Versa Networks

Configure a Common Certificate Authority

For supported software information, see Supported Software Information at the end of this article.

On Versa Operating System (VOS) devices, you can create a global certificate authority (CA) configuration that is common to the device and not tied to any organization. You can reference this CA when you create provider or customer organizations and Controller nodes that use public key infrastructure (PKI) for CPE authentication. After you configure a common CA, you can configure the WAN and LAN interfaces that connect to the CA server in template workflows.

When you deploy a Controller node using a Controller workflow, the CA that you specify for the provider organization, and for any of its subordinate organizations, is pushed to the Controller node. For each organization and subordinate organization in a Controller workflow, you must also specify a certificate signing request (CSR), which is likewise pushed to the Controller node.

To configure a common CA:

  1. Select the Administration tab in the top menu bar.
  2. Select Connectors > Certificate Authority in the left menu bar.

  3. Click the + Add icon. The Certificate Authority popup window displays.

  4. Select the General tab, and enter information for the following fields.

    Field: Description
    Name (Required): Enter a name for the CA configuration.
    URL (Required): Enter the URL of the CA server's enrollment service. Requests to retrieve the CA certificate and to enroll a device certificate are sent to this URL.
    Retry Interval: Enter the interval, in seconds, at which an organization or a Controller node retries retrieving the certificate.
    Server Type: Select the enrollment protocol that the certificate authority (CA) server uses:
    • ACME: Select if the CA server uses the Automatic Certificate Management Environment protocol for enrollment.
    • CMP: Select if the CA server uses the Certificate Management Protocol for enrollment.
    • SCEP: Select if the CA server uses the Simple Certificate Enrollment Protocol for enrollment.
  5. Select the OCSP tab, and then enter information for the following fields.

    Field: Description
    OCSP Enabled: Click to enable Online Certificate Status Protocol (OCSP) checking of peer certificates.
    Responder URL: Enter the URL of the OCSP responder. The OCSP responder reports the revocation status of a certificate (good, revoked, or unknown).
    Hash Algorithm: Select the hash algorithm to use when building the certificate identifier in the OCSP request.
    Response Cache Period: Enter how long, in hours, to cache OCSP responses. A cached response is reused until it expires, so a certificate revoked in the meantime is still treated as good until the cache entry ages out; keep the period short where revocation must take effect quickly.
      Range: 0 through 168 hours
      Default: 0 (responses are not cached)
    Monitor Interval: Enter the interval, in minutes, at which to re-check the certificate status with the OCSP responder.
      Range: 0 through 1440 minutes
      Default: 0 (monitoring is disabled)
    Sign Request: Click to sign the OCSP requests that the VOS device sends, so that the OCSP responder can verify the requester's signature before answering.
    Verify Signature: Click to have the VOS device verify the signature on OCSP responses. Without this check, anyone who can answer on the responder URL can report a revoked certificate as good.
    Action on Response Unknown: Select the action to take on the IPsec tunnel when the OCSP responder returns a status of unknown:
    • Tunnel Down: Bring the IPsec tunnel down (fail closed).
    • Tunnel Up: Bring the IPsec tunnel up (fail open; the peer is accepted without a confirmed revocation status).
  6. Click OK.

Supported Software Information

Releases 22.1 and later support all content described in this article.