4.5. Certificate Management

UserGate is managed over HTTPS. It can also intercept and decrypt SSL/TLS-protected user traffic in transit (HTTPS, SMTPS, POP3S) and authenticate administrators to the web console with client certificates.

To perform these functions, UserGate employs different types of certificates:

Name

Description

Web console SSL certificate

Used to create a secure HTTPS administrator connection to the UserGate web console.

Captive portal SSL certificate

Used to create a secure HTTPS user connection to the captive portal auth page, to display the block page and the captive portal logout page, and for FTP over HTTP proxy operation. Because a single certificate serves all of these names, it must be issued with the following parameters:

  • Subject name: the value set for the Captive portal auth domain on the General settings page.

  • Alternative names: all domains for which this certificate is used, as specified on the General settings page:

      • Captive portal auth domain.

      • Captive portal logout domain.

      • Block page domain.

      • FTP over HTTP domain.

      • Web portal domain (specified in the web portal settings).

By default, UserGate uses a certificate for the auth.captive domain, signed by the SSL inspection certificate, with the following parameters:

  • Subject name = auth.captive

  • Alternative names = auth.captive, logout.captive, block.captive, ftpclient.captive, sslvpn.captive

If the administrator has not uploaded their own certificate for this role, UserGate automatically reissues this default certificate whenever one of the corresponding domains on the General settings page is changed (the auth, logout, block page, FTP over HTTP, and web portal domains, which default to auth.captive, logout.captive, block.captive, ftpclient.captive, and sslvpn.captive). A certificate uploaded by the administrator is not reissued, so if those domains change, a new certificate covering the new names must be uploaded.

SSL inspection certificate

This is a CA certificate used to issue the substitute certificates for the Internet hosts whose HTTPS, SMTPS, or POP3S traffic is intercepted. For example, when HTTPS traffic to yahoo.com is intercepted, the original certificate, issued with

Subject name = yahoo.com

Issuer name = VeriSign Class 3 Secure Server CA - G3,

is replaced by one with

Subject name = yahoo.com

Issuer name = [the company named in the CA certificate added to UserGate].

The subject stays the same and only the issuer changes, so clients accept the substitute certificate without warnings only if they trust this CA (see the export procedure below for distributing it). This certificate is also used to create the default certificate for the SSL captive portal role.

SSL inspection intermediate CA

An intermediate CA certificate in the chain that issued the SSL inspection certificate. Only the certificate (the public part) is required; no private key is needed.

SSL inspection root CA

The root CA certificate of the chain that issued the SSL inspection certificate. Only the certificate (the public part) is required; no private key is needed.

User certificate

The certificate assigned to a UserGate user, whether the user was created locally or imported from LDAP. It can be used to authenticate the user when accessing resources published through reverse proxy rules.

Web console certification chain

This is the CA (also referred to as the web console authorization CA) used to authenticate administrators to the web console by certificate. For authentication to succeed, the administrator's certificate must have been issued by a CA of this type.

SAML server

Supports UserGate operation together with an SSO SAML IdP server. For details on configuring UserGate to work with a SAML IdP, see the relevant section of this Guide.

Web portal

The certificate used for the web portal. If none is specified explicitly, UserGate uses the default SSL captive portal certificate, which is signed by the SSL inspection certificate. For details on configuring the web portal, see the relevant section of this Guide.

There can be several web console SSL, captive portal SSL, and SSL inspection certificates, but only one certificate of each type can be active and used for its purpose at a time. There can also be several web console certification chain (web console authorization CA) certificates, and each of them is used to verify administrator certificates.
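The chain of certificate types above (SSL inspection root CA, SSL inspection intermediate CA, SSL inspection certificate) and the two certificates it signs, the substitute yahoo.com certificate and the default captive portal certificate, as an added worked example. This is demo code written for this page with openssl, not UserGate's own tooling or files; "Example Corp", the CA names, the yahoo.com alternative names and the temporary file layout are assumptions, and the five captive-portal domains are the defaults the guide lists. It requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not UserGate code: build the root -> intermediate -> SSL
# inspection CA chain with openssl, then use the inspection CA to re-issue
# yahoo.com's certificate (what SSL inspection does) and to issue the default
# captive-portal certificate with the subject and alternative names required.
# Assumptions: openssl 1.1.1+ on PATH; "Example Corp" and the file names are
# invented for the demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained req config so the demo does not depend on the system
# openssl.cnf. The empty [dn] section is filled from -subj on each call;
# [leaf_ext] must stay last because issue_leaf appends a SAN line to it.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_ca NAME CN [SIGNER]: self-signed root when SIGNER is omitted,
# otherwise a CA certificate issued under SIGNER.
make_ca() {
  name=$1; cn=$2; signer=${3:-}
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  if [ -z "$signer" ]; then
    openssl req -x509 -new -key "$WORK/$name.key" -subj "/O=Example Corp/CN=$cn" \
      -config "$WORK/openssl.cnf" -extensions ca_ext -sha256 -days 3650 \
      -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl req -new -key "$WORK/$name.key" -subj "/O=Example Corp/CN=$cn" \
      -config "$WORK/openssl.cnf" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.crt" \
      -CAkey "$WORK/$signer.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
      -extensions ca_ext -sha256 -days 1825 -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# issue_leaf NAME CN SANS: server certificate issued by the inspection CA.
# SANS is an openssl SAN list such as "DNS:a.example,DNS:b.example".
issue_leaf() {
  name=$1; cn=$2; sans=$3
  { cat "$WORK/openssl.cnf"; printf 'subjectAltName = %s\n' "$sans"; } > "$WORK/$name.cnf"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
    -config "$WORK/$name.cnf" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/inspection.crt" \
    -CAkey "$WORK/inspection.key" -CAcreateserial -extfile "$WORK/$name.cnf" \
    -extensions leaf_ext -sha256 -days 365 -out "$WORK/$name.crt" 2>/dev/null
}

subject_of() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
issuer_of()  { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

# verify_chain NAME: validate NAME.crt as a client that trusts only the root,
# with the intermediate and inspection CA supplied as untrusted chain certs.
verify_chain() {
  cat "$WORK/intermediate.crt" "$WORK/inspection.crt" > "$WORK/chain.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# has_all_sans NAME "d1 d2 ...": succeed only if every domain is a DNS SAN.
has_all_sans() {
  for d in $2; do
    openssl x509 -in "$WORK/$1.crt" -noout -text \
      | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' | grep -qx "DNS:$d" || return 1
  done
}

make_ca root "Example Root CA"
make_ca intermediate "Example Intermediate CA" root
make_ca inspection "Example SSL Inspection CA" intermediate

# What a browser sees after inspection: same subject, issuer replaced.
issue_leaf yahoo yahoo.com "DNS:yahoo.com,DNS:www.yahoo.com"

# Default captive-portal certificate: CN is the auth domain, SANs are all five.
CAPTIVE_DOMAINS="auth.captive logout.captive block.captive ftpclient.captive sslvpn.captive"
san=""; for d in $CAPTIVE_DOMAINS; do san="${san:+$san,}DNS:$d"; done
issue_leaf captive auth.captive "$san"

echo "$(subject_of yahoo) / $(issuer_of yahoo)"
verify_chain yahoo && verify_chain captive && echo "both leaves chain to the root"
has_all_sans captive "$CAPTIVE_DOMAINS" && echo "captive-portal SANs cover all five domains"
```

The has_all_sans check is the one to run on a certificate before uploading it for the captive portal role, and verify_chain shows why the exported inspection certificate has to be trusted on clients: the substitute yahoo.com certificate validates only when a trust anchor for the inspection CA's chain is present.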

To create a new certificate, follow these steps:

Task

Description

Step 1. Create a new certificate.

In the Certificates section, click Create.

Step 2. Fill in the relevant fields.

Provide values for these fields:

  • Name: the name under which the certificate will be displayed in the certificate list.

  • Description: a description of the certificate.

  • Country: the country where the certificate is being issued.

  • State or province name: the state or province where the certificate is being issued.

  • Locality name: the city or town where the certificate is being issued.

  • Organization name: the name of the organization to which the certificate is being issued.

  • Common name: the subject common name (CN) of the certificate. For compatibility with most browsers, use only ASCII (Latin) characters.

  • Email: your company's email.

Step 3. Specify the purpose of the certificate.

After creating the certificate, specify its role in UserGate: select the certificate in the list, click Edit, and choose the certificate type (web console SSL, SSL inspection, web console authorization CA). If you select the web console SSL type, UserGate restarts the web console service and prompts you to reconnect using the new certificate. An SSL inspection certificate takes effect as soon as you select it. For details on HTTPS traffic inspection, see the chapter SSL Inspection.

UserGate can export certificates created on the device and import certificates created elsewhere, e.g., a certificate issued by a CA trusted by your organization.

To export a certificate, follow these steps:

Task

Description

Step 1. Select a certificate for export.

Select the desired certificate in the certificate list.

Step 2. Export the certificate.

Select the export type:

  • Export certificate: export the certificate in .der format, without the private key. Install the exported SSL inspection certificate on user computers as a trusted local CA; see Appendix 2. Installing local CA certificates.

  • Export CSR: export a certificate signing request (CSR) for the certificate's key pair, e.g., to have it signed by an external CA. The private key stays on the device; only the request leaves it.

Note

It is recommended to keep a copy of the exported certificate so that it can be restored later.

Note

For security purposes, UserGate does not allow the export of private keys for certificates.

Note

Users can download the SSL inspection certificate for installation on their own computers directly from the UserGate server at: http://UserGate_IP:8002/cps/ca

To import a certificate, you need the certificate file and, optionally, its private key and the issuing CA chain. If you have them, follow the steps below:

Task

Description

Step 1. Start the import procedure.

Click Import.

Step 2. Fill in the relevant fields.

Provide values for these fields:

  • Name: the name under which the certificate will be displayed in the certificate list.

  • Description: a description of the certificate.

  • Certificate file: upload the certificate file.

  • Private key: upload the certificate's private key file. A key is needed for roles that terminate connections or sign certificates (web console SSL, captive portal SSL, SSL inspection, web portal); CA-only roles such as the SSL inspection root and intermediate CAs need only the certificate.

  • Passphrase: specify the private key passphrase (if required).

  • Certificate chain: a file containing the intermediate and root CA certificates that issued this certificate. This field is optional, but clients can only build a trusted path if every issuing CA up to a root they trust is available, so supply the chain whenever the certificate was not issued directly by a trusted root.
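The export CSR, external signing and import steps above as one added worked example in openssl. It is demo code written for this page, not UserGate's own code or file format; the organization CA, the subject values (ug.example.internal, Example Corp, the e-mail address), the passphrase and the temporary file names are assumptions. It requires openssl 1.1.1 or later and shows the checks worth running on the files before they are uploaded in the import form.

```shell
#!/bin/sh
# Added example, not UserGate code: the Export CSR -> sign at an external CA ->
# import round trip done with openssl, with the checks worth running before
# the files go into the import form. Assumptions: openssl 1.1.1+ on PATH; the
# subject values, host name, "Example Corp" CA and passphrase are invented.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (no dependence on the system openssl.cnf); [dn] is
# filled from -subj. The organization CA stands in for "a CA trusted by your
# organization"; it is single-tier here, so the chain file is just its cert.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ug.example.internal
EOF
openssl genrsa -out "$WORK/orgca.key" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/orgca.key" -subj "/O=Example Corp/CN=Example Corp Issuing CA" \
  -config "$WORK/openssl.cnf" -extensions ca_ext -sha256 -days 3650 -out "$WORK/orgca.crt" 2>/dev/null

# Step 2 fields as an openssl subject; emailAddress is openssl's name for Email.
SUBJECT="/C=US/ST=California/L=San Jose/O=Example Corp/CN=ug.example.internal/emailAddress=pki@example.internal"
PASSPHRASE='correct horse battery staple'

# make_csr: key pair plus CSR. Only ug.csr leaves this host; the key never does.
make_csr() {
  openssl genrsa -out "$WORK/ug.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ug.key" -subj "$SUBJECT" -config "$WORK/openssl.cnf" \
    -out "$WORK/ug.csr" 2>/dev/null
}
csr_subject() { openssl req -in "$WORK/ug.csr" -noout -subject; }

# ca_sign: what the organization CA does with the exported CSR.
ca_sign() {
  openssl x509 -req -in "$WORK/ug.csr" -CA "$WORK/orgca.crt" -CAkey "$WORK/orgca.key" \
    -CAcreateserial -extfile "$WORK/openssl.cnf" -extensions server_ext -sha256 -days 365 \
    -out "$WORK/ug.crt" 2>/dev/null
}

# export_der: "Export certificate" gives DER with no private key; this is the
# equivalent. fingerprint reads either encoding so the two can be compared.
export_der() { openssl x509 -in "$WORK/ug.crt" -outform DER -out "$WORK/ug.der"; }
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# protect_key: encrypted PKCS#8 copy of the key, the form that needs the
# Passphrase field on import.
protect_key() {
  openssl pkcs8 -topk8 -in "$WORK/ug.key" -passout "pass:$PASSPHRASE" \
    -out "$WORK/ug.enc.key" 2>/dev/null
}

# key_matches_cert KEYFILE [PASSPHRASE]: the check to run before uploading a
# certificate and a private key together: both must carry the same public key.
# A wrong passphrase or a foreign key makes it fail.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/ug.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout -passin "pass:${2:-}" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_cn: the CN the CA actually put in the certificate.
cert_cn() { openssl x509 -in "$WORK/ug.crt" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'; }

# chain_ok: validate the certificate against the file for "Certificate chain".
chain_ok() {
  cp "$WORK/orgca.crt" "$WORK/chain.pem"
  openssl verify -CAfile "$WORK/chain.pem" "$WORK/ug.crt" >/dev/null 2>&1
}

make_csr; ca_sign; export_der; protect_key
echo "CSR subject: $(csr_subject)"
[ "$(fingerprint "$WORK/ug.der" DER)" = "$(fingerprint "$WORK/ug.crt" PEM)" ] && echo "DER export matches"
key_matches_cert "$WORK/ug.enc.key" "$PASSPHRASE" && echo "encrypted key matches certificate"
chain_ok && echo "certificate validates against the chain file"
```

key_matches_cert catches the commonest import mistake, uploading a certificate with a key that does not belong to it or with the wrong passphrase; chain_ok confirms that the file for the Certificate chain field actually leads from the certificate to a trusted CA.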