How to create a wildcard certificate to be used on the appliance
03/26/2020 
20 
14089
DESCRIPTION:
How to create a wildcard certificate to be used on the appliance
RESOLUTION:
Overview
This article will explain how to create and import a wildcard certificate into the AMC to use as the Appliance certificate. These instructions will work with 8.6.x appliances only.
NOTE: The instructions below are unsupported and are here only for your reference. Follow these instructions at your own risk. The instructions contained within this article require command line access to the Aventail appliance. If you are not comfortable with accessing the appliance on the command line, stop here. KB article #2500 has more information on how to get to the command line of the appliance.
Problem statement
The issue is that the Aventail appliance cannot have a self-signed certificate that is signed by a wildcard issuer – i.e. *.aventail.com.
To get around this we can use OpenSSL to create a certification authority on the appliance and then use that to generate a certificate.
Procedure
Stage 1 - Create CA on appliance
- Create a directory on the appliance to store the CA. For example:
cd ~
mkdir aventailca
cd aventailca - Create 2 files in the directory. Fill them with the contents listed below.
- File number 1 - makefile
#
# Automates the setup of a custom Certificate Authority and provides
# routines for signing and revocation of certificates. To use, first
# customize the commands in this file and the settings in openssl.cnf,
# then run:
#
# make init
#
# Then, copy in certificate signing requests, and ensure their suffix is
# .csr before signing them with the following command:
#
# make sign
#
# To revoke a key, name the certificate file with the cert option
# as shown below:
#
# make revoke cert=foo.cert
#
# This will revoke the certificate and call gencrl; the revocation list
# will then need to be copied somehow to the various systems that use
# your CA cert.
requests = *.csr
sign: ${requests}
# remove -batch option if want chance to not certify a particular request
${requests}: FORCE
@openssl ca -batch -config openssl.cnf -in $@ -out ${@:.csr=.cert}
@[ -f ${@:.csr=.cert} ] && rm $@
revoke:
@test $${cert:?"usage: make revoke cert=certificate"}
@openssl ca -config openssl.cnf -revoke $(cert)
@$(MAKE) gencrl
gencrl:
@openssl ca -config openssl.cnf -gencrl -out ca-crl.pem
clean:
-rm ${requests}
# creates required supporting files, CA key and certificate
init:
@test ! -f serial
@mkdir crl newcerts private
@chmod go-rwx private
@echo '01' > serial
@touch index
@openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM
help:
@echo make sign
@echo ' - signs all *.csr files in this directory'
@echo
@echo make revoke cert=filename
@echo ' - revokes certificate in named file and calls gencrl'
@echo
@echo make gencrl
@echo ' - updates Certificate Revocation List (CRL)'
@echo
@echo make clean
@echo ' - removes all *.csr files in this directory'
@echo
@echo make init
@echo ' - required initial setup command for new CA'
# for legacy make support
FORCE: - File number 2 - openssl.cnf
#
# OpenSSL configuration file for custom Certificate Authority. Use a
# different openssl.cnf file to generate certificate signing requests;
# this one is for use only in Certificate Authority operations (csr ->
# cert, cert revocation, revocation list generation).
#
# Be sure to customize this file prior to use, e.g. the commonName and
# other options under the root_ca_distinguished_name section.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
# unsed at present, and my limited certs can be kept in current dir
#certs = $dir/certs
new_certs_dir = $dir/newcerts
crl_dir = $dir/crl
database = $dir/index
certificate = $dir/ca-cert.pem
serial = $dir/serial
crl = $dir/ca-crl.pem
private_key = $dir/private/ca-key.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default
cert_opt = ca_default
default_crl_days= 30
default_days = 365
# if need to be compatible with older software, use weaker md5
default_md = sha1
# MSIE may need following set to yes?
preserve = no
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = ./private/ca-key.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = v3_ca
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# req_extensions = v3_req
[ root_ca_distinguished_name ]
commonName = Aventail EMEA
countryName = GB
stateOrProvinceName = London
localityName = London
0.organizationName = aventail.com
emailAddress = test@aventail.com
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
nsCaRevocationUrl = https://uk.aventail.com/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
- When you have created the above files (you can modify as needed) the run the following command:
make init
Generating a 2048 bit RSA private key
...............................................................................................+++
..................................................+++
writing new private key to './private/ca-key.pem' - This will create the required directories and files for the CA in the directory you are in
Stage 2 – Creating the Wildcard certificate
- Change directory out of the ca directory to a new one (i.e cd /root)
- Create the certificate request:
openssl req –newkey rsa:1024 –keyout aventail.privkey –out aventail.csr
Generating a 1024 bit RSA private key
.........................................................++++++
....++++++
writing new private key to 'aventail.privkey'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: - You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value, If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aventail
Organizational Unit Name (eg, section) []:EMEA
Common Name (eg, YOUR name) []:*.aventail.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []: - This will create 2 files: the private key and the CSR (i.e. aventail.privkey and aventail.csr).
- Copy the CSR file to the ca directory you created above (i.e. cp aventail.csr /aventailca/.)
- Change directory to the CA directory (i.e. cd ~/aventailca)
- Run this command:
make sign
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 1 16:02:10 2006 GMT
Not After : Mar 1 16:02:10 2007 GMT
Subject:
countryName = GB
stateOrProvinceName = London
organizationName = Aventail
organizationalUnitName = EMEA
commonName = *.aventail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
9E:CE:E9:A5:51:EA:D7:D7:A8:B0:2E:B1:8B:98:14:F1:DE:38:B1:AA
X509v3 Authority Key Identifier:
keyid:E8:90:18:0B:6E:CC:DF:D9:B3:31:65:7F:B7:3D:E8:26:8F:E4:83:2
DirName:/CN=Aventail EMEA/C=GB/ST=London/L=London/O=aventail.co/emailAddress=test@aventail.com
serial:00
Netscape CA Revocation Url:
https://uk.aventail.com/ca-crl.pem
Certificate is to be certified until Mar 1 16:02:10 2007 GMT (365 days)
Write out database with 1 new entries
Data Base Updated - This will create the certificate (i.e. aventail.cert)
- Copy the .cert file created (i.e. Aventail.cert) to the directory where you created the csr (i.e. cp aventail.cert /root/.)
- You also need to copy the ca-cert.pem file to the same directory (i.e. cp ca-cert.pem /root/.)
- Change directory to the directory you created the csr file in (i.e. cd /root)
- You now need to copy 3 files together the cert, the privatekey and the ca key (pem file):
cat aventail.ce
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
