Through the CradlePoint administration pages you now have the ability to create, manage, sign, and import/export X.509 certificates – frequently referred to as SSL certificates – under Network Settings → Certificate Management. Our implementation integrates an OpenSSL toolkit solution. It includes the ability to create your own CA certificates and self-signed certificates.
For background information on digital certificates, see the following Wikipedia articles:
Digital certificates have multiple possible uses in a CradlePoint networking setup. For example, a digital certificate is a much more secure option for VPN tunnel authentication than a pre-shared key.
Go to the following sections for more information about specific certificate management options:
- Create Certificates – includes CA certificates and self-signed certificates
- Certificate Signing Request (CSR) – generate a CSR for third-party signing
- Local Certificates – list of certificates on the device; includes Remove certificate option
- Import/Export PEM Format Certificates
- Import/Export PKCS #12 Format Certificates
Not all Certificate Management options displayed here are currently available via the Enterprise Cloud Manager configuration pages.
Create Certificates
Complete the following fields to create certificates locally, including CA (certificate authority) certificates.
To create local certificates without sending signature requests to a third-party CA, first create a CA certificate with this interface and then create additional certificates that you sign with your CA:
- Step 1: Create a CA certificate. In the Issuer section select Set as CA certificate.
- Step 2: Create additional certificates. In the Issuer section select Sign with CA certificate and then select the CA certificate you created in step 1 from the dropdown list.
- Name: Choose a name meaningful to you.
- Set as CA certificate: Select if the certificate you are creating is intended to be a CA.
- Sign with CA certificate: Select to sign this certificate with a CA you created previously.
- Certificate Name: Select your CA certificate from the dropdown list of local certificates.
- Country Name: 2-letter country code (e.g., AU, UK, US)
- State or Province Name: The name of your state or region
- Local Name: Generally the city or town
- Organization Name: Company name
- Organization Unit: Company division name
- