4.5. Managing certificates

UserGate uses HTTPS for device management. It can intercept and decrypt transit SSL traffic (HTTPS, SMTPS, POP3S) and can authenticate administrators by their certificates.

This functionality relies on the following SSL certificates:

Web console SSL certificate

This certificate is used by network administrators for establishing secure HTTPS connections with the UserGate web console.

Captive portal SSL certificate

This certificate secures HTTPS connections to the Captive portal login page, the display of the block page and the logout page on the Captive portal, and the proper operation of the FTP proxy. It must be issued with the following parameters:

  • Subject name: the value configured as the Captive portal auth domain in the General settings section

  • Alternative names: all domains for which this certificate will be used, as shown in General settings:
    - Captive portal auth domain
    - Captive portal logout domain
    - Block page domain
    - FTP over HTTP domain
    - Domain for web portal (in the web portal properties)

By default, the system uses a certificate signed by the SSL inspection certificate and issued for the domain "auth.captive" with the following parameters:
  - Subject name = auth.captive
  - Alternative names = auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive

If the administrator has not uploaded their own certificate for this role, UserGate automatically re-issues this certificate whenever the system administrator changes any of the domains listed in General settings (the domains for auth.captive, logout.captive, block.captive, ftpclient.captive and sslvpn.captive).
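
The Subject name and alternative name requirements above can be checked mechanically before a certificate is imported. The shell script below is an added example, not UserGate's code and not part of the guide: it uses openssl to generate a private key and a CSR carrying the required Subject name and DNS alternative names (the CSR is what a company CA would sign), self-signs a test certificate from the same request, and then checks that certificate's Subject CN and DNS SANs against the domain list. The domain values are the defaults quoted above; the function names, file names and the "captive.*" file prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not UserGate's code): build a key and CSR for the Captive portal
# certificate with the required Subject name and alternative names, then check an
# issued certificate against that list before importing it.
set -eu

# Captive portal domains as configured in General settings. These are the guide's
# defaults; substitute the values from your own General settings section.
CAPTIVE_AUTH_DOMAIN="auth.captive"
CAPTIVE_SANS="auth.captive logout.captive block.captive ftpclient.captive sslvpn.captive"

# Write an OpenSSL request config for Subject CN $1 and the space-separated DNS SANs
# in $2, then produce a key, a CSR and a self-signed test certificate in directory $3.
make_captive_material() {
  cn="$1"; sans="$2"; dir="$3"
  san_list=""
  for d in $sans; do
    san_list="${san_list}${san_list:+,}DNS:${d}"
  done
  cat > "$dir/captive.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no

[ dn ]
CN = ${cn}

[ v3_req ]
subjectAltName = ${san_list}
EOF
  # The CSR is what you submit to your certification authority; the key stays
  # on the device (UserGate never exports private keys).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/captive.key" \
    -out "$dir/captive.csr" -config "$dir/captive.cnf" 2>/dev/null
  # Self-signed certificate standing in for what the CA would return.
  openssl req -x509 -new -key "$dir/captive.key" -days 365 \
    -out "$dir/captive.crt" -config "$dir/captive.cnf" 2>/dev/null
}

# Subject CN of a PEM certificate.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# DNS names from the certificate's subjectAltName extension, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | sed '/^$/d'
}

# Return 0 when the Subject name equals the auth domain and every General settings
# domain appears among the DNS SANs; otherwise report each problem and return 1.
check_captive_cert() {
  crt="$1"; rc=0
  cn=$(cert_subject_cn "$crt")
  if [ "$cn" != "$CAPTIVE_AUTH_DOMAIN" ]; then
    echo "Subject name is '$cn', expected '$CAPTIVE_AUTH_DOMAIN'"; rc=1
  fi
  have=$(cert_dns_sans "$crt")
  for d in $CAPTIVE_SANS; do
    if ! printf '%s\n' "$have" | grep -qx "$d"; then
      echo "alternative name missing: $d"; rc=1
    fi
  done
  return $rc
}

# Demo: generate material for the default domains and check the result.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_captive_material "$CAPTIVE_AUTH_DOMAIN" "$CAPTIVE_SANS" "$WORK"
check_captive_cert "$WORK/captive.crt" && echo "captive.crt meets the Captive portal requirements"
```

Substitute the domains from your own General settings into CAPTIVE_AUTH_DOMAIN and CAPTIVE_SANS, and point check_captive_cert at the PEM file your CA returns before importing it. The check reports every missing alternative name rather than stopping at the first, so one run shows the whole gap between the issued certificate and the configured domains.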

SSL decrypt certificate

This is a CA-class certificate. It is used to create SSL certificates for the Internet hosts whose HTTPS, SMTPS or POP3S traffic is to be decrypted. For example, when decrypting HTTPS traffic from yahoo.com, the original certificate, issued as
  Subject name = yahoo.com
  Issuer name = VeriSign Class 3 Secure Server CA - G3
is replaced with
  Subject name = yahoo.com
  Issuer name = the company name specified in the certificate issued by the CA used in UserGate.

This certificate is also used for generating default certificates for the SSL Captive portal role.
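
To make the replacement concrete, here is an added example, not UserGate's code: a throw-away OpenSSL CA plays the role of the SSL decrypt certificate and issues a certificate for a host name. The script shows that the Subject name stays the host while the Issuer name becomes the CA's name, and why the exported public CA certificate (the "Export certificate" action described later in this section) must be in a workstation's trust store: chain validation fails without it and succeeds with it. "Example Corp", "Example Corp Inspection CA" and www.example.com are constructed names, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not UserGate's code): a throw-away CA standing in for the SSL decrypt
# certificate, to show how the issuer of an inspected host certificate changes and why
# workstations need the exported public CA certificate in their trust store.
set -eu

# Write a minimal OpenSSL request config: $1 = file, $2 = CN, remaining arguments =
# extension lines for the [ ext ] section. "Example Corp" is a constructed name.
write_req_cnf() {
  cnf="$1"; cn="$2"; shift 2
  {
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ext\nreq_extensions = ext\nprompt = no\n\n'
    printf '[ dn ]\nO = Example Corp\nCN = %s\n\n[ ext ]\n' "$cn"
    for line in "$@"; do printf '%s\n' "$line"; done
  } > "$cnf"
}

# Create the CA key and self-signed CA certificate in $1 (the role the guide calls
# the "SSL decrypt certificate").
make_inspection_ca() {
  dir="$1"
  write_req_cnf "$dir/ca.cnf" "Example Corp Inspection CA" \
    "basicConstraints = critical,CA:TRUE" "keyUsage = critical,keyCertSign,cRLSign"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -config "$dir/ca.cnf" 2>/dev/null
}

# Issue a certificate for host $2 signed by the CA in $1: this is the substitute
# certificate the client sees instead of the original one from the public CA.
issue_inspected_cert() {
  dir="$1"; host="$2"
  write_req_cnf "$dir/$host.cnf" "$host" "subjectAltName = DNS:$host"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
    -out "$dir/$host.csr" -config "$dir/$host.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$host.cnf" -extensions ext \
    -out "$dir/$host.crt" 2>/dev/null
}

# Subject CN and Issuer CN of a PEM certificate.
cert_subject_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }
cert_issuer_cn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }

# Export only the certificate (public part), as the "Export certificate" action does;
# this is the file to install as a trusted root on workstations.
export_public_cert() { openssl x509 -in "$1" -out "$2" -outform PEM; }

# SHA-256 fingerprint, to compare a copy fetched from the device with the exported one.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'; }

# Chain validation with the CA certificate as trust anchor, and with no trust store at all.
verify_with_ca()    { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
verify_without_ca() { openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; }

# Demo: issue a substitute certificate for www.example.com (constructed host name).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_inspection_ca "$WORK"
issue_inspected_cert "$WORK" "www.example.com"
echo "Subject name = $(cert_subject_cn "$WORK/www.example.com.crt")"
echo "Issuer name  = $(cert_issuer_cn "$WORK/www.example.com.crt")"
export_public_cert "$WORK/ca.crt" "$WORK/ca_public.pem"
echo "CA fingerprint: $(cert_fingerprint "$WORK/ca_public.pem")"
verify_without_ca "$WORK/www.example.com.crt" && echo "trusted without the CA" || echo "not trusted until ca_public.pem is installed"
verify_with_ca "$WORK/ca_public.pem" "$WORK/www.example.com.crt" && echo "trusted once ca_public.pem is installed"
```

The file written by export_public_cert carries no private key, which is what makes it safe to distribute to every workstation. cert_fingerprint gives the value to compare when a user has fetched the CA certificate from the device over plain HTTP rather than from the administrator's exported copy.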

SSL inspection intermediate CA

This certificate can be used in organizations where SSL inspection certificates are issued by a chain of certification authorities. Note that only public keys are required.

SSL inspection (root)

The root certificate in the certification authority chain that was used for issuing the SSL inspection certificate. Only the public key of the certificate is required for proper operation.

User certificate

The certificate assigned to a user by UserGate. The user can be created locally or obtained from LDAP. The certificate can be used to authenticate the user when accessing resources published according to the Reverse proxy rules.

Web console auth CA

Certification authority certificate used to authenticate administrators to the web console in X.509 certificate authentication mode. Administrators' certificates must be signed by this certificate.

SAML server

The certificate is necessary for interaction between UserGate and the SSO SAML IDP server. For details on how to set up interaction between UserGate and the SAML IDP authentication server, please refer to the corresponding section of the Guide.

Web portal

The certificate used for the web portal. When this certificate is not specified explicitly, UserGate applies the SSL Captive portal certificate issued on the basis of the SSL inspection certificate. For more details on how to set up the web portal, please refer to the corresponding section of the Guide.

Although you can create multiple certificates of the types "web console SSL", "Captive portal SSL certificate" and "SSL decrypt certificate", only one certificate of each type can be in use at a time. The system can store multiple certification authority certificates for web console authentication and use any of them when checking the authenticity of administrator certificates.

To create a new certificate, perform the following steps:

Step 1. Create a new certificate

Click Generate --> New certificate in the Certificates section.

Step 2. Fill in the necessary fields

Fill in the following mandatory fields:

  • Name - name of the certificate that will be shown in the list of certificates

  • Description - certificate's description

  • Country - specify the country in which you want to issue the certificate

  • Region or state - specify the region or state in which you want to issue the certificate

  • City - specify the city in which you want to issue the certificate

  • Company name - specify the name of the company for which you want to issue the certificate

  • Common name - specify the name of the certificate. For compatibility with most web browsers, it is recommended that you use only Latin letters

  • E-mail - specify the e-mail address of your company

Step 3. Set the type of created certificate

Once the certificate is created, you need to set its type, that is, the role or roles the certificate will perform. Select the created certificate in the list and click Edit. Set the certificate's type ("web console SSL", "SSL inspection" or "web console auth CA"). If you selected "web console SSL", UserGate restarts the web console to apply the change. An SSL inspection certificate takes effect immediately. For more details about SSL decryption, please refer to the SSL inspection section.

In UserGate, you can export the internally created certificates or import certificates from other systems, e.g. from the trusted certification authority of your company.

To export a certificate, perform the following steps:

Step 1. Select a certificate for exporting

Select the desired certificate in the list of certificates.

Step 2. Export the selected certificate

Select the type of export:

  • Export certificate - exports the certificate (its public key) in PEM format, without the private key. Use this file to install a trusted root certificate on every workstation. For more details, please refer to Appendix 1: Installing a certificate issued by the local certification authority.

  • Export CSR - exports the certificate signing request (CSR), e.g. in order to have it signed by a certification authority.

Important! It is recommended that you save the certificate and its private key for backup purposes.

Important! For security reasons, UserGate does not allow exporting the private keys of certificates.

Important! Users can download the SSL decrypt certificate directly from UserGate via the link:
http://UserGate_IP:8002/cps/ca

To import an existing certificate, you need the certificate's public key and, optionally, its private key. Then perform the following steps:

Step 1. Start the import

Click the Import button.

Step 2. Fill in the necessary fields

Fill in the following fields:

  • Name - the name of the certificate as it will be shown in the list of certificates

  • Description - certificate's description

  • Upload a file containing the certificate's data

  • Upload a file containing the certificate's private key