Skyhigh Security

Generate Certificate Authority (CA) and User Identity (.p12) Certificates using XCA Tool

The Skyhigh Mobile Client application enables end users to securely access the Internet and private applications from Android devices. When end users access websites or private applications, the traffic is forwarded to the Skyhigh SWG (Cloud & On-Prem) for policy enforcement before it is forwarded to the actual website or private application.

NOTES: 

  • This topic is intended for MDM administrators who manage end users' Android devices via the Skyhigh Mobile Client app. 
  • Skyhigh recommends creating a new user group and applying all relevant policies and configurations to the group. Once the Skyhigh Mobile Client setup and deployment are complete, MDM administrators can add new users to the group.

Prerequisites

Generate a self-signed certificate authority (CA) and use it to generate a user identity (.p12) file. Upload the CA file to the Skyhigh UI, then download the Customer tenant CA certificate from the Skyhigh UI.

  • MDM Setup: Create a VPN profile together with the user identity (.p12) file and the Customer tenant CA certificate, and push it directly to the Android devices using MDM.
  • BYOD Setup: Share the Customer tenant CA certificate and the user identity (.p12) file with the user. The user must install the CA certificate and trust it in the device settings, then install the app and upload the .p12 file, which creates the VPN.

Generate Certificate Authority (CA) and User Identity (.p12) certificates

Create a self-signed CA and use it to generate and sign the user identity files.

NOTE: You can create one user identity file per user or device.

Generate Certificates using the XCA tool

You can generate the certificates using the XCA tool.

  1. Download and install the XCA 2.4.0 tool.
  2. Create a new database: go to File > New Database and enter a password to save it.
  3. Click the Certificates tab.
  4. Click New Certificate.
  5. Select Create a self-signed certificate as the signing option.
  6. Select SHA384 as the Signature algorithm.
  7. Select [default] CA as the Template for the new certificate.
  8. Click Apply extensions and Apply subject.
  9. Click the Subject tab.
  10. Enter the Internal Name and commonName.
  11. Click Generate a new key.
  12. Select RSA as the keytype and 4096 bit as the Keysize.
  13. Click Create. The Key created message window appears.
  14. Go to the Extension tab and retain all the settings as is.
  15. Go to the Key Usage tab and retain all the settings as is.
  16. Go to the Netscape tab and clear any selected options.
  17. Go to the Advanced tab and review all the information.
  18. Click OK to create the CA certificate.
  19. Click the Certificates tab.
  20. Select the recently created root_CA certificate.
  21. Click New Certificate.
  22. Select the previously created CA (root_CA) certificate as the signing option.
  23. Select SHA384 as the Signature algorithm.
  24. Select [default] TLS_client or [default] HTTPS_client as the Template for the new certificate.
  25. Click the Apply extensions and Apply subject buttons.
  26. Click the Subject tab and enter the Internal Name and commonName. Make sure the file name is the same as the commonName.
  27. Click Generate a new key.
  28. Select RSA as the keytype and 4096 bit as the Keysize.
  29. Click Create. The Key created message window appears.
  30. Go to the Extension tab. Set the X509v3 Basic Constraints type to Not defined and clear the Critical option.
  31. Select X509v3 Authority Key Identifier as the Key identifier.
  32. Click Edit next to X509v3 Subject Alternative Name.
  33. Enable the Copy Common Name setting and click Apply.

NOTE: If Copy Common Name is not available, manually enter DNS:user1 (where user1 is the commonName of the client certificate entered in step 26) in the X509v3 Subject Alternative Name field.

  34. Go to the Key Usage tab and select the options from the list as shown in the image below.

Picture35.png

  35. Go to the Netscape tab and clear any selected options.
  36. Go to the Advanced tab and review all the information.
  37. Click OK to create the client certificate.
  38. Select the CA certificate and click Export.
  39. Select the File Location and PEM + Key (*.pem) as the Export Format for the CA certificate. Click OK to save the file.
  40. Select the client certificate (user1) and click Export.
  41. Select the File Location and PEM + Key (*.pem) as the Export Format for the client certificate. Click OK to save the file.
  42. Select the client certificate (user1) and click Export again.
  43. Select the File Location and PKCS #12 chain (*.pfx) as the Export Format for the client certificate. Click OK to save the file. Make sure the file name is the same as the commonName.
  44. Enter the password and click OK to save the file.
  45. Go to the file location and open the CA and client .pem files in a text editor. Verify that only the certificate part is present in each file and remove any extra information.
  46. Rename the client (user1) .pfx file to .p12.
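The XCA procedure above, reproduced with the openssl command line as an added example (this is not Skyhigh's or XCA's code): a self-signed RSA 4096/SHA384 root_CA, a client certificate signed by it with no Basic Constraints, an Authority Key Identifier, the commonName copied into the Subject Alternative Name and client-authentication key usage, exported straight to a .p12 and then checked as step 45 requires. The function name, output directory, validity periods and the password argument are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not Skyhigh or XCA code): the certificate profile from the XCA
# steps above, built with the openssl CLI and checked as step 45 requires.
# Assumptions: openssl 1.1.1+ on PATH; output directory, validity periods,
# file names and the .p12 password are constructed placeholders.
set -eu

make_user_identity() {
  cn="$1"                 # client commonName; also used as the file name
  p12_pass="$2"           # the password entered in step 44
  out="${3:-./xca-out}"   # where root_CA.* and $cn.* are written
  mkdir -p "$out"

  # Root CA: RSA 4096, SHA384, self-signed, CA:TRUE (steps 5-18)
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$out/root_CA.ext"
  openssl req -new -newkey rsa:4096 -nodes -subj '/CN=root_CA' \
    -keyout "$out/root_CA.key" -out "$out/root_CA.csr" 2>/dev/null
  openssl x509 -req -sha384 -days 3650 -in "$out/root_CA.csr" \
    -signkey "$out/root_CA.key" -extfile "$out/root_CA.ext" \
    -out "$out/root_CA.pem" 2>/dev/null

  # Client certificate signed by root_CA (steps 22-37): no Basic Constraints,
  # Authority Key Identifier, commonName copied into the SAN, client auth
  printf '%s\n' 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    "subjectAltName=DNS:$cn" \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$out/$cn.ext"
  openssl req -new -newkey rsa:4096 -nodes -subj "/CN=$cn" \
    -keyout "$out/$cn.key" -out "$out/$cn.csr" 2>/dev/null
  openssl x509 -req -sha384 -days 365 -in "$out/$cn.csr" \
    -CA "$out/root_CA.pem" -CAkey "$out/root_CA.key" -CAcreateserial \
    -extfile "$out/$cn.ext" -out "$out/$cn.pem" 2>/dev/null

  # PKCS#12 chain written straight to .p12, so no .pfx rename (steps 42-46)
  openssl pkcs12 -export -name "$cn" -inkey "$out/$cn.key" -in "$out/$cn.pem" \
    -certfile "$out/root_CA.pem" -passout "pass:$p12_pass" -out "$out/$cn.p12"

  # Step 45 checks: client cert chains to root_CA, the SAN carries the commonName,
  # and each .pem holds exactly one block (the key was written to its own file)
  openssl verify -CAfile "$out/root_CA.pem" "$out/$cn.pem" >/dev/null &&
    openssl x509 -in "$out/$cn.pem" -noout -ext subjectAltName | grep -q "DNS:$cn" &&
    [ "$(grep -c -- '-----BEGIN' "$out/root_CA.pem")" -eq 1 ] &&
    [ "$(grep -c -- '-----BEGIN' "$out/$cn.pem")" -eq 1 ] &&
    [ -s "$out/$cn.p12" ] && echo ok
}
# Run directly as: sh make_user_identity.sh user1 'Example-P12-Pass' ./xca-out
[ -z "${1:-}" ] || make_user_identity "$1" "${2:-Example-P12-Pass}" "${3:-./xca-out}"
```

The resulting root_CA.pem is what the next section uploads, and user1.p12 is the user identity file pushed to the device.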

Upload the generated CA certificate to the Skyhigh Security UI

Upload the CA certificate generated in Step 1 to the Skyhigh Security UI.

NOTE: After this step, wait for 30-40 minutes before connecting the VPN.

  1. Go to Settings > Infrastructure > Web Gateway Setup.
  2. Click Configure on the Skyhigh Mobile Cloud Security setting.
  3. Click Upload and select the custom CA certificate.

NOTE: Supported certificate formats are DER, PEM, CRT, and CER.

  4. Specify the User name and an optional User Group under User Identity certificates.
  5. Click Save.
  6. Click Upload & Test and upload the user identity file (.cer, .crt, .pem, or .der) to validate the CA and user identity file.
  7. Click Save to save the configuration.
  8. Click Publish to apply the changes.
Download the Tenant Customer CA from the Skyhigh UI

  1. Go to Policy > Web Policy > Feature Configuration.
  2. Select HTTPS connections > Customer CA.
  3. Select Customer CA and click Export to download the Customer CA file.
  4. Share this Customer CA certificate with the user if the manual VPN configuration is used.

Download and install the Customer Root CA certificate and the P12 certificate

  1. Download the Customer Root CA certificate using this link.
  2. Use the P12 certificate generated by the XCA tool. To generate it, see the User Identity (.p12) certificates section above.
  3. To install the certificates, go to Settings > Security and Privacy > More security settings.
  4. Tap Install from device storage.
  5. On the Install from device storage screen, do the following:
     • To install the CA certificate, tap CA certificate.
     • To install the VPN certificate, tap VPN and app user certificate.

Once the certificates are installed or pushed to the device, install the Skyhigh Mobile Client app from the Google Play Store. For more information, see Skyhigh Mobile Client App for Android Devices.