Skyhigh Security

Generate VPN Authentication Certificates Using XCA

Skyhigh Private Access requires secure certificate management to establish trusted connections for user authentication. You can use the X Certificate and Key management (XCA) tool (version 2.9.0) to generate the necessary certificate infrastructure for your environment.

This process involves generating two types of certificates:

  • Root CA Certificate: You upload this certificate directly to your Skyhigh Security Cloud tenant interface. This deployment allows the Private Access Gateway to verify and trust all user certificates issued by this Certificate Authority (CA).
  • User Certificate: You export this certificate as a .p12 file and install it on client devices (such as iOS or Android). The Skyhigh Security Client uses this certificate to authenticate users and establish a secure Private Access connection.

Before You Begin

Ensure that you:

  • Install XCA version 2.9.0
  • Have permission to create and manage certificates
  • Securely store exported certificate files and passwords

Create a Root CA Certificate

The administrator configures a Root CA certificate to act as the trust anchor for user authentication.

  1. Open the XCA tool.
  2. Go to File > New Database to create a new database.

  3. Enter and confirm a password for the database.
    Ignore any warnings related to the encryption algorithm.

  4. Select the Certificates tab, then click New Certificate.

  5. In the Create x509 Certificate window, under the Source tab:
    • Set Signing to Create a self signed certificate
    • Set Signature algorithm to SHA384
    • Set Template for the new certificate to [default] CA
    • Click Apply Extensions
    • Click Apply Subject

  6. Go to the Subject tab.
  7. Configure the certificate subject details, replacing <customer_name> with a suitable name:
    • Enter an Internal Name
    • Enter a Common Name

  8. Click Generate a new key and configure the following settings:
    • Key type: RSA
    • Key size: 4096 bit
  9. Click Create, then click OK after the key generation completes.

  10. Open the Extensions tab and configure the following settings:
    • Uncheck X509v3 Authority Key Identifier checkbox
    • Keep X509v3 Subject Key Identifier selected
    • Retain all remaining default settings

  11. Open the Key Usage tab. Under X509v3 Key Usage in the left side panel, select Certificate Sign and CRL Sign, and retain all other settings as they are.

  12. Open the Netscape tab and perform the following actions:
    • Clear all selected options
    • Remove any auto-populated entries
    • Retain all remaining default settings

  13. Open the Advanced tab and click OK.

  14. When the success message appears, click OK to create the Root CA certificate.

Create the User Certificate

  1. In the XCA tool, select the previously created Root CA certificate.
  2. Click New Certificate.

  3. In the Create x509 Certificate window, under the Source tab:
    • Set Signing to Use this Certificate for signing
    • Select the previously created Root CA certificate
    • Set Signature algorithm to SHA384
    • Set Template for the new certificate to [default] TLS_client
    • Click Apply Extensions
    • Click Apply Subject

  4. Open the Subject tab.
  5. Configure the following fields:
    • Internal Name
    • Common Name

    Use the username or device identifier that requires VPN access.

  6. Click Generate a new key and configure the following settings:
    • Key size: 4096 bit
  7. Click Create, then click OK after the key generation completes.

  8. Open the Extensions tab and configure the following settings:
    • Set X509v3 Basic Constraints to Not defined
    • Clear the Critical option
    • Select only X509v3 Authority Key Identifier

  9. In the X509v3 Subject Alternative Name section:
    • Click Edit
    • Select Copy Common Name
    • Click Apply

    Ensure that DNS:copycn appears in the Subject Alternative Name field.

  10. Open the Key Usage tab and retain all the settings as shown in the image.

  11. Open the Netscape tab.

    Clear any automatically selected options and retain the remaining default settings.

  12. Open the Advanced tab and click OK to create the user certificate.

The user certificate now appears on the dashboard.

Export the Root CA Certificate

  1. Select the Root CA certificate.
  2. Click Export.

  3. Choose the export location.
  4. Set the export format to:

    PEM + Key (*.pem)

  5. Click OK to export the certificate.

Export the User Certificate

  1. Select the user certificate.
  2. Click Export.

  3. Choose the export location.
  4. Set the export format to:

    PEM + Key (*.pem)

  5. Click OK to export the certificate.

Export the PKCS #12 Certificate

  1. Select the user certificate.
  2. Click Export.

  3. Choose the export location.
  4. Set the export format to:

    PKCS #12 chain (*.pfx)

  5. Click OK.

  6. When prompted, configure a password for the PKCS #12 file.

    Store the password securely because it is required during certificate import on client devices.

Verify the Exported Certificate Files

  1. Open the exported Root CA certificate and user certificate files in a text editor.

NOTE: Rename the exported user_name.pfx file to user_name.p12. Only the extension changes from .pfx to .p12; the PKCS #12 content is the same. The client expects the .p12 file format for certificate import and authentication.

  2. Verify that the certificate files do not contain RSA private key header information (the private key block that the PEM + Key export writes next to the certificate).

  3. Ensure that only the required certificate content remains before importing the certificates into the deployment environment.
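The verification above is done by eye in a text editor. As an added example, not part of the Skyhigh or XCA documentation, the following Python script performs the same check on an exported PEM file: it parses every PEM block, reports any PRIVATE KEY block that the PEM + Key export writes alongside the certificate, and rebuilds a certificate-only file suitable for the tenant upload. The embedded sample export is constructed with placeholder DER bodies and is not real certificate material.

```python
import base64
import re

# Constructed sample of an XCA "PEM + Key" export. The base64 bodies are tiny
# placeholder DER values (SEQUENCE { INTEGER 1 }), not a real certificate or key.
SAMPLE_PEM_PLUS_KEY = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQE=
-----END RSA PRIVATE KEY-----
"""

BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S
)

def split_pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; ValueError on a BEGIN/END
    mismatch, bad base64, or a body that is not a DER SEQUENCE (first byte 0x30)."""
    blocks = []
    for begin, body, end in BLOCK_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{begin} block is not a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks

def private_key_labels(text):
    """Labels of private-key blocks present, e.g. ['RSA PRIVATE KEY'] or ['PRIVATE KEY']."""
    return [label for label, _ in split_pem_blocks(text) if "PRIVATE KEY" in label]

def certificates_only(text):
    """Rewrite the export keeping only its CERTIFICATE blocks, base64 wrapped at 64 columns."""
    out = []
    for label, der in split_pem_blocks(text):
        if label == "CERTIFICATE":
            b64 = base64.b64encode(der).decode("ascii")
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)

def is_safe_to_upload(text):
    """True when the file holds at least one certificate and no private key at all."""
    return any(label == "CERTIFICATE" for label, _ in split_pem_blocks(text)) and not private_key_labels(text)
```

Run `is_safe_to_upload` on the Root CA file before uploading it to the tenant; if it returns False, write out `certificates_only(...)` instead and keep the original PEM + Key file with the database password in your secure store.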
