3.9. Certificates

3.9.1. Overview

The X.509 Standard

cOS Core supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this document to certificates mean X.509 certificates.

When distributed to another party, a certificate performs two functions:

  • It distributes the certificate owner's public key.

  • It establishes the certificate owner's identity.

A certificate acts as a digital proof of identity. It links an identity to a public key in order to establish whether a public key truly belongs to the supposed owner. By doing this, it prevents data transfer interception by a malicious third-party who might post a fake key with the name and user ID of an intended recipient.

Certificate Components

A certificate consists of the following:

  • A public key.

  • The "identity" of the user, such as name and user ID.

  • Digital signatures that verify that the information enclosed in the certificate has been verified by a CA.

By binding the above information together, a certificate is a public key with identification attached, coupled with a stamp of approval by a trusted party.

Certificates in the cOS Core Configuration

A certificate is defined in a configuration as a logical Certificate object. The corresponding key data files for each object are stored in the cOS Core folder called certificates. The key files for Certificate objects can either come from an external source or can be created internally by cOS Core.

There is a single predefined certificate object in all cOS Core configurations which is the self-signed certificate called HTTPSAdminCert and this is sent to a browser when opening a Web Interface management session using HTTPS. It is also used with SSL VPN.

A list of currently defined Certificate objects can be displayed using either the Web Interface or InControl or the CLI. To do this with the CLI, use the show command:

Device:/> show Certificate
			
   Name            Type   Comments
   --------------  -----  --------
   HTTPSAdminCert  Local  <empty>

To view the properties of this certificate in the CLI:

Device:/> show Certificate HTTPSAdminCert
			
         Property  Value           Remarks
-----------------  --------------  ---------
            Name:  HTTPSAdminCert
            Type:  Local
 CertificateData:  (binary data)
      PrivateKey:  (binary data)
       CRLChecks:  Enforced
CRLDistPointList:  <empty>
         PKAType:  RSA             Read-only
            IsCA:  No              Read-only
       Attribute:  <empty>
        Comments:  <empty>

[Note] Note: Certificate objects cannot be added using the CLI

The Add command cannot be used to create new certificate objects in the CLI. Instead, certificate key files are uploaded directly using the Web Interface or SCP and the upload action also creates the logical object. Alternatively, the Web Interface can be used to generate the logical object and the associated key files.

Certificate Object Properties

The key properties of a Certificate object are the following:

  • Type

    The Type property of a Certificate object can take one of the following values:

    1. Local

      This is the type for most certificates and means both the public key and the private key of the certificate is stored on the firewall.

      Local certificates can be signed or unsigned. They always consist of two files. A public key file with the filetype .cer and a private key file with the filetype .key.

    2. Remote

      This is the type for remote certificates which have the public key file residing locally in cOS Core and the private key file present on a CA server. Often, the certificate is a CA signed root certificate used to validate other certificates.

      These certificates consist of just a single public key file with a filetype of .cer.

    3. Request

      If a certificate object has been created through InControl and an outstanding certificate request has been generated then this is the type. This is explained further below.

  • CRL Checks

    The CRL Checks property of a Certificate object determines if the certificate revocation list (CRL) for the certificate is to be checked by cOS Core and what happens if the CRL cannot be retrieved to do the checking. The possible values for this property are the following:

    1. Enforced

      This is the default and means that the associated CRL must be checked before the certificate can be used for authentication. If the associated CRL cannot be retrieved, perhaps because a CA server is offline, then the certificate will be unusable and authentication will fail.

      If the certificate has no CRL associated with it then enforced checking is ignored. A self-signed certificate, such as the ones used for cOS Core management connections, do not have an associated CRL but will still have this default option selected. This is also true for any end-entity (host) certificates created using the certificate generation function in cOS Core.

    2. Conditional

      CRL checking will be performed by cOS Core provided any associated CRL is available. If the CRL cannot be accessed, perhaps because a CA server is offline, then the certificate will be used anyway.

    3. Disabled

      This causes all CRL checking to be disabled. The certificate will be used even if there is a CRL associated with it.

    Further discussion of CRLs can be found later in this section.

  • CRL Distribution Point List

    The CRL Distribution Point List property of a Certificate object can be set to a CRL Distribution Point List configuration object defined by the administrator. This can provide alternative means to perform CRL checking if it is enabled. Distribution points are described further in Section 3.9.3, CRL Distribution Point Lists.

Adding Certificates Objects to cOS Core

A Certificate configuration object is used for defining a logical certificate in cOS Core. When such an object is added, it acts as a holder for associated certificate files. Certificate files are associated with a certificate object in one of the following ways:

  • Import External Certificate Files

    Certificate files stored on the management computer's local hard disk are imported into cOS Core.

  • Create Certificates within cOS Core

    The Web Interface can be used to create all types of certificates within cOS Core. This is explained further in Section 3.9.5, Generating Certificates.

  • Using InControl

    InControl can be used to perform either of the following functions:

    1. Creating Self-signed Certificates

      InControl provides a way to create self-signed certificates. This duplicates the creation function in the Web Interface which is described above but provides more options.

    2. Creating Certificate Requests

      A certificate object can be created in InControl along with a certificate request. The request is then sent to a CA which returns the signed certificate file. The returned file is then imported through InControl into the certificate object to yield a CA signed certificate.

      Between creating the request and importing the signed certificate file, the certificate object has a Type set to the value Request.

    These functions are described in detail in an appendix of the separate InControl Administration Guide.

Certificate Authorities

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by any third party.

A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.

Note that there is an article in the Clavister Knowledge Base that describes using CA certificates issued by commercial certificate authorities at the following link:

https://kb.clavister.com/346360399

Root Certificates and Host Certificates

If a certificate is used for authentication, then it can be referred to as a Host Certificate but is sometimes referred to in cOS Core as a Gateway Certificate. The certificate will consist physically of two files, a .cer file containing the public key and a .key file containing the private key. Both files must be loaded into cOS Core.

If the host certificate is CA signed then the Root Certificate provided by the signing CA will also need to be loaded into cOS Core. This is just a single .cer file containing the public key of the CA. Self-signed certificates will not have a corresponding root certificate.

Certificate Chains

A CA can also issue certificates to other CAs. This can lead to a chain-like certificate hierarchy. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. The certificates between the root and host certificates are called Intermediate Certificates and consist physically of a single .cer file containing a public key.

The Certification Path refers to the path of certificates leading from one certificate to another. When verifying the validity of a host certificate, the entire path from the host certificate up to the trusted root certificate has to be available. For this reason, all intermediate certificates between the root certificate and the host certificate must be loaded into cOS Core.

Chained certificates are supported in the following cOS Core features:

  • Access with HTTPS to the Web Interface.

  • IPsec VPN.

  • OneConnect.

  • The TLS ALG.

[Note] Note: Certificate Chains

When a file containing a certificate chain is uploaded (WebUI or SCP), each certificate will be saved as a separate certificate object in the key ring. The leaf certificate in the chain is identified by the name given to the certificate object, and the intermediate nodes are identified by the given name followed by "_C#" where the "#" is the certificate order in the chain counting from the leaf.

Example: WebServer, WebServer_C1, WebServer_C2.

Certificates with IPsec Tunnels

An important use of certificates in cOS Core is with IPsec tunnels. The simplest and fastest way to provide security between the ends of a tunnel is to use Pre-shared Keys (PSKs). As a VPN network grows, so does the complexity of using PSKs. Certificates provide a means to better manage security in much larger networks.

Note that in cOS Core IPsec VPN, the maximum length of a certificate chain is 4. In IPsec scenarios with roaming clients, the client's certificate will be at the bottom of the certificate chain.

Validity Time

A certificate is not valid forever. Each certificate contains values for two points in time between which the certificate is valid. When this validity period expires, the certificate can no longer be used and a new certificate must be issued.

[Important] Important: The system date and time must be correct

Make sure the cOS Core system date and time are set correctly when using certificates. Problems with certificates, for example in VPN tunnel establishment, can be due to an incorrect system date or time.

The Certificate Cache

cOS Core maintains a Certificate Cache in local memory which provides processing speed enhancement when certificates are being used by IPsec tunnels.

The certificate cache is only used when certificate based IPsec tunnels are opened. The current contents can be examined with the CLI command certcache with no parameters or with the -verbose option:

Device:/> certcache -verbose

When updating certificates it can be advisable to empty the cache if an older copy might be found there. The certificate cache can be emptied in one of the following ways:

  • The -flush option can be used with the certcache command:

    Device:/> certcache -flush

    This will only remove entries which are not currently in use by an IPsec tunnel.

  • cOS Core is restarted. This will completely clear the cache and can be performed using the following CLI command:

    Device:/> shutdown

Certificate Revocation Lists (CRLs)

A Certificate Revocation List (CRL) contains a list of all certificates that have been canceled before their expiration date. They are normally held on an external server which is accessed to determine if the certificate is still valid. The CRL is downloaded from the server and cOS Core performs the validation of the certificate against the list. The ability to validate a user certificate in this way is a key reason why certificate security simplifies the administration of large user communities.

CRLs are published on servers that all certificate users can access, using either the LDAP or HTTP protocols. Revocation can happen for several reasons. One reason could be that the keys of the certificate have been compromised in some way, or perhaps that the owner of the certificate has lost the rights to authenticate using that certificate, perhaps because they have left the company. Whatever the reason, server CRLs can be updated to change the validity of one or many certificates.

Certificates will usually contain a CRL Distribution Point (CDP) field, which specifies one or more URLs with which the relevant CRL can be downloaded. In some cases, a certificate may not contain this field and the location of the CRL has to be configured manually. In cOS Core this is done by specifying a CRL Distribution Point List object and associating this with the certificate in the configuration. This is explained further in Section 3.9.3, CRL Distribution Point Lists.

A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is configured. Typically, this is somewhere between an hour to several days.

For cOS Core to check the CRL for a given certificate it may need access to an external CA server. Allowing this access is discussed in detail in Section 3.9.4, CA Server Access.

Trusting Certificates

When using certificates, cOS Core will trust a party whose certificate is signed by a given CA. Before a certificate is accepted, the following steps are taken to verify the validity of the certificate:

  • Construct a certification path up to the trusted root CA.

  • Verify the signatures of all certificates in the certification path.

  • Fetch the CRL for each certificate to verify that none of the certificates have been revoked.

ID Lists

In addition to verifying the signatures of certificates, cOS Core can also use an ID list object when authenticating a connecting IPsec client. An ID list contains all IDs that are allowed access through a specific IPsec tunnel. An ID is sent by the peer during the IKE negotiation and if a matching tunnel is found with this remote ID, authentication is then performed by checking to see if the certificate sent by the client contains that ID.

Using IPsec ID lists with certificates is described further in Section 10.3.18, Using ID Lists with Certificates.

Reusing Root Certificates

In cOS Core, root certificates should be seen as global entities that can be reused between VPN tunnels. Even though a root certificate is associated with one VPN tunnel in cOS Core, it can still be reused with any number of other, different VPN tunnels.

Other Considerations

A number of other factors should be kept in mind when using certificates:

  • If Certificate Revocation Lists (CRLs) are used then the CRL distribution point is defined as an FQDN (for example, caserver.example.com) which must be resolved to an IP address using a public DNS server. At least one DNS server that can resolve this FQDN should therefore be defined in cOS Core.

    The CRL distribution point can be contained in the certificate but cOS Core provides the ability to associate alternative CRL distribution points with a certificate. This is described further in Section 3.9.3, CRL Distribution Point Lists.

  • Do not get the Host Certificate files and Root Certificate files mixed up. Although it is not possible to use a Host Certificate in cOS Core as a Root Certificate, it is possible to accidentally use a Host Certificate as a Root Certificate.

  • Host certificates have two files associated with them and these have the filetypes .key file and .cer. The filename of these files must be the same for cOS Core to be able to use them. For example, if the certificate is called my_cert then the files my_cert.key and my_cert.cer.

3.9.2. Uploading and Using Certificates

Certificate File Uploading

Certificate files can be uploaded to cOS Core in one of two ways:

  • Upload using Secure Copy (SCP).

  • Upload through the Web Interface or InControl.

For certificate files containing more than one certificate (certificate chains), see the note located here.

SCP Uploading of Certificate Files to cOS Core

The following example command lines show how a typical SCP command utility might upload a certificate consisting of the two files called cert-1.cer and cert-1.key. It is assumed that the firewall which has the management IP address 192.168.3.1:
 > scp C:\cert-1.cer admin@192.168.3.1:certificate/my_cert
 > scp C:\cert-1.key admin@192.168.3.1:certificate/my_cert
The certificate object name in cOS Core is my_cert for the certificate and this is how it is referenced by other objects in the configuration.

All certificate uploads should be followed by the configuration being activated since it has been changed with new objects.

Graphical Interface Uploading

This example covers importing certificate files with the Web Interface or InControl.

As mentioned earlier, there can be one or two files to upload depending on the certificate type:

  • Local Certificates

    These certificates consist of both a public key .cer file and a private key file with the filetype .key.

  • Remote Certificates

    A Remote Certificate is issued by a CA authority and consists of just a single file with a filetype of .cer and this is the public key. The private key is kept on the CA server. The cOS Core upload procedure consists of uploading this one file.

Example 3.52. Uploading a Certificate with the Web Interface or InControl

In this example, one or more certificate files stored on the management computer's disk are to be uploaded.

InControl

  1. Go to: Objects > General > Key Ring > Add > Certificate
  2. Specify a suitable name for the certificate, for example my_cert
  3. Select Upload as the source
  4. Select Browse
  5. Use the file chooser to select a certificate file and any related private key file.
  6. Click OK

Web Interface

  1. Go to: Objects > Key Ring > Add > Certificate
  2. Specify a suitable name for the certificate, for example my_cert
  3. Select the option Upload (this is the default)
  4. Use the Certificate file chooser to select a local public key .cerfile.
  5. If the certificate is local, use the Private Key file chooser to select the private key certificate file.
  6. Click OK

Using Uploaded Certificates

Once certificates are uploaded, they are stored in non-volatile cOS Core "disk" memory. To be used they must be explicitly associated with a configuration object. For example, an IPsec tunnel object that uses certificates must be assigned a Gateway and Root certificate.

Example 3.53. Associating Certificates with IPsec Tunnels

To associate an imported certificate with an IPsec tunnel.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Network > Interfaces and VPN > IPsec
  2. Display the properties of the IPsec tunnel
  3. Select Authentication
  4. Select the X509 Certificate option
  5. Select the correct Gateway and Root certificates
  6. Click OK

3.9.3. CRL Distribution Point Lists

cOS Core allows the administrator to define one or more cOS Core CRL Distribution Point List (CDPL) objects. Each list is composed of one or more entries, each entry specifying the URL of a server that can provide a Certificate Revocation List (CRL) to cOS Core for validating the certificate.

To use CDPLs in cOS Core, the following steps are used:

  1. Load certificates into cOS Core.

  2. Define a CRL Distribution Point List.

  3. Associate the CRL Distribution Point List with a certificate.

Once the association is made between a certificate and a CDPL, all CRL lookups for that certificate are done using the entries in the associated CDPL. The first entry in the associated list is tried first and if that fails the second is tried, and so on. It does not matter if the certificate has its own embedded CDPL or not, the CDPL associated with it in cOS Core will always be used.

In the case of a certificate chain, only the certificate at the top of the chain needs to associated with the CDPL defined in cOS Core. This CDPL will then take precedence over any CDPL embedded in the top level certificate or any certificate at a lower level of the chain.

By forcing certificates to use the CDPL defined by the administrator instead of any CRL embedded in the certificate, the administrator can ensure access to a functioning and accessible CA server.

Example 3.54. CRL Distribution Point List

This example creates a CDPL object called my_cdpl and associates it with a certificate called my_cert with a single URL of http://crls.example.com. It is assumed that my_cert has already been uploaded into cOS Core.

The CRL checks property for the certificate will be left as the default value of Enforced which means that a CRL check against the list retrieved from the http://crls.example.com server will always be done.

Command-Line Interface

A. Configure the distribution point list:

First, add the distribution point list:

Device:/> add CRLDistPointList my_cdpl

Next, change the CLI context to be the list:

Device:/> cc CRLDistPointList my_cdpl

Then add the distribution point to the list:

Device:/my_cdpl> add CRLDistPoint URL=http://crls.example.com

Finally, change the CLI context back to the default:

Device:/my_cdpl> cc
Device:/> 

B. Associate the distribution point list with the certificate:

Device:/> set Certificate my_cert CRLDistPointList=my_cdpl

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Configure the distribution point list:

  1. Go to: Objects > CRL Distribution Point Lists
  2. Select Add > CRL Distribution Point List
  3. For Name enter my_cdpl
  4. Select CRL Distribution Points
  5. Select Add
  6. For URL enter http://crls.example.com
  7. Click OK to save the distribution point
  8. Click OK to save the distribution point list

B. Associate the distribution point list with the certificate:

  1. Go to: Objects > Key Ring
  2. Select the certificate my_cert
  3. Set the Manual CRL dist. points property to be my_cdpl
  4. Click OK

3.9.4. CA Server Access

Overview

Certificate validation can be done by accessing a separate Certifícation Server (CA) server. For example, the two sides of an IPsec tunnel exchange their certificates during the tunnel setup negotiation and either may then try to validate the received certificate by performing a CRL (certificate revocation list) lookup against the relevant external server.

