Upload Custom CA Certificate, Key File, and CA Chain
For supported software information, click here.
A certificate authority (CA) is a trusted third-party organization that issues electronic documents, called digital certificates. A CA certificate is a small data file issued by a CA that verifies a digital entity’s identity on the internet and indicates that the website is secured using an encrypted connection. CA certificates are an essential part of secure communication.
A CA chain is an ordered list of the CA certificates for all trustworthy intermediate and end devices in a communications chain.
A private key is required to access secured traffic using a certificate. To secure the traffic on a Versa Operating System™ (VOS™) device, you can use either a self-signed CA certificate or a trusted CA certificate.
Versa Networks provides a set of intermediate CA certificates that enable secure data transfer between web servers and the clients using secure socket layer (SSL) encryption.
If you have Versa Sovereign SASE, instead of using the default intermediate CA certificates provided by Versa, you can upload a custom CA certificate, key file, and CA chain to Concerto to generate your own default certificate signed by your custom CA. Concerto automatically uses this custom CA to generate default certificates for all the tenants in the system. Additionally, you can apply the custom CA to existing tenants to regenerate their default certificates.
After you apply a custom CA certificate to a new tenant or existing tenants, you must publish the changes to the gateway. For more information, see Publish SASE Gateways.
This article describes how to upload a custom CA certificate, private key file, and CA chain to Concerto. Note that only a service provider administrator can upload custom CA certificates.
Upload a Custom CA Certificate
To upload a custom CA certificate, private key file, and CA chain:
- Go to Settings > SSE.

- In the SSE Infrastructure Settings page, select the Certificate tab. By default, the Custom Certificates and Tenants options are disabled.

- In the Certificates pane, click the Custom Certificates toggle to set it to Enabled, and then enter information for the following fields.

  Field: Description
  - Custom Certificates: Click the toggle to enable or disable uploading a custom CA certificate.
  - Custom Intermediate CA Certificate & Key File: Click the Upload File icon to upload the custom CA certificate and key file. The file must be a ZIP file containing two files: a key file and a certificate file. The key file should have a .key extension, while the CA certificate file can be in .crt, .cer, or .pem format. The file name must begin with a letter and can only contain letters, numbers, and the following special characters:
    - underscore ( _ )
    - hyphen ( - )
    - period ( . )
  - Custom CA Chain: Click the Upload File icon to upload a custom CA chain file. The CA chain file can be in .crt, .cer, or .pem format.
- Click Save.
- In the Tenants pane, click the toggle to set it to Enabled. This displays the list of existing tenants.
- Select the tenants to which you want to apply the custom CA certificate. Note that after a custom CA certificate is applied to an existing tenant, the tenant name is grayed out.

- Click Save.
- Publish the changes to the gateway. See Publish SASE Gateways.
- To view the newly generated CA certificates:
  - Go to the Tenants home screen and select the tenant.
  - Go to Configure > Security Service Edge > Settings > Certificates.
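A pre-upload check for the ZIP layout described in the Custom Intermediate CA Certificate & Key File field above. This is an added example, not Versa code: the function names are hypothetical, and it assumes that the naming rule applies to the archive and to both files inside it, that the files sit at the archive root, and that extensions are matched exactly as written.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Naming rule from the field description: begins with a letter, then only
# letters, numbers, underscore, hyphen, and period.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")
CERT_EXTS = {".crt", ".cer", ".pem"}


def check_bundle(zip_name, zip_bytes):
    """Return a list of problems; an empty list means the layout matches."""
    problems = []
    if not NAME_RE.fullmatch(zip_name):
        problems.append(f"bad archive name: {zip_name!r}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return problems + ["not a readable ZIP archive"]
    with zf:
        files = [i.filename for i in zf.infolist() if not i.is_dir()]
    if len(files) != 2:
        problems.append(f"expected 2 files, found {len(files)}")
    for name in files:
        # Assumption: both files sit at the archive root and follow the
        # same naming rule as the archive itself.
        if "/" in name or not NAME_RE.fullmatch(name):
            problems.append(f"bad member name: {name!r}")
    exts = [PurePosixPath(n).suffix for n in files]
    if exts.count(".key") != 1:
        problems.append("expected exactly one .key file")
    if sum(e in CERT_EXTS for e in exts) != 1:
        problems.append("expected exactly one .crt, .cer or .pem file")
    return problems


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_zip({"ca/1st.key": b"x", "notes.txt": b"x"})
    print(check_bundle("2024 bundle.zip", sample))
```

The check covers only the archive layout and naming; it does not verify that the key matches the certificate or that the chain is valid.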

Disable Custom CA Certificates
If you are using a custom CA certificate and want to revert to the Versa default intermediate CA certificate, you must disable the Custom Certificates option. Tenants that you create after you disable custom certificates will use the Versa default intermediate CA certificate. Existing tenants retain the certificate that was in use.
If you need to replace the custom CA certificate with a new certificate, the existing tenants that use the old custom CA certificate continue to use the same certificate. To apply a new custom CA certificate to existing tenants, you must select the tenants to use the new custom CA certificate, then save and publish the configuration changes to the gateway. To upload a custom certificate, see Upload a Custom CA Certificate, above.
To disable a custom CA certificate:
- Go to Settings > SSE.

- In the SSE Infrastructure Settings page, select the Certificate tab.
- In the Certificates pane, click the Custom Certificates toggle to set it to Disabled.

- Click Save.
Supported Software Information
Releases 12.2.2 and later support all content described in this article.
