Skip to main content
Versa Networks

Configure Certificate-Based Authentication for SASE Clients

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.png For supported software information, click here.

Certificate-based authentication is a secure method to validate the identity of users and devices. Versa SASE supports user-based and device-based certificate authentication. When you enable certificate-based authentication, the gateway initiates a request to the SASE client for users to provide their certificates during client portal registration and gateway connection. This article describes how to configure certificate-based user authentication and device authentication for the SASE client.

Before You Begin

Before you configure certificate-based authentication for the SASE client:

  • Generate the root certificate authority (CA) key and CA certificate.
  • Create the client certificate file.
  • Generate the key and CSR for the client.
  • Generate the client certificate signed by a CA.
  • Convert the .crt file to a Personal Information Exchange (.pfx) file for the client certificate.
  • Import the client certificate to the client device.
  • Upload the root CA chain certificate to the device (this CA certificate validates the SASE client certificate).

Generate the CA Key, CA Certificate, and Client Certificate

This section describes how to generate a CA key, CA certificate, and SASE client certificate using OpenSSL on any Linux system. You can create a certificate, get it signed by a CA, and then use it on a Director node. For more information, see Create and Manage Certificates.

You can skip the following steps if you have already generated CA and SASE client certificates or if you use other methods to generate certificates.

To generate a CA key, CA certificate, and SASE client certificate:

  1. Generate the root CA key: 
    openssl genrsa -aes256 -out root-ca.key 4096
  2. Generate the CA certificate using the root CA key: 
    openssl req -new -x509 -sha256 -days 3650 -key root-ca.key -out root-ca-cert.pem
  3. Create the cert.conf file with the following values. In the sample configuration here, commonName is alice-cert, which is same as the user name: 
    cat cert.conf

#authorityKeyIdentifier = keyid,issuer:always
distinguished_name = req_distinguished_name
req_extensions      = v3_req
x509_extensions = usr_cert

prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = VA
localityName = Reston
organizationName = Versa Networks
commonName = alice-cert

[ v3_req ]
extendedKeyUsage = clientAuth, emailProtection
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ usr_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
  4. Generate a certificate signing request (CSR) for the client certificate: 
    openssl req -out Client.csr -newkey rsa:2048 -nodes -keyout Client-Cert.key -config cert.conf -extensions 'v3_req'
  5. Generate the client certificate signed by the CA: 
    openssl x509 -req -in Client.csr -CA root-ca-cert.pem -CAkey root-ca.key -out Client-Cert.crt -CAcreateserial -days 730 -sha256 -extfile cert.conf -extensions 'usr_cert'
  6. Convert the .crt file to a .pfx file. Here, we use the name AliceClient-Cert.pfx: 
    openssl pkcs12 -inkey Client-Cert.key -in Client-Cert.crt -export -out AliceClient-Cert.pfx -passin pass:password123 -passout pass:password123

Import the Client Certificate to a Windows OS Client Device

To import the client certificate that you created in Generate the CA Key, CA Certificate, and Client Certificate, above, to a client device that is running Windows OS:

  1. Navigate to where you saved the client certificate, and then double-click it. The Certificate Import Wizard displays.

    certificate-import-wizard-welcome.png
  2. For certificate-based user authentication, select Current User, or for device authentication, select Local Machine. Here, we select Current User.
  3. Click Next.
  4. In the File to Import window, click the Browse button, and then select the client certificate file.

    certificate-import-wizard-file-to-imort.png
  5. Click Next. If the file is password-protected, the Private Key Protection screen displays.

    certificate-import-wizard-password.png
  6. In the password field, enter the name of the password file, and then click Next. The Certificate Store window displays.

    certificate-store.png
  7. Select Place all Certificates in the Following Store option, and then click Browse. The Select Certificate Store popup window displays.

    certificate-import-wizard-select-certificate-store.png
  8. Select Personal, and then click OK.
  9. Click Next. The Completing the Certificate Import Wizard window displays.

    import-wizard-finish.png

  10. Click Finish to import the certificate. The certificate displays under Personal > Certificates.

    client-cert-imported.png

Import the Client Certificate to an iOS Client Device

Before you import the client certificate that you created in Generate the CA Key, CA Certificate, and Client Certificate, above, on an iOS device, you must download it from your email or from the appropriate server.

To import the client certificate to a client device that is running iOS:

  1. To view the downloaded client certificate on your device, go to Settings > Profile Downloaded.

    1-settings-profile-downloaded.png
  2. To install the certificate on your device, click Profile Downloaded. The Install Profile window displays the client certificate.

    2-install-option.png
  3. Click Install. The following message displays.

    3-install-warning-message.png
  4. Click Install. The installed certificate displays.

    4-installed-certificate.png
  5. Click Done.

After you import the client certificate, you must trust the certificate so that the registration does not fail. To trust the certificate:

  1. Click General > About > Certificate Trust Settings. The Certificate Trust Settings window displays.

    5-trust-certificate.png
  2. In the Enable Full Trust for Root Certificates field, click the toggle for the Versa SASE client certificate, and then click Continue.

To view the client certificate from the SASE client, select Troubleshoot > CA Certificates.

6-client-ca-certificate-display.png

For information about importing the client certificate on a MacOS device, see Import the CA Certificate.

Upload the CA Certificate to the Device

To upload the root CA certificate to the device:

  1. In the Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Devices > Devices in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a Controller or Versa Operating SystemTM (VOSTM) device in the dashboard. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects & Connectors > Objects > Custom Objects > CA Chains in the left menu bar.

    ca-chains-director-tab.png
  4. Select the Director tab, and then click Upload File to upload the .crt file. The Upload CA Chain to Director popup window displays.

    upload-ca-chain-to-director.png
  5. In the Chain Name field, enter a name for the chain.
  6. In the Chain Filename field, enter the name of the chain file to upload, or click Browse to select the file to upload to the Director node.
  7. Click OK to upload the file.
  8. Select the Appliance tab.

    ca-chains-appliance-tab.png
  9. Click Upload File. The Upload CA Chain File to Appliance popup window displays.

    upload-ca-chain-file-to-appliance.png
  10. In the name field, select the name of the CA chain file (here, rootca-cert.pem) to upload to the VOS device.
  11. Click OK to upload the file to the VOS device. The CA chain file displays on the Appliance tab.

    ca-chains-rootca-cert-example.png

Configure Certificate-Based User Authentication

To configure certificate-based user authentication, you do the following:

  • Configure a certificate authentication profile.
  • Configure an authentication method for the certificate authentication profile.
  • Associate the authentication method with the authentication profile.
  • Associate the authentication profile with a secure access portal and secure access gateway.
  • Modify the organization limit to add the certificate service host name under domain names.

Configure a Certificate Authentication Profile

You configure a certificate authentication profile and use it in an authentication profile.

To configure a certificate authentication profile:

  1. In Director view:
    a. Select the Administration tab in the top menu bar.
    b. Select Appliances in the left menu bar.
    c. Select a device name in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Object and Connectors > Connectors > Users/Groups > Certificate Authentication Profile in the left menu bar.

    certificate-auth-profile-navigation.png
  4. Click Add. In the Add/Edit Certificate Authentication Profile popup window, enter information for the following fields.

    edit-certificate-auth-profile.png
     
    Field Description
    Name (Required) Enter a name for the certificate authentication profile.
    Description Enter a description for the certificate authentication profile.
    Server Certificate (Required) Select the server certificate for certificate authentication.
    Server Hostname (Required) Enter a hostname to start certificate authentication service. Ensure that this fully qualified domain name (FQDN) is different from the FQDN of the SASE gateway.
    Server Port (Required)

    Enter the port number to start certificate authentication service. You can enter 443 or any other private port number.
    Client CA Chain (Required) Select the root CA chain that you uploaded in Upload the CA Certificate to the Device to authenticate the client certificate.
    Routing Instances (Required)

    Click theadd-icon-plus.PNGAdd icon and select the routing instance to reach the certificate authentication server.
    Server Addresses Enter the WAN-VR IP address to start certificate authentication service.
    Username Field

    Select the field that the VOS software uses to validate a name match in the client certificate:

    • Alternative-name Email
    • Subject Alternative-name Principal Name
    • Subject Common-nameSubject
  5. For more information about the other fields in the Add/Edit Certificate Authentication Profile popup window, see Configure a Certificate Authentication Profile in Configure User and Group Policy.
  6. Click OK.

Configure an Authentication Method for Certificate Authentication Profile

To configure an authentication method for the certificate authentication profile you configured in Configure a Certificate Authentication Profile, above:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Object and Connectors > Connectors > Users/Groups > Authentication Methods in the left menu bar.

    authentication-method-navigation.png
  4. Click Add. The Add Authentication Methods popup window displays.

    add-authentication-methods.png
  5. Enter a name for the authentication method.
  6. Under Authentication Method, select Certificate Authentication Profile in the Method field.
  7. In the Certificate Authentication Profile field, select the profile (here, Client-Cert-Auth-Profile) that you created in Configure a Certificate Authentication Profile, above.
  8. Click OK.

Associate the Authentication Method with the Authentication Profile

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects & Connectors > Connectors > Users/Groups > Authentication Profiles in the left menu bar.

    authentication-profiles-menu.png
  4. Click Add. The Add Authentication Profiles popup window displays.

    add-authentication-profile.png
  5. Enter a name for the authentication profile.
  6. In the Default Authentication Method field, click + and then select the authentication method (here, Client-Cert-Auth-Method) that you added in Associate the Certification Authentication Profile with the Authentication Method, above.
  7. For information about configuring other parameters, see Configure an Authentication Profile in Configure User and Group Policy.
  8. Click OK.