A certificate can contain a URL (the CRL Distribution Point) which specifies the validating CA server and server access is performed using an HTTP GET request with an HTTP reply. (This URL is more correctly called an FQDN - Fully Qualified Domain Name.)

If a certificate does not contain a distribution point, this can be defined separately in cOS Core by specifying a CRL Distribution Point List object and associating this with a certificate in the configuration. This is explained further in Section 3.9.3, CRL Distribution Point Lists.

Note that CRL lookup is only done with IPsec tunnels when the tunnel is initially established or when a rekey operation takes place for the tunnel.

CA Server Types

CA servers are of two types:

  • A commercial CA server operated by one of the commercial certificate issuing companies. These are accessible over the Internet and their FQDNs are resolvable through the Internet DNS server system.

  • A private CA server operated by the same organization setting up the VPN tunnels. The IP address of a private server will not be known to the public DNS system unless it is explicitly registered. It also will not be known to an internal network unless it is registered on an internal DNS server.

Access Considerations

The following considerations should be taken into account for CA server access to succeed:

  • Either side of a VPN tunnel may issue a validation request to a CA server.

  • For a certificate validation request to be issued, the FQDN of the certificate's CA server must first be resolved into an IP address. The following scenarios are possible:

    1. The CA server is a private server behind the Clavister firewall and the tunnels are set up over the Internet but to clients that will not try to validate the certificate sent by cOS Core.

      In this case, the IP address of the private server needs only be registered on a private DNS server so the FQDN can be resolved. This private DNS server will also have to be configured in cOS Core so it can be found when cOS Core issues a validation request. This will also be the procedure if the tunnels are being set up entirely internally without using the Internet.

    2. The CA server is a private server with tunnels set up over the Internet and with clients that will try to validate the certificate received from cOS Core. In this case, the following must be done:

      1. A private DNS server must be configured so that cOS Core can locate the private CA server to validate the certificates coming from clients.
      2. The external IP address of the Clavister firewall needs to be registered in the public DNS system so that the FQDN reference to the private CA server in certificates sent to clients can be resolved. For example, cOS Core may send a certificate to a client with an FQDN which is ca.example.com and this will need to be resolvable by the client to a public external IP address of the firewall through the public DNS system.

      The same steps should be followed if the other side of the tunnel is another firewall instead of being many clients.

    3. The CA server is a commercial server on the Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that cOS Core will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives.

  • It must be also possible for an HTTP PUT request to pass from the validation request source (either the firewall or a client) to the CA server and an HTTP reply to be received. If the request is going to pass through the firewall, the appropriate entries in the cOS Core IP rule set need to be defined to allow this traffic through.

    IP rule set entries are not required if it cOS Core itself that is issuing the request to the CA server. Actions taken by cOS Core are trusted by default. This is a general rule that also applies to DNS resolution requests issued by cOS Core.

The diagram below illustrates the placement of the various components involved in CA server access.

Certificate Validation Components

Figure 3.15. Certificate Validation Components

CA Server Access by Clients

In a VPN tunnel with roaming clients connecting to the Clavister firewall, the VPN client software may need to access the CA server. Not all VPN client software will need this access. In the Microsoft clients prior to Vista, CA server requests are not sent at all. With Microsoft Vista validation became the default with the option to disable it. Other non-Microsoft clients differ in the way they work but the majority will attempt to validate the certificate.

Placement of Private CA Servers

The easiest solution for placement of a private CA server is to have it on the unprotected side of the firewall. However, this is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the DMZ if available) and to have cOS Core control access to it.

As explained previously, the address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the Internet. If the certificate queries are coming only from the Clavister firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in cOS Core so that these requests can be resolved.

Turning Off validation

As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the requirement to validate certificates. Attempts to access CA servers by cOS Core can be disabled with the Disable CRLs option for certificate objects. This means that checking against the CA server's revocation list will be turned off and access to the server will not be attempted.

3.9.5. Generating Certificates

cOS Core provides the ability to generate new Certificate objects with the associated key files within the firewall, without uploading files from an external source. The certificates generated can be any of the following types:

  • CA Root Certificates

    This is a CA root certificate with public and private key files that can be used to sign other certificates generated by cOS Core.

    The default certificate key size is 384 bits and the default validity time is 5475 days.

