UserGate uses the secure HTTPS protocol for managing devices. It can also intercept and decrypt transit SSL traffic (HTTPS, SMTPS, POP3S) and authenticate administrators based on their certificates.
This UserGate functionality is based on the following SSL certificates:

Name | Description
---|---
Web console SSL certificate | This certificate is used by network administrators for establishing secure HTTPS connections with the UserGate web console.
Captive portal SSL certificate | This certificate ensures secure HTTPS connections to the Captive portal login page, the display of the block page and logout page on the Captive portal, and the proper operation of the FTP proxy. It must be issued with the following parameters: Subject name = auth.captive; Alternative names = auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive. By default, the system uses a certificate with these parameters, issued for the domain auth.captive and signed with the SSL inspection certificate. If the administrator has not supplied their own certificate for this role, UserGate automatically re-issues this certificate whenever the system administrator changes any of the domains listed in General settings (i.e. the domains for auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive).
SSL decrypt certificate | This is a CA class certificate. It is used for creating SSL certificates for the Internet hosts whose HTTPS, SMTPS and POP3S traffic is to be decrypted. For example, when decrypting HTTPS traffic from yahoo.com, the original certificate (Subject name = yahoo.com, Issuer name = VeriSign Class 3 Secure Server CA - G3) is replaced with a certificate having Subject name = yahoo.com and Issuer name = the company name specified on the certificate of the CA used in UserGate. This certificate is also used for generating the default certificates for the SSL Captive portal role.
SSL inspection intermediate CA | This certificate can be used in organizations where SSL inspection certificates are issued by a chain of certification authorities. Note that only the public key is required.
SSL inspection (root) | The root certificate of the certification authority chain that was used for issuing the SSL inspection certificate. Only the public key of the certificate is required for proper operation.
User certificate | The certificate assigned to a user by UserGate. The user can be either created locally or obtained from LDAP. The certificate can be used for user authentication when accessing resources published according to the Reverse proxy rules.
Web console auth CA | Certification authority certificate for authenticating administrators to the web console in X.509 certificate authentication mode. Administrators' certificates must be signed with this certificate.
SAML server | The certificate required for interaction between UserGate and the SSO SAML IdP server. For details on how to set up interaction between UserGate and the SAML IdP authentication server, please refer to the corresponding section of the Guide.
Web portal | The certificate used for the web portal. When this certificate is not specified explicitly, UserGate applies the Captive portal SSL certificate issued on the basis of the SSL inspection certificate. For more details on how to set up the web portal, please refer to the corresponding section of the Guide.
Although you can create multiple certificates of the types "web console SSL", "Captive portal SSL certificate" and "SSL decrypt certificate", only one certificate of each type can be in use at a time. The system can store multiple certification authority certificates for web console authentication and use any of them when verifying the authenticity of administrator certificates.
To create a new certificate, perform the following steps:

Name | Description
---|---
Step 1. Create a new certificate | Click Generate --> New certificate in the Certificates section.
Step 2. Fill in the necessary fields | Fill in the following mandatory fields:
Step 3. Set the type of the created certificate | Once the certificate is created, you need to set its type, i.e. decide what the certificate's roles should be. Select the created certificate in the list and press the Edit button. Set the certificate's type ("web console SSL", "SSL inspection" or "web console auth CA"). If you selected "web console SSL", UserGate will restart the web console to apply the changes. The SSL inspection certificate will begin to work immediately. For more details about SSL decryption, please refer to SSL inspection.
In UserGate, you can export the internally created certificates or import certificates from other systems, e.g. from the trusted certification authority of your company.
To export a certificate, perform the following steps:

Name | Description
---|---
Step 1. Select a certificate for exporting | Select the desired certificate in the list of certificates.
Step 2. Export the selected certificate | Select the type of export:
Important! It is recommended that you save the certificate and its private key for backup purposes.
Important! For security reasons, UserGate does not allow exporting the private keys of certificates.
To import an existing certificate, you should have the certificate's public key and, optionally, its private key, and then perform the following steps:

Name | Description
---|---
Step 1. Start the import | Click the Import button.
Step 2. Fill in the necessary fields | Fill in the following fields: