The Pulse Connect Secure Access gateway has a self-signed certificate, which is created during the serial console setup of the gateway. This self-signed certificate is capable of encrypting the traffic to and from the PCS; however, because it is self-signed, it may not be appropriate for production use of the PCS.
The reason is that another device could create a self-signed certificate under the same name, pretending to be the Pulse Connect Secure Access gateway. To correct this issue, you can use a Certificate Authority (CA): either a company certificate authority, such as Microsoft Certificate Services or OpenSSL, or a commercial certificate authority, such as VeriSign or Thawte. There are several more options than these, but they are the best known ones.
The decision on whether to use the PCS's self-signed, company-signed, or commercially signed certificate usually depends heavily on the users. If the users are fairly technical, then using the self-signed certificate from the PCS should not cause many issues.
If the users are not necessarily technical, but have the company CA in their trusted CA list, then a company-signed certificate is an economical and effective method to use. If you are in a situation where users' computers will not have the company CA in their trusted CA list, such as a kiosk, then a commercial certificate is recommended.
There is a special consideration to take into account. Whether you are using a commercial or company CA, if the CA generating the certificate is an intermediate CA (a CA which reports to a CA above it), you will need either to download the certificate chain (recommended) or to download the CA certificates for both the intermediate and root CAs.
The certificate can be created in two ways: by CSR (more secure, but the resulting certificate cannot be exported outside of the PCS) or by importing a certificate that contains both the public and private key (less secure, because the integrity of the CA and the storage of the private key on media other than the Pulse Connect Secure Access gateway have to be taken into consideration; however, this method is much more flexible, for example the certificate can be used on more than one device).
Creating a CSR
To create a CSR:
- Go to Configuration > Certificates > Device Certificates.
- At the bottom of this page, click New CSR and provide the requested information.
- Type the details of the certificate that you wish to generate from the IVE and then click Create CSR.
Note: Be sure about the key length of the certificate when you generate it, as most authorized CAs do not support 1024-bit certificates. In that case, select the 2048-bit option.
- The PCS now generates a request in base 64 format. The private key is stored inside the PCS. The certificate request contains a one-way hash of the key, so the private key is never exposed to the outside world. You will find the generated CSR under Certificate Signing Requests, listed as a Pending CSR.
- Copy this into a text file and submit it to your company or chosen commercial CA. The CA will provide you with the signed certificate (the public key).
Uploading the certificate
- If you used a commercial CA, place the returned certificate in a text file and then rename the file with a .cer extension. The .cer extension is intended for the base 64 format, which is the most common format in which CAs return certificates. Should a CA return the certificate in a format other than base 64, the PCS can handle the PKCS #7 (.p7b) and DER (.der) formats. PCS support for PKCS #10/12 is limited.
- Upload the certificate by using the field located at the bottom of the same page.
Note: It is recommended to save a copy of the system.cfg file as soon as you upload a certificate in this manner. To download system.cfg, go to Import/Export -> Import/Export Configuration and click Save Config As to save it.
Generating a certificate without a CSR
The other way to import certificates is to generate a certificate with the public and private key from a CA. Commercial CAs usually have an option on their web sites to do this. This can also be performed by using company CAs; Microsoft Certificate Services and OpenSSL are the most common.
On the PCS, go to Configuration > Certificates > Device Certificates and click Import Certificate & Key. There are two cases:
- The certificate file includes the private key.
- The certificate and the private key are separate files.
If the certificate file includes the private key, perform the following procedure:
- Most CAs provide the private and public key in the same file, unless requested otherwise. Select the appropriate import option and provide the pass-code, if you created the certificate with one.
- Browse and select the signed certificate with the .pfx file extension.
- Type the password for the .pfx file.
- Click Import as to specify where the certificate will be imported.
If the certificate and the private key are separate files, perform the following procedure:
- Download the private key from the Web/CA server that generated the CSR (the private key will be in .pem format and is password protected) and then import the private key together with the signed certificate (provided by the certificate authority, in .cer format) to the PCS.
- From Certificate File, browse and select your signed certificate.
- From Private Key File, browse and select your private key.
- In Password Key, type the password for the private key.
Importing the previous device certificate from the system configuration backup:
- Import it from Maintenance > Import/Export > Configuration (System Configuration).
- Import it from System > Configuration > Certificate > Device Certificate > Import Certificate and key.
The production certificate should now be installed.
Note: Make sure to bind the imported certificate to the relevant port, according to the configuration (Internal/External port), to avoid certificate errors in the browser when you type the Sign-in URL of the website.
To map the certificate to the ports, click the imported certificate; the ports can then be mapped.
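The CSR route, the intermediate-CA chain note and the .pfx import case above, rehearsed with OpenSSL as an added example (not from the article or from Pulse Secure): a throwaway root and intermediate CA are constructed to stand in for the company or commercial CA, and the hostname, CA names and password are all made up.

```shell
#!/bin/sh
# Added example, not from the article: rehearses the CSR flow with OpenSSL so the
# key-length, key/cert-match and CA-chain checks can be practised offline.
# A throwaway root + intermediate CA is constructed here to stand in for the
# company or commercial CA; every name, hostname and password below is made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
WORK=$(mktemp -d); cd "$WORK"
GW_CN="vpn.example.test"   # hypothetical gateway hostname (the CSR's Common Name)

# Gateway side: 2048-bit key and CSR. The private key never leaves this directory,
# which is the property the article's CSR method relies on.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
    -subj "/CN=$GW_CN" 2>/dev/null
}
# Constructed CA hierarchy: root signs an intermediate, the intermediate signs the
# gateway, which is the situation the article's intermediate-CA note is about.
make_ca_and_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root CA" -days 30 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Issuing CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile int.ext -days 30 -out int.crt 2>/dev/null
  openssl x509 -req -in gw.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -out gw.crt 2>/dev/null
}
# Key length read back from the CSR (the article's note: most CAs reject 1024-bit).
csr_key_bits() {
  openssl req -in gw.csr -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
# The returned certificate must carry the public key matching the key kept on the device.
cert_matches_key() {
  [ "$(openssl x509 -in gw.crt -noout -pubkey)" = "$(openssl pkey -in gw.key -pubout 2>/dev/null)" ]
}
# Chain check: the leaf alone does not verify against the root; leaf + intermediate does.
chain_ok()      { openssl verify -CAfile root.crt -untrusted int.crt gw.crt >/dev/null 2>&1; }
leaf_alone_ok() { openssl verify -CAfile root.crt gw.crt >/dev/null 2>&1; }
# The "certificate chain" file to upload: leaf first, then each intermediate.
build_chain() { cat gw.crt int.crt > gw-chain.pem; grep -c 'BEGIN CERTIFICATE' gw-chain.pem; }
# Bundle key + chain into a password-protected .pfx, the "certificate file includes
# the private key" import case; returns the number of certificates it carries.
make_pfx() {
  openssl pkcs12 -export -in gw.crt -inkey gw.key -certfile int.crt \
    -out gw.pfx -passout pass:changeit 2>/dev/null
  openssl pkcs12 -in gw.pfx -passin pass:changeit -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

gen_csr; make_ca_and_sign
echo "CSR key bits: $(csr_key_bits)"; cert_matches_key && echo "certificate matches device key"
chain_ok && echo "leaf + intermediate chain verifies"; echo "certificates in pfx: $(make_pfx)"
```

The files it leaves in the temporary directory (gw.csr, gw-chain.pem, gw.pfx) are the artefacts the article has you hand to the CA and upload to the PCS.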