Versa Networks

Configure Certificate-Based Device Authentication for Secure Access

For supported software information, see Supported Software Information below.

Certificate-based SASE client device authentication uses digital certificates to authenticate users and devices or systems attempting to connect to the gateway. Certificate-based device authentication can be used in addition to other user authentication methods such as SAML or LDAP. You can install a client certificate for a device and use it to authenticate any user of the device. 

Certificate-based device authentication provides the following benefits:

  • Reduced password dependence—Reduces reliance on traditional passwords or tokens such as SSO.
  • Enhanced security—Utilizes public key infrastructure (PKI) for secure and scalable authentication.
  • User experience—Offers a seamless experience because users do not have to repeat password logins.
  • Mutual authentication—Ensures that the client and server authenticate each other to strengthen overall security.
  • Reduced risks—Minimizes password theft, phishing, and brute force attacks.

This article describes the configuration to authenticate approved endpoint devices using device certificates in authentication profiles.

Configure Certificate-Based Device Authentication

Certificate-based device authentication focuses on devices, which is ideal for environments where device trust is critical. It ensures that user connections come from approved or trusted corporate devices and prevents connections from unauthorized devices. Unlike certificate-based user authentication, certificate-based device authentication does not verify usernames; any user of the device can connect once device certificate authentication succeeds.

Integrating mobile device management (MDM) or Active Directory (AD) enables automatic certificate provisioning and automatic installation of connection settings. MDM or AD apply certificate profiles that mark certificate private keys as non-exportable by default, which is useful for BYOD users. MDM or AD can also verify certificate validity and detect leaked certificates. For more information, see Configure SASE Unified Endpoint Management for Microsoft Intune, Configure SASE Unified Endpoint Management for Ivanti Neurons, and Configure User and Device Authentication.

To activate certificate-based device authentication, you do the following:

  • Generate the root certificate authority (CA) key and certificate, and the device certificate.
  • Upload the root CA to the gateways from Concerto and verify that it is reflected on the associated devices.
  • Configure a device certificate authentication profile by associating the profile with the root CA.

Generate the CA Key, CA Certificate, and Device Certificate

This section describes how to generate a root CA key, CA certificate, and device certificate using OpenSSL on any Linux system. You can create a certificate, get it signed by a CA, and then use it on a Concerto node.

You can skip the following steps if you have already generated the CA key, CA certificate, and device certificates, or if you use other methods to generate certificates. 

To generate a root CA key and certificate:

  1. Generate the root CA key:
    openssl genrsa -aes256 -out root-ca.key 4096
    
  2. Generate the CA certificate using the root CA key:
    openssl req -new -x509 -sha256 -days 3650 -key root-ca.key -out root-ca-cert.pem
    
  3. To inspect and display the contents of a certificate file (in PEM format):
    openssl x509 -noout -text -in root-ca-cert.pem

To generate a device client certificate:

  1. Generate the private key for the device certificate:
    openssl genrsa -aes256 -out user-cert-name.key 4096
  2. Generate a certificate signing request (CSR) from that key, using the configuration file shown below (use -key rather than -newkey so that the key from step 1 is not overwritten):
    openssl req -new -key user-cert-name.key -out user-cert-name.csr -config user-cert-name.conf
  3. Sign the CSR with the root CA to issue the device certificate:
    openssl x509 -req -in user-cert-name.csr -CA root-ca-cert.pem -CAkey root-ca.key -out user-cert-name.crt -CAcreateserial -days 2865 -sha256 -extfile user-cert-name.conf -extensions usr_cert
  4. Convert the .crt file to a password-protected .pfx file that bundles the device certificate with its private key:
    openssl pkcs12 -inkey user-cert-name.key -in user-cert-name.crt -export -out user-cert-name.pfx -passin pass:lab123 -passout pass:lab123

The following is a sample configuration file for a device certificate. You can use any common name (CN), unlike in a user certificate.

[admin@SASE-GW2-Concerto: device-cert2] $ cat user1-cert.conf
[ req ]
#authorityKeyIdentifier = keyid,issuer:always
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = usr_cert
prompt = no
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = TN
localityName = Chennai
organizationName = Versa Networks
commonName = user1-cert
[ v3_req ]
extendedKeyUsage = clientAuth, emailProtection
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
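The complete procedure above (root CA, device key, CSR, signed device certificate, .pfx export) as one added end-to-end script. This is an added example, not Versa's own tooling or the article's commands verbatim: it assumes an openssl binary (1.1.1 or 3.x) in PATH, and every file name, DN value and the passphrase "lab123" is a constructed sample. It goes beyond the steps in the text by also performing the checks a gateway makes before trusting a device: that the certificate chains to the uploaded root CA, that it is valid for the TLS client purpose, and what the "Subject common-name" identifying field resolves to; a self-signed certificate with the same extensions is shown being rejected.

```shell
#!/bin/sh
# Added example (not Versa's code): lab root CA + device client certificate
# with OpenSSL, then the gateway-side checks. All names and the passphrase
# "lab123" are constructed sample values; openssl must be in PATH.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="pass:lab123"          # sample passphrase for both private keys
CA_CERT="$WORKDIR/root-ca-cert.pem"
CA_KEY="$WORKDIR/root-ca.key"

# Root CA config: CA:TRUE and keyCertSign only, so the root cannot be
# mistaken for a client certificate.
write_ca_conf() {
    cat > "$WORKDIR/ca.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
countryName = IN
organizationName = Versa Networks
commonName = Lab Root CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Device certificate config: the article's usr_cert shape with an explicit
# [ req ] section and the EKU narrowed to clientAuth.
write_device_conf() {
    cat > "$WORKDIR/device.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = usr_cert
prompt = no
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = TN
localityName = Chennai
organizationName = Versa Networks
commonName = device1-cert
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

make_root_ca() {
    openssl genrsa -aes256 -passout "$PASS" -out "$CA_KEY" 4096 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$CA_KEY" -passin "$PASS" \
        -config "$WORKDIR/ca.conf" -out "$CA_CERT"
}

make_device_cert() {
    openssl genrsa -aes256 -passout "$PASS" -out "$WORKDIR/device.key" 2048 2>/dev/null
    # CSR from the existing key (-key, not -newkey, which would replace it)
    openssl req -new -key "$WORKDIR/device.key" -passin "$PASS" \
        -config "$WORKDIR/device.conf" -out "$WORKDIR/device.csr"
    # Issue the device certificate under the root with the usr_cert extensions
    openssl x509 -req -in "$WORKDIR/device.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -passin "$PASS" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORKDIR/device.conf" -extensions usr_cert \
        -out "$WORKDIR/device.crt" 2>/dev/null
    # Bundle certificate and key into the .pfx that the client device imports
    openssl pkcs12 -export -inkey "$WORKDIR/device.key" -passin "$PASS" \
        -in "$WORKDIR/device.crt" -out "$WORKDIR/device.pfx" -passout "$PASS"
}

# Value the profile's "Subject common-name" identifying field resolves to.
device_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORKDIR/device.crt" |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Gateway-side check: chains to the uploaded root and is valid as a TLS client.
verify_device_cert() {
    openssl verify -CAfile "$CA_CERT" -purpose sslclient "$WORKDIR/device.crt" >/dev/null 2>&1
}

# A certificate not issued by the uploaded CA (here self-signed with the same
# key and extensions) must fail; returns 0 when verification rejects it.
verify_rogue_cert_rejected() {
    openssl req -new -x509 -sha256 -days 30 -key "$WORKDIR/device.key" -passin "$PASS" \
        -config "$WORKDIR/device.conf" -extensions usr_cert -out "$WORKDIR/rogue.crt"
    ! openssl verify -CAfile "$CA_CERT" -purpose sslclient "$WORKDIR/rogue.crt" >/dev/null 2>&1
}

main() {
    write_ca_conf
    write_device_conf
    make_root_ca
    make_device_cert
    echo "files in $WORKDIR; device CN mapped to username: $(device_cn)"
    verify_device_cert && echo "device.crt chains to root CA with clientAuth purpose"
    verify_rogue_cert_rejected && echo "self-signed device certificate rejected, as expected"
}
main
```

Run it with `sh` and it leaves root-ca-cert.pem (the file to upload under Configure > Settings > Certificates) and device.pfx (the file to import on the client) in WORKDIR; set WORKDIR to keep them in a known location, and delete the directory when done because it holds private keys. Two deliberate differences from the article's sample: the CSR is built from the key generated in the previous step instead of a fresh `-newkey`, and the EKU is clientAuth only, since emailProtection is not needed for gateway authentication.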

Upload Root CA Certificate

To upload the root CA certificate for a tenant:

  1. Go to Configure > Settings > Certificates.
  2. The Certificates screen displays all currently available certificates. For more information, see Configure SASE Certificates.

  3. Click + Add to add certificates. The Add CA Certificate popup window displays.

  4. Select CA Chain, and then enter a name for the certificate in the CA-Chain Name field.
  5. Click Upload File to upload the CA certificate file.
  6. Click Add. 

Configure Device Authentication Profiles

When you configure a device certificate authentication profile, you associate the profile with the CA chain that you uploaded in Upload Root CA Certificate, above.

To configure a device certificate authentication profile:

  1. Go to Configure > Security Service Edge > User and Device Authentication > Profiles. The User and Device Authentication Profiles screen displays.

  2. To create a new profile, click + Add.

  3. Select Device Certificate Based, and then click Get Started. The Add Device Certificate Authentication Profile screen displays.

  4. Select step 1, Settings.
  5. In the Client CA Chain field, select the root CA certificate you uploaded in Upload Root CA Certificate.
  6. In the Username Identifying Field in Certificate field, select Subject common-name.
  7. Click Next to go to step 2, Authentication Order.

  8. Click the Device Authentication Enabled toggle to enable device authentication.
  9. For "Select which profile would you like to authentication first?", select Device Authentication to use this device authentication profile first for authentication. For more information, see Configure User and Device Authentication Profiles.
  10. Click Next to go to step 3, Review & Submit.
  11. Click Save to create the authentication profile.

Install the Device Certificate on the Client Device 

To install the .pfx file that you generated in Generate the CA Key, CA Certificate, and Device Certificate on the device that runs the SASE client (the steps below use the Microsoft Management Console on Windows):

  1. In the Run command, type MMC to open the Microsoft Management Console.
  2. In the Console screen, select File > Add/Remove Snap-in.

  3. In the Add or Remove Snap-ins window, click Certificates and then Add.

  4. In the Certificates snap-in window, select Computer account, and then click Next.
  5. In the Select Computer window, select Local Computer, and then click Finish. The following screen displays with Certificates (Local Computer) under Console Root.

  6. To import and install the .pfx certificate file:
    1. Go to Console Root\Certificates (Local Computer)\Personal\Certificates.
    2. Right-click in the right pane of the window and select All Tasks > Import.
  7. To ensure that a user has access to private keys assigned at the device level, click on the device certificate and select More Actions > All Tasks > Manage Private Keys.

  8. Assign permissions for the user, as needed. 
  9. Click OK.

Authenticate Users on SASE Client

When a user connects to the SASE client gateway, if certificate-based device authentication is the first method in the authentication order, the following window displays:


If the certificate authentication is successful, users proceed to the corresponding SAML or SSO authentication.

Verification on the Gateways

Supported Software Information

Releases 12.1.1 and later support all content described in this article.
