VPNs (virtual private networks) are the backbone of corporate security infrastructure. They not only protect access to internal resources but also make remote working possible by providing the channel over which that access happens. Such VPNs are not the everyday consumer kind: they are not a web service but a full-fledged network, and as such they have their own infrastructure. One characteristic of a corporate VPN is strong authentication through a certificate.
VPNs are effective against external threats because of their authentication process. In a corporate VPN, both pre-shared keys and certificates can be used as the authentication method. A VPN certificate is particularly useful because it cannot easily be tampered with. Unlike username-and-password credentials, it is hassle-free and automated: authentication happens simply by initiating the VPN connection. In this article, you will learn more about VPN certificates.
What is a VPN certificate?
A VPN certificate carries no information specific to the virtual private network itself. You can therefore use such certificates for authentication in any kind of VPN, for example a policy-based or a route-based one. For a VPN certificate to work, however, issuance has to be handled by an authority: a certificate authority (CA) manages the proof of identity independently of the VPN. The VPN's infrastructure, such as its gateways, is then configured to trust the CA that signed the certificate and to authenticate peers against it. These gateways build VPN tunnels and allow traffic only from peers that present a certificate the other gateway has accepted.
Because any certificate signed by the trusted CA and matching the VPN policy is accepted, certificate changes do not disrupt VPN traffic: certificates can be changed, added, or removed, and as long as the proof of identity chains to the CA, they remain functional. A single certificate can therefore be used for several VPN clients. Although they are useful, certificates are not mandatory for authentication; they do, however, reduce maintenance work because they do not need to be changed. Another characteristic of a VPN certificate is that it has an expiration date, so when a certificate expires, a new one is needed.
How to manage a VPN certificate
VPN certificates need to be managed so that authentication stays smooth and no logical conflicts arise. Either an internal or an external CA can issue a certificate, and both the initiating and the receiving VPN gateways can trust it. There are therefore several methods for signing a VPN certificate:
- A dedicated internal RSA (Rivest-Shamir-Adleman) CA and its counterpart, an internal ECDSA (Elliptic Curve Digital Signature Algorithm) CA, are part of the management server of a corporate VPN. VPN clients associated with this server use certificates signed by these CAs.
- Only one internal CA can be set as the default. When the default CA signs a new certificate, the whole process is handled automatically.
- You can also create certificate requests in the VPN management, export them, have them signed by an external CA, and import the signed certificates.
- RSA certificates can be generated with the same steps.
- The internal RSA CA or the internal ECDSA CA can also sign certificate requests created by external components, which supports remote VPN clients.
VPN certificate features
A VPN certificate works in tandem with IKE (Internet Key Exchange). The attributes of such a certificate are as follows:
- A digital certificate obtained from a third-party CA or from a private CA can be used in this configuration. A self-signed certificate can also work.
- VPNs can create certificate signing requests (CSRs) in order to import the relevant certificates.
- Both peers (gateways) must trust a common CA; hence the management server must sign the user certificate.
- The server only needs its own certificate. It does not need to know every individual certificate of connected or potential users.
- The server will only accept certificates signed by the default CA.
- If a private key is compromised, the corresponding certificate can be disabled by adding it to a CRL (certificate revocation list).
- The server can enforce client access rights based on certificates.
Limitations of VPN certificates
A VPN certificate has its limitations. It is not all-powerful, and it has to function within pre-existing logical boundaries. The following drawbacks are observed:
- All gateways in the same VPN must trust the same CA; otherwise VPN communication risks failing. A typical example is using an internal ECDSA CA as the default CA for gateways: this default CA must then sign every other certificate for the VPN to function.
- VPN gateways store the certificates used to establish a VPN connection. However, these certificates are not covered by the management server backup, so a restore leaves them unchanged.
- A certificate without its corresponding private key is unusable. In that case, new certificates have to be generated.
- The issuing CA examines external certificates, and it can revoke access where necessary. This prevents damage to the network when a certificate is compromised.
Guide to configure new certificates for VPNs
The WMS (workspace management server) includes an integrated CA and an OCSP (Online Certificate Status Protocol) server. Together, they issue certificates to remote clients for client-certificate-based authentication. You can use the VPN Cert window to download the Workspace root CA certificate. The relevant steps are:
- First, click the settings icon in the top right corner of the management server user interface and select VPN Cert. This takes you to the VPN certificate page.
- Click the VPN certificate link to download the CA certificate corresponding to your management server.
- Then click Regenerate to renew the expired certificate.
- If prompted, select Yes.
- Click the VPN certificate link to download the regenerated certificate.
- Then log in to your VPN appliance and navigate to Settings.
- From there, click Configuration and then Certificates.
- Under Certificates, click Trusted Client CAs.
- Delete your old CAs.
- Click Import CA certificate to upload the new certificate.
Replace expired certificates
For obvious security reasons, VPN certificates have a limited lifespan, and a certificate needs replacement after a certain period. For example, VPN certificates issued by the internal RSA CA and the internal ECDSA CA are both valid for three years. Where you have both internal CAs, only one can act as the default. Activating automatic RSA certificate management therefore issues certificates under the default CA and renews them automatically.
The prerequisite, however, is that the certificate-related files, including the private key, remain intact. By default, the new certificates are assigned automatically to VPN gateways by the CA. Certificates not signed by the default CA, if any, must be created and signed manually. So if certificates that are about to expire are assigned to VPN gateways for authentication, one can also create new certificates for those VPN clients manually.
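The following script is an added example and is not code from the original article or from any VPN vendor. It ties together several points made above using only the openssl command line: an internal RSA CA and an internal ECDSA CA with three-year lifetimes, a gateway certificate request signed by the default CA, the "all gateways must trust the same CA" limitation (a certificate from one CA is rejected by the other), revocation of a compromised certificate through a CRL, and an expiry check of the kind a renewal job would run. All CA names, gateway names, subjects, directories and the short lifetimes are constructed for the demonstration; the CA database layout is the minimal one the openssl ca command needs, not the layout of any particular management server.

```shell
#!/bin/sh
# Added example (not from the original article): a minimal VPN gateway
# certificate lifecycle driven by the openssl CLI. Names, subjects and
# lifetimes are constructed; the CA database layout is openssl's own.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
CA_DIR=.; export CA_DIR      # overridden per call for 'openssl ca'

# One config: [req] for CSRs and self-signed CA certs, [demo_ca] for 'openssl ca'
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ENV::CA_DIR
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF

# make_ca NAME ALGO(rsa|ecdsa): self-signed CA valid three years in NAME/ca.{key,crt}
make_ca() {
    mkdir -p "$1/newcerts"; touch "$1/index.txt"
    echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
    if [ "$2" = rsa ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null
    else
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/ca.key" 2>/dev/null
    fi
    openssl req -x509 -new -config demo.cnf -key "$1/ca.key" -sha256 -days 1095 \
        -subj "/CN=$1" -out "$1/ca.crt" 2>/dev/null
}

# make_csr NAME CN: key pair plus certificate request; NAME.key stays on this host
make_csr() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1.key" 2>/dev/null
    openssl req -new -config demo.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# sign_csr CA NAME DAYS: issue NAME.crt from NAME.csr under CA (the "default CA" step)
sign_csr() {
    openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days "$3" -out "$2.crt" 2>/dev/null
}

# verify_cert CA CERT: exit 0 only if CERT chains to CA (what a gateway checks)
verify_cert() {
    openssl verify -CAfile "$1/ca.crt" "$2.crt" >/dev/null 2>&1
}

# revoke_cert CA CERT: mark CERT revoked in CA's database and publish CA/crl.pem
revoke_cert() {
    CA_DIR="$1" openssl ca -config demo.cnf -revoke "$2.crt" >/dev/null 2>&1
    CA_DIR="$1" openssl ca -config demo.cnf -gencrl -out "$1/crl.pem" >/dev/null 2>&1
}

# is_revoked CA CERT: exit 0 if CERT chains to CA but is rejected once the CRL is consulted
is_revoked() {
    openssl verify -CAfile "$1/ca.crt" "$2.crt" >/dev/null 2>&1 &&
    ! openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2.crt" >/dev/null 2>&1
}

# expires_within CERT SECONDS: exit 0 if CERT will no longer be valid SECONDS from now
expires_within() {
    ! openssl x509 -in "$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# --- walk-through ---------------------------------------------------------
make_ca internal-rsa rsa                   # the default CA for this VPN
make_ca internal-ecdsa ecdsa               # second internal CA, not the default
make_csr gw1 gateway1.example.test
sign_csr internal-rsa gw1 1095             # three-year gateway certificate
make_csr gw2 gateway2.example.test
sign_csr internal-rsa gw2 1                # one-day certificate: renewal candidate
verify_cert internal-rsa gw1   && echo "gw1: trusted by internal-rsa"
verify_cert internal-ecdsa gw1 || echo "gw1: rejected by internal-ecdsa (not the same CA)"
expires_within gw2 $((2*86400)) && echo "gw2: expires within two days, renew it"
revoke_cert internal-rsa gw1               # private key compromised: put it on the CRL
is_revoked internal-rsa gw1    && echo "gw1: now rejected via CRL"
```

The script keeps every private key next to the entity that owns it: the gateway key is generated by make_csr and only the request travels to the CA, which mirrors the "create requests, export them, sign them, import them" flow described above. The CRL is checked with verify -crl_check; a gateway that never fetches the CRL would keep accepting the revoked certificate, which is why revocation only helps when the peers actually consult the CRL (or an OCSP responder).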