    Using cOS Core generated CA certificates, where the firewall itself acts as the CA, is discussed further in an article in the Clavister Knowledge Base at the following link:

    https://kb.clavister.com/343410633

  • Intermediate CA Signed Certificates

    This type of certificate must have its Issuer Certificate set to a CA signed certificate that may be also generated by cOS Core (so the private key is available). It can then be used to sign end-entity certificates.

    The default key size is 384 bits and the default validity time is 3650 days.

  • Self-signed Certificates

    These are standard self-signed certificates that do not require signing by a CA certificate.

    The default key size is 192 bits and the default validity time is 365 days.

  • End-Entity Certificates

    These are host certificates that can be used for multiple purposes and that are signed by a CA certificate or intermediate certificate.

    The default key size is 192 bits and the default validity time is 365 days.

Each of the above types uses a default signature algorithm of SHA-256 and an elliptic curve (EC) key type but these can be changed if required at the time of creation.

The IKE Authentication Option for End-entity and Self-signed Certificates

The end-entity and self-signed certificate types include an option called IKE Authentication which is disabled by default. This option should be enabled if a certificate is to be used as an end-entity certificate with IPsec tunnels. Enabling it will enable the relevant usage flags in the certificate that are required by IKE.

The CA Certificate Path Length

The Path Length Constraint can be set to determine the longest allowable certificate chain to an end-entity certificate. The values can be one of the following:

  • The default value of zero means that there can be no intermediate certificate between the CA root certificate and an end-user certificate.

  • A value of one means that there can be at most one intermediate certificate in the chain between the CA certificate and an end-user certificate.

  • Any value greater than one means that there can be at most that number of intermediate certificates in the chain between the CA certificate and an end-user certificate.

Notes About Certificate Generation

The following points should be noted about certificate generation in cOS Core:

  • The certificate generation function is available in the Web Interface only. It is not available in the CLI.

  • The certificate files generated can be downloaded from the firewall through the Web Interface by pressing the download button in the object properties page for a certificate. Alternatively, certificate files can be downloaded using SCP from the certificate folder in cOS Core. SCP downloading examples can be found in Section 2.1.8, Using SCP.

  • No CRL (revocation list) feature is available, although the CRL checks property for all generated certificates will always be set to a value of Enforced.

  • Once a certificate is generated, the generation parameters cannot be changed. Instead, a new certificate must be created.

  • Certificate generation can require significant processing resources, particularly with larger key sizes. The feature should therefore be used with caution when generation is done at the same time that live traffic is flowing.

    Note that the Clavister InControl product can be used to create self-signed certificates without requiring firewall resources.

  • firewall generated certificates, where the firewall acts as the CA server, can be used with IPsec roaming clients. Using them with the Windows VPN client is discussed in a Clavister Knowledge Base article at the following link:

    https://kb.clavister.com/324736172

Example 3.55. Creating a CA Certificate

This example will create a new Certificate object called my_ca_cert which will be a CA root certificate with its associated public key and private key files.

The allowable path length will be set to a value of 1, meaning that a maximum of one intermediate certificate can be used between the CA certificate and an end-entity certificate in a certificate chain.

Web Interface

  1. Go to: Objects > Key Ring > Add > Certificate
  2. For Name enter: my_ca_cert
  3. Under Generate Certificate press Configure
  4. In the Certificate Generator dialog that appears enter:
    • Certificate Type: CA
    • SubjectName: CN=myname, OU=mydept, O=mycompany
    • Path Length Constraint: 1
  5. Click Generate to close the dialog and generate the key data files
  6. Click OK

3.9.6. ACME

ACME Protocol for Certificate Management

The Automatic Certificate Management Environment (ACME) protocol in cOS Core makes it easier to issue, renew and maintain certificates helping to manage the public key infrastructure. ACME allows secure, automatic communication between the client and the certificate authority servers, keeping services trusted without needing manual handling. This section will show you how to set up an ACME account in cOS Core and explain how to automate certificate management.

Clavister ACME Overview

The firewall ACME client follows the ACME protocol as defined in RFC-8555 and currently supports interaction with the Let's Encrypt™ and BuyPass™ certificate authority (CA) servers as well as the option to manually specify a URL to an ACME compliant server.

In order to use the client and be able to order certificates from the CA server, an account is required. The account details are entered in cOS Core, which then creates the account in the CA server. The account is used to identify the client to the CA server, and to help maintain the certificates. When creating the account, the user can also create new orders for certificates or leave them for a later stage.

The account and any certificate order created will be requested from the CA server after successful activation of the configuration changes. A certificate order consists of a certificate request, intended to be used for a specific host (host.example.com ) or hosts (host.example.com, host_alias.example.com, etc). During the order request process, the CA server (or a server under the control of the CA) will issue one or more HTTP challenges to verify the existence of the domain. The ACME Client will need to intercept and respond to these challenges.

ACME Flow

Figure 3.16. ACME Flow

In order to intercept the challenge, the simplified (automatic handling) option is used by default. The alternative option is to set up a reverse proxy policy controlling the HTTP protocol on port 80. For more details see the challenge settings .

After all challenges have been accepted by the CA, the ACME client will download the certificate chain and add its elements as individual key ring objects (this will cause a reconfiguration event to trigger).

The leaf (also known as end-entity) certificate in the chain is identified by the name given to the certificate, and the intermediate nodes are identified by the given name followed by "_C#" where the "#" is the certificate order in the chain counting from the leaf (ex: WebServer_C1).

After the certificate ordering process is completed, a timer is started. When triggered, this timer will go through the existing list of certificates for the account and check if any need to be renewed. Providers of certificates using the ACME protocol provide certificates with short validity, normally around 3 to 6 months, hence regular renewals are required. The renewal process is automatically attempted 30 days prior to end of validity. This 30 days prior to end of validity is used to prevent any downtime scenario that could cause issues with an expiring certificate.

[Warning] Warning: Using manual restart in CLI

If the CLI command "ACME -restart" is executed, it would trigger an immediate request of all certificates regardless of the configured Renewal Time Range.

[Note] Note: Changing certificate properties will trigger certificate requests

If changes are made in the configuration to a certificate property in the ACME client, it will trigger an immediate request of all certificates similar to when "ACME -restart" is executed in the CLI regardless of the configured Renewal Time Range.

The simplified challenge option

When selecting the challenge method to use, the default selection is the simplified option. But what does it do?

The simplified option listens on all interfaces and networks and automatically handles the incoming ACME challenge response from the ACME server without the need to create any additional IP policy. It is similar to e.g. "IPsecBeforeRules" where IPsec related traffic is automatically picked up by cOS Core without the need for an IP Policy to allow it.

  • In order for cOS Core to automatically pick up the challenge response from the ACME server, the following must be true:

    • The protocol must be HTTP
    • The port must be 80
    • The challenge must contain a token that the ACME client has an ongoing renewal for.

    If the above is not true, the automatic rule will not trigger and the incoming HTTP packet will be forwarded to e.g. the IP ruleset for further processing. And if no match is found, the packet will be dropped.

  • Summary

    • Use simplified for an automatic handling of the ACME certificate download and renewal processes.

    • Use Reverse proxy if the client for the certificate is another server behind the firewall that you have an existing reverse proxy rule for or if you want more control over the source interface and network that the ACME challenge is expected to arrive on.

[Note] Note: Existing Reverse Proxy Policy

Any existing reverse proxy policy can be used, if it includes protocol HTTP and port 80.

[Warning] Warning: Sharing port 80

Since the ACME server always uses HTTP port 80 for it's challenges, cOS Core needs to setup a listening socket in order to intercept the challenge and respond to it. Therefore ACME will fail to respond if the socket is already in use by something else, such as:

  • The default Remote Management setting for HTTP port 80 (even if no HTTP management rule is configured).
  • A User Authentication rule that listens on HTTP port 80.

ACME Accounts

An ACME account is used to handle the automatic renewal and management of certificates via the ACME protocol. This account contains various settings required for the ACME protocol to work properly.

General Options

The following options can be configured for an ACME accounts entity:

Account Name

A symbolic name for the account name. Used as entity identifier but also used as a reference in log messages.

Server Settings

A selection if you want to use the standard Let's Encrypt™, BuyPass™ URL or if a manual/custom URL should be used to perform the certificate request.

Account Key Type

Keytype used to authenticate the client with the ACME server (e.g. ECC 256 or RSA 2048).

Email

ACME Account Contact Information.

Accept Terms Of Service

Automatically accepts the terms of service sent by the server. This option may be mandatory for some certificate providers.

Challenge Settings

A selection if you want to use the Simplified or Reverse Proxy. The Simplified option automatically handles the challenge from the ACME server without the need for a Reverse Proxy Policy. If Reverse Proxy is selected, a Reverse Proxy Policy needs to be created. For more information about Reverse Proxy configuration see Section 3.6.12, Reverse Proxy and in the configuration example further down.

Certificate Renewal Time Range

A selection of start and end hours when certificate renewal operations is allowed to be performed.

Certificate Management Options

The following options can be configured for an automated request certificate:

Domains to register

A list of domains that the certificate needs to authenticate.

Certificate Key Type

Key type for the certificate (e.g. Elliptic Curve).

Country, State, City, Organization, Department and Email

These are all additional parameters that can be inserted in the automatic certificate request query.

Example 3.56. Setting up certificate auto-renewal using ACME

In this example, an ACME account will be configured in order for cOS Core to perform automatic certificate renewals.

The example will be performed using a standard configuration with LetsEncrypt™ as the selected provider. Many options are not mandatory and the example will be kept at a base functionality level. If not specified, the default option or action is selected.

Command-Line Interface

A. ACME Account Creation:

Device:/> add ACMEAccount LetsEncrypt
			  Email=example@example.com
			  AcceptTerms=yes

A-1. Add ACME Certificate Management:

Device:/> cc ACMEAccount LetsEncrypt
Device:/> add ACMECertMgmt Cert_ACME
			   Domains=domain5.example.com

The above will create an ACME account which will order certificates related to the domain5.example.com domain automatically. The ordered certificates will also be renewed later, when required. Alternative domain names can be added if desired.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. ACME Account Creation:

  1. Go to: Network > Network Services > Miscellaneous > ACME Accounts > Add > ACME Account
  2. Now enter:
    • Name: LetsEncrypt
    • Email: example@example.com
  3. Enable the checkbox for Accept terms of service
  4. Click the Certificate Management tab
  5. Click Add > ACME Certificate Management
  6. Now enter:
    • Name: Cert_ACME
    • Domains to register: domain5.example.com
  7. Click OK

Example 3.57. Setting up certificate auto-renewal using ACME and Reverse Proxy

In this example, an ACME account and a Reverse Proxy IP Policy will be configured in order for cOS Core to perform automatic certificate renewals.

The example will be performed in two parts, the first part consists of ACME account creation and in the second part the Reverse Proxy IP policy is created. Many options are not mandatory and the example will be kept at a base functionality level. If not specified, the default option or action is selected.

Command-Line Interface

A. ACME Account Creation:

Device:/> add ACMEAccount LetsEncrypt
			  Email=example@example.com
			  AcceptTerms=yes
			  ChallengeType=ReverseProxy

A-1. Add ACME Certificate Management:

Device:/> cc ACMEAccount LetsEncrypt
Device:/> add ACMECertMgmt Cert_ACME
			   Domains=domain5.example.com

The above will create an ACME account which will order certificates related to the domain5.example.com domain automatically. The ordered certificates will also be renewed later, when required. Alternative domain names can be added if desired.

B. Reverse Proxy IP Policy Creation:

Device:/> add ReverseProxyPolicy Name=MyLetsEncrypt_Proxy
				 SourceInterface=wan
				 SourceNetwork=all-nets
				 DestinationInterface=core
				 DestinationNetwork=wan_ip
				 Service=http
				 EnableACME=Yes

The above will create a Reverse Proxy IP Policy that is needed to intercept the challenge from the ACME server. In order to intercept the challenge cOS Core needs to listen on port 80 for incoming http requests. If http is used by something else such as a web server or other, a mapping in the Reverse Proxy IP Policy needs to be added.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. ACME Account Creation:

  1. Go to: Network > Network Services > Miscellaneous > ACME Accounts > Add > ACME Account
  2. Now enter:
    • Name: LetsEncrypt
    • Email: example@example.com
  3. Enable the checkbox for Accept terms of service
  4. Under Challenge Settings, select Reverse Proxy
  5. Click the Certificate Management tab
  6. Click Add > ACME Certificate Management
  7. Now enter:
    • Name: Cert_ACME
    • Domains to register: domain5.example.com
  8. Click OK

B. Reverse Proxy IP Policy Creation:

  1. Go to: Policies > Main IP Rules > Add > Reverse Proxy Policy
  2. Now enter:
    • Name: MyLetsEncrypt_Proxy
    • Source Interface: wan
    • Source Network: all-nets
    • Destination Interface: core
    • Destination Network: wan_ip
    • Service: http
  3. Enable the checkbox for Intercept ACME Challenge
  4. Click OK

The above will create a Reverse Proxy IP Policy that is needed to intercept the challenge from the ACME server. In order to intercept the challenge cOS Core needs to listen on port 80 for incoming http requests. If http is used by something else such as a web server or other, a mapping in the Reverse Proxy IP Policy needs to be added.