Certificate generation in Linux using OpenSSL

Example of generating certificates on Linux with OpenSSL, using a self-signed root certificate (a private CA) to sign the VPN server and VPN client certificates.

Actions on the VPN Server Side

  1. Create the self-signed root certificate (rootCA).

$ openssl genrsa -aes256 -passout pass:1234 -out rootCA.key 4096
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/C=AR/ST=UAE/L=Dubai/O=UserGate/OU=QA/CN=QA"

The first command writes rootCA.key encrypted with the passphrase given by -passout (1234 is a placeholder: use a strong passphrase and keep this key off the VPN server, since every certificate signed with it will be accepted by the VPN). The second command asks for that passphrase; add -passin pass:1234 to run it non-interactively. -nodes only affects a key that req generates itself, so it has no effect here.

where rootCA.pem is the root certificate and rootCA.key is its private key.

Verify that the certificate is a CA certificate: the X509v3 Basic Constraints extension in the output must read CA:TRUE:

$ openssl x509 -in rootCA.pem -text

  2. Create a VPN server certificate signed by the root certificate.

  • Requirements: extended key usage serverAuth (the certificate must be usable for server authentication).

  • subjectAltName must contain the DNS name of the VPN server, i.e. the name clients connect to.

$ openssl genrsa -aes256 -passout pass:1234 -out server.pass.key 4096
$ openssl rsa -passin pass:1234 -in server.pass.key -out server-key.pem

where server-key.pem is the VPN server private key written without a passphrase (the second command strips it) and server.pass.key is the passphrase-protected copy.

To generate a certificate signing request, create the file openssl-server.cnf with the data for the request. Example:

[ req ]
prompt = no
# ignored by openssl req; the validity period comes from -days on the signing command
days = 365
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
C = AR
ST = UAE
L = Dubai
O = ep.local
OU = ep.local
# DNS name of the VPN server
CN = vpnserver.ep.local
emailAddress = mail1@ep.local

[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @sans

[ sans ]
# DNS name of the VPN server
DNS.0 = vpnserver.ep.local

Create the certificate signing request from openssl-server.cnf. This step fills in the "Subject" of the certificate:

$ openssl req -new -key server-key.pem -out server.csr -config openssl-server.cnf

Sign the request with the root certificate. This step fills in the "X509v3 extensions" section (keyUsage, extendedKeyUsage and subjectAltName from v3_req); openssl x509 -req does not copy extensions from the CSR by default, which is why -extfile and -extensions are required:

$ openssl x509 -CAcreateserial -req -extfile openssl-server.cnf -extensions v3_req -days 365 -in server.csr -CA rootCA.pem -CAkey rootCA.key -out server-cert.pem

where server-cert.pem is the VPN server certificate. The command asks for the rootCA.key passphrase (or pass it with -passin pass:1234); -CAcreateserial creates rootCA.srl next to the root certificate, which keeps the serial numbers of later certificates unique.

  3. Import the VPN server certificate into the admin console of the NGFW acting as VPN server. To do that, go to the UserGate ➜ Certificates section and click Import. In the pop-up window specify the name of the certificate and add the generated VPN server certificate (server-cert.pem) and its private key (server-key.pem).

  4. Import the root certificate into the admin console of the NGFW acting as VPN server. To do that, go to the UserGate ➜ Certificates section and click Import. In the pop-up window specify the name of the certificate and add the self-signed root certificate (rootCA.pem) without its private key; the root key stays on the machine where the CA was created.

  5. Create a client certificate profile in the admin console of the NGFW acting as VPN server. To do that, go to the UserGate ➜ Client certificate profiles section and click Add. In the window that opens specify the name of the profile, add the root certificate imported at the previous step and choose which certificate field supplies the username: Common name or Subject alt name.

  6. When setting up the VPN you will need to create a VPN security profile. Multiple security profiles may be used to connect different client types. To create a VPN security profile in the admin console of the NGFW acting as VPN server, go to the VPN ➜ Server security profiles section and click Add. In the pop-up window specify the necessary security profile parameters (for details, see VPN settings). If the VPN uses IKEv2, specify the VPN server certificate imported at step 3. If PKI authentication mode is used, also add the client certificate profile created at step 5.

Actions on the VPN Client Side

  1. Create the VPN client certificate.

To generate a certificate signing request for the VPN client, create the file openssl-client.cnf with the data for the request. Example:

[ req ]
prompt = no
# ignored by openssl req; the validity period comes from -days on the signing command
days = 365
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
# C, ST, L, O and OU are optional; O and OU usually hold the domain name
C = AR
ST = UAE
L = Dubai
O = ep.local
OU = ep.local
# Required: ID of the user the certificate is issued to.
# Can be the account under which the connection to the VPN server is established.
CN = u1

[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
# The user under whose account the connection to the VPN server is established.
subjectAltName = otherName:msUPN;UTF8:u1@ep.local

The subjectAltName is used when the client certificate profile takes the username from Subject alt name; with Common name, the CN (u1 here) is used instead.

Generate the private key for the VPN client:

$ openssl genrsa -aes256 -passout pass:1234 -out client.pass.key 4096   # passphrase-protected private key
$ openssl rsa -passin pass:1234 -in client.pass.key -out client-key.pem   # the same key with the passphrase removed

Create the certificate signing request from openssl-client.cnf and sign it with the root certificate (the paths ../rootCA.pem and ../rootCA.key assume the client files are created in a subdirectory of the directory holding the root CA):

$ openssl req -new -key client-key.pem -out client.csr -config openssl-client.cnf
$ openssl x509 -CAcreateserial -req -extfile openssl-client.cnf -extensions v3_req -days 365 -in client.csr -CA ../rootCA.pem -CAkey ../rootCA.key -out client-cert.crt

  2. Create the client.pfx file containing the private key and the user certificate. Windows clients in the Remote Access VPN scenario load this file and use it to connect to the VPN.

$ openssl pkcs12 -export -passout pass:1234 -out client.pfx -inkey client-key.pem -in client-cert.crt

The passphrase given by -passout protects the private key inside the .pfx and is requested by Windows at import time. OpenSSL 3.x encrypts the bundle with AES-256-CBC and PBKDF2 by default; if an older Windows version rejects the file on import, re-create it with the -legacy option.

  3. Import client.pfx on the Windows client into the Local Computer store; with "Automatically select the certificate store" the certificate goes to Personal. Windows validates the VPN server certificate against its own trust store, so the self-signed rootCA.pem must also be trusted there (Trusted Root Certification Authorities).

  4. To use the client certificate on an NGFW node acting as VPN client in the Site-to-Site VPN with IKEv2 scenario, import the created VPN client certificate. To do that, in the admin console of the NGFW acting as VPN client, go to the UserGate ➜ Certificates section and click Import. In the pop-up window specify the name of the certificate and add the generated VPN client certificate (client-cert.crt) and its private key (client-key.pem). Then, when creating the VPN security profile during VPN configuration, go to VPN ➜ Client security profiles and click Add. In the pop-up window specify the necessary security profile parameters (for details, see VPN settings). If the VPN uses IKEv2, select the previously imported VPN client certificate in the "Client certificate" field.
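The server-side steps 1 and 2 and the client-side steps 1 and 2 above are meant to be typed in by hand; the script below is an added example (not code from the UserGate page or from OpenSSL) that runs them non-interactively in a scratch directory and then checks every artifact for the properties the page requires before anything is imported into the NGFW: CA:TRUE on the root, a chain that verifies, serverAuth plus the DNS subjectAltName on the server certificate, clientAuth plus the msUPN otherName on the client certificate, a private key that actually belongs to each certificate, and a .pfx that carries the u1 certificate. Assumptions: the function names, the WORK directory, the added -passin flags (so the encrypted rootCA.key never prompts), the client DN reduced to its required CN, and the placeholder passphrase 1234 and ep.local names from the page.

```shell
#!/usr/bin/env sh
# Added example: builds and checks the page's root CA, server and client
# certificates. Function names, WORK and PASS are assumptions, not part
# of the original procedure.
set -u
WORK="${WORK:-$(mktemp -d)}"
PASS="pass:1234"   # page placeholder; use a strong passphrase for a real CA

# The two request configs from the page (comments on their own lines).
write_configs() {
  cat > "$WORK/openssl-server.cnf" <<'EOF'
[ req ]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = AR
ST = UAE
L = Dubai
O = ep.local
OU = ep.local
CN = vpnserver.ep.local
emailAddress = mail1@ep.local
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @sans
[ sans ]
DNS.0 = vpnserver.ep.local
EOF
  cat > "$WORK/openssl-client.cnf" <<'EOF'
[ req ]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = u1
[ v3_req ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = otherName:msUPN;UTF8:u1@ep.local
EOF
}

# Server step 1: passphrase-protected root key and self-signed root certificate.
make_root_ca() {
  openssl genrsa -aes256 -passout "$PASS" -out "$WORK/rootCA.key" 4096 2>/dev/null &&
  openssl req -x509 -new -key "$WORK/rootCA.key" -passin "$PASS" -sha256 -days 1024 \
    -out "$WORK/rootCA.pem" -subj "/C=AR/ST=UAE/L=Dubai/O=UserGate/OU=QA/CN=QA"
}

# Server step 2 and client step 1: key, CSR from the config, leaf signed by the
# root CA with the v3_req extensions (x509 -req does not copy them from the CSR).
make_leaf() {   # $1 = server|client   $2 = request config
  openssl genrsa -out "$WORK/$1-key.pem" 4096 2>/dev/null &&
  openssl req -new -key "$WORK/$1-key.pem" -out "$WORK/$1.csr" -config "$2" &&
  openssl x509 -req -CAcreateserial -extfile "$2" -extensions v3_req -days 365 \
    -in "$WORK/$1.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
    -passin "$PASS" -out "$WORK/$1-cert.pem" 2>/dev/null
}

# Client step 2: PKCS#12 bundle for Windows (add -legacy on OpenSSL 3.x if an
# older Windows refuses the default AES-256-CBC/PBKDF2 encryption).
make_pfx() {
  openssl pkcs12 -export -passout "$PASS" -out "$WORK/client.pfx" \
    -inkey "$WORK/client-key.pem" -in "$WORK/client-cert.pem"
}

build_all() {
  write_configs && make_root_ca &&
  make_leaf server "$WORK/openssl-server.cnf" &&
  make_leaf client "$WORK/openssl-client.cnf" && make_pfx
}

# Checks: each exits 0 on pass and 1 on fail, so they can be chained or asserted on.
cert_text()   { openssl x509 -in "$WORK/$1-cert.pem" -noout -text; }
root_is_ca()  { openssl x509 -in "$WORK/rootCA.pem" -noout -text | grep -q 'CA:TRUE'; }
chain_ok()    { openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1; }
has_eku()     { cert_text "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"; }
has_san()     { cert_text "$1" | grep -A1 'Subject Alternative Name' | grep -q "$2"; }
key_matches() {   # public key derived from $1-key.pem must equal the one in $1-cert.pem
  [ "$(openssl pkey -in "$WORK/$1-key.pem" -pubout)" = "$(openssl x509 -in "$WORK/$1-cert.pem" -noout -pubkey)" ]
}
pfx_has_u1()  { openssl pkcs12 -in "$WORK/client.pfx" -passin "$PASS" -nokeys 2>/dev/null |
                openssl x509 -noout -subject | grep -q 'CN *= *u1'; }

check_all() {
  root_is_ca && chain_ok server && chain_ok client &&
  has_eku server 'TLS Web Server Authentication' && has_san server 'DNS:vpnserver.ep.local' &&
  has_eku client 'TLS Web Client Authentication' && has_san client 'othername' &&
  key_matches server && key_matches client && pfx_has_u1
}

# Run directly with:  sh vpn-certs.sh run   (prints the scratch directory on success)
if [ "${1:-}" = run ]; then build_all && check_all && echo "all checks passed: $WORK"; fi
```

The has_san check for the client only looks for the word othername because OpenSSL 1.1.1 prints the msUPN value as othername:<unsupported> while 3.x decodes it as UPN::u1@ep.local; to see the actual UPN on 1.1.1, dump the extension with openssl asn1parse. The key_matches check is the one most often skipped in practice and the one that catches a mismatched key/certificate pair before the NGFW import silently fails to authenticate anyone.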