Associate the Authentication Profile with the Secure Access Portal

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Templates > Device Templates in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a template in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Secure Access > Portal > General in the left menu bar.

    secure-access-portal-general-navigation.png
  4. Click the edit-icon-black.png Edit icon. The Add Services popup window displays.

    vsa-portal-add-services-auth-profile.png
  5. In the Authentication field, select the certificate authentication profile (here, Client-Cert-Auth-Profile) that you added in Configure a Certificate Authentication Profile, above.
  6. For information about configuring other parameters, see Configure a Secure Access Gateway in Configure the Versa Secure Access Service.
  7. Click OK.

Associate the Authentication Profile with the Secure Access Gateway

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Templates > Device Templates in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a template in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Secure Access > Gateway > General in the left menu bar.

    secure-access-gateway-general-navigation.png
  4. Click the edit-icon-black.png Edit icon. The Add Services popup window displays.

    vsa-gateway-add-services-auth-profile.png
  5. In the Authentication field, select the certificate authentication profile (here, Client-Cert-Auth-Profile) that you added in Configure a Certificate Authentication Profile above.
  6. For information about configuring other parameters, see Configure a Secure Access Portal in Configure the Versa Secure Access Service.
  7. Click OK.

Modify the Organization Limit to Associate the Server Hostname with the Domain Name

To modify organization (tenant) limits:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
    4. Select an organization.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > Organization > Limits in the left menu bar. The main pane displays the organizations associated with the Controller node.

    organization-limits-navigation.png
  4. Select the General tab.

    edit-organization-limit-general-tab.png
  5. In the Domain Names field, click + and then select the host (here, ny-gw1.versa.local) that you added in the Server Hostname field in Configure a Certificate Authentication Profile, above.
  6. For information about configuring other parameters, see Configure Organization Limits.
  7. Click OK.

Configure Certificate-Based Device Authentication

To configure certificate-based device authentication, you do the following:

Associate Certificate Authentication Profile with Secure Access Portal

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Templates > Device Templates in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a template in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Secure Access > Portal > General in the left menu bar.

    secure-access-portal-general-navigation.png
  4. Click the edit-icon-black.png Edit icon. The Add Services popup window displays.

    vsa-portal-add-services-cert-auth-profile.png
  5. In the Device Authentication Profile field, select the certificate authentication profile (here, Client-Cert-Auth-Profile) that you added in Configure a Certificate Authentication Profile, above.
  6. In the Authentication Order field, select Device Authentication, and then click the add-icon-blue.png Add icon. The device option displays. Versa SASE supports multifactor authentication, so to authenticate users, also select User Authentication.
  7. For information about configuring other parameters, see Configure a Secure Access Gateway in Configure the Versa Secure Access Service.
  8. Click OK.

Associate the Certificate Authentication Profile with the Secure Access Gateway

  1. In Director view:
    1. Select the Configuration tab in the top menu bar.
    2. Select Templates > Device Templates in the horizontal menu bar.
    3. Select an organization in the left menu bar.
    4. Select a template in the main pane. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Secure Access > Gateway > General in the left menu bar.

    secure-access-gateway-general-navigation.png
  4. Click the edit-icon-black.png Edit icon. The Add Services popup window displays.

    vsa-gateway-add-services-cert-auth-profile.png
  5. In the Device Authentication Profile field, select the certificate authentication profile (here, Client-Cert-Auth-Profile) that you added in Configure a Certificate Authentication Profile, above.
  6. In the Authentication Order field, select Device Authentication, and then click the add-icon-blue.png Add icon. The device option displays. Versa SASE supports multifactor authentication, so to authenticate users, also select User Authentication.
  7. For information about configuring other parameters, see Configure a Secure Access Portal in Configure the Versa Secure Access Service.
  8. Click OK.

Verify SASE Client Registration and Gateway Connectivity

To verify certificate-based authentication after you configure certificate-based device and user authentication for the SASE client:

  1. Download the Versa SASE client. For more information, see Install and Configure Versa SASE Clients.
  2. Click Register in the Versa SASE Client home screen. The Register screen displays.

    sase-client-register.png
  3. Enter the gateway FQDN, tenant name, and username.
  4. If there are multiple certificates on the device, the SASE Security window displays all of them. Select the appropriate certificate (here, alice-cert), and then click OK. If there is only one certificate, the SASE client automatically selects that certificate, and the following window does not display.

    sase-security.png
  5. If authentication is successful, the following window displays.

    client-authentication-successful.png
  6. After you register the SASE client, select the gateway or group FQDN to log in. If certificate-based authentication is configured on the VOS SASE gateway, the Select a Certificate for Authentication popup window displays.

    select-certificate-for-authentication.png
  7. Select the certificate (here, alice-cert) that you want to use for the device or user authentication, and then click OK. The connection status window displays on successful connection.

    client-connection-status.png

Supported Software Information

Releases 22.1.1 and later support all content described in this article.