  6. The build-ca.bat script will ask a couple of questions that will be used for the Distinguished Name (DN) of the CA. An example question would be Country Name (2 letter code) [US]: with [US] being the default option taken from the environment variables set by running vars.bat.

  7. Once the CA is built, signing certificates can begin. The CA will only need to be built once; however, if you exit the command prompt, vars.bat must be run again before continuing with the following steps.

  8. Build your PKCS#12 files with the command build-key-pkcs12.bat <certificate_name>, replacing <certificate_name> with the appropriate name of the certificate. Complete the additional script questions and repeat this step for each certificate that needs to be created. Please note:

    • The following fields must match those of the CA: Country Name, State or Province, Locality Name and Organization Name. If you have run vars.bat these will be the default options.

    • The Common Name field cannot be left blank and should be set to a value that makes sense for the certificate, for example server for the server's certificate or BobJohnson for the user BobJohnson.

    • Do not enter a value for the challenge password.

    • The Export password must be at least 5 characters in length. This export password must be used when uploading a certificate to an Ecessa device or when a client starts their VPN connection.

  9. The created certificates will be placed in the keys\ directory and have an extension of .p12.

Certificate Revocation using OpenVPN’s Easy-RSA

The following steps can be used to revoke a certificate and generate an updated certificate revocation list (CRL). The generated file, crl.pem, will be located in the keys directory. Whenever a certificate is revoked, the new crl.pem must be uploaded to the Ecessa device; until it is, the device will still accept the revoked certificate.

  1. Open a command prompt and navigate to the easy-rsa directory.

  2. Set the needed environment variables by running the script vars.bat.

  3. Run revoke-full <certificate_name> replacing <certificate_name> with the name of the certificate to be revoked.
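The Easy-RSA batch files used above (build-ca, build-key-pkcs12, revoke-full) are thin wrappers around OpenSSL's req, ca and pkcs12 commands. The following POSIX shell script is an added example, not Ecessa documentation or OpenVPN project code, that performs the same certificate generation and revocation workflow with openssl directly so that each step can be checked: it builds a CA, issues a server and a client certificate under that CA, exports each as a password-protected PKCS#12 file, revokes the client and regenerates crl.pem, then verifies each certificate against the CA and CRL. It also enforces the two rules from the notes above, namely that Country, State, Locality and Organization must match the CA (as an openssl ca policy) and that the export password must be at least 5 characters. It assumes openssl 1.1 or 3.x on the PATH; the directory layout, the DN values (US/MN/Plymouth/Example), the certificate names, the passwords and the v3_server/v3_client extension sections are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Ecessa's or OpenVPN's code): the Easy-RSA workflow with plain openssl.
# Assumes openssl 1.1/3.x on PATH. Directory, DN values, names and passwords are constructed.
set -eu

# pki_init DIR: create the CA (like build-ca) plus an initial, empty crl.pem.
pki_init() {
  PKI=$1
  mkdir -p "$PKI"
  : > "$PKI/index.txt"             # issuance database; revocation needs it intact
  echo 01 > "$PKI/serial"
  echo 01 > "$PKI/crlnumber"
  cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $PKI
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = demo_policy
# Same rule as the Easy-RSA note: C, ST, L and O must match the CA; CN is free.
[ demo_policy ]
countryName         = match
stateOrProvinceName = match
localityName        = match
organizationName    = match
commonName          = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" \
    -subj "/C=US/ST=MN/L=Plymouth/O=Example/CN=Example-CA" \
    -config "$PKI/openssl.cnf" -extensions v3_ca 2>/dev/null
  openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" 2>/dev/null
}

# pki_issue NAME EXT_SECTION EXPORT_PASSWORD [ORGANIZATION]: like build-key-pkcs12.
# Fails if the password is shorter than 5 characters or the DN violates the CA policy.
pki_issue() {
  name=$1; ext=$2; pass=$3; org=${4:-Example}
  [ "${#pass}" -ge 5 ] || { echo "export password must be at least 5 characters" >&2; return 1; }
  openssl req -new -newkey rsa:2048 -nodes -keyout "$PKI/$name.key" -out "$PKI/$name.csr" \
    -subj "/C=US/ST=MN/L=Plymouth/O=$org/CN=$name" -config "$PKI/openssl.cnf" 2>/dev/null || return 1
  openssl ca -batch -notext -config "$PKI/openssl.cnf" -extensions "$ext" \
    -in "$PKI/$name.csr" -out "$PKI/$name.crt" >/dev/null 2>&1 || return 1
  openssl pkcs12 -export -in "$PKI/$name.crt" -inkey "$PKI/$name.key" -certfile "$PKI/ca.crt" \
    -out "$PKI/$name.p12" -passout "pass:$pass" 2>/dev/null || return 1
}

# pki_revoke NAME: like revoke-full; marks the cert revoked and regenerates crl.pem.
pki_revoke() {
  openssl ca -config "$PKI/openssl.cnf" -revoke "$PKI/$1.crt" >/dev/null 2>&1 || return 1
  openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/crl.pem" >/dev/null 2>&1 || return 1
}

# pki_check NAME: 0 if the cert chains to the CA and is not listed in crl.pem.
pki_check() {
  openssl verify -crl_check -CAfile "$PKI/ca.crt" -CRLfile "$PKI/crl.pem" "$PKI/$1.crt" >/dev/null 2>&1
}

# pki_p12_check NAME PASSWORD: 0 only if PASSWORD opens the .p12 (what the upload form needs).
pki_p12_check() {
  openssl pkcs12 -in "$PKI/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}

# pki_p12_cn NAME PASSWORD: print the Common Name inside the .p12, i.e. who the cert identifies.
pki_p12_cn() {
  openssl pkcs12 -in "$PKI/$1.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# pki_demo DIR: full workflow; leaves the summary in PKI_SUMMARY and prints it.
pki_demo() {
  pki_init "$1"
  pki_issue server v3_server Str0ngPass
  pki_issue client v3_client Str0ngPass
  pki_revoke client
  s=invalid; pki_check server && s=valid
  c=valid;   pki_check client || c=revoked
  PKI_SUMMARY="server:$s client:$c"
  echo "$PKI_SUMMARY"
}

pki_demo "$(mktemp -d)"   # prints: server:valid client:revoked
```

The verify step is the check worth keeping around: run it against the crl.pem you are about to upload, and a revoked client fails while the server still passes. The policy section is what the "fields must match the CA" note translates to in OpenSSL terms, so a request with a different Organization is rejected by the CA rather than silently issued.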

Uploading Certificates

At a minimum the Ecessa device must have a certificate for the SSL VPN connection. Additionally, a certificate revocation list (CRL) may be uploaded to remove a certificate's ability to authenticate, and client certificates can be uploaded so that a zip or tar+gzip file containing the certificate and OpenVPN configuration file can be exported. The procedure for exporting the zip/tgz file can be found in 'Configuration' under 'Client Configuration'. Certificates must be kept secure: a PKCS#12 file contains the private key, so always upload over HTTPS and do not leave copies on shared systems.

  1. Log into the Ecessa device through HTTPS.

  2. Navigate to Configure Certificates located under Advanced Setup in the left hand menu.

  3. Enter the name for the certificate under the Name: text entry field. This can be any combination of alpha-numeric characters, underscores, and dashes. The name chosen should be descriptive of its use as this name is for local use only.

  4. From the drop down list under Type: choose PKCS12 or CRL depending on the certificate to be uploaded.

  5. In the Password: text entry field enter the export password of the certificate. This is the password entered as the last input option of the build-key-pkcs12.bat command (see Certificate Generation Using OpenVPN's Easy-RSA). It is not needed for a CRL.

  6. Click the 'choose file' button; a browsing dialog box will pop up. Select the .p12 file (or crl.pem when the Type is CRL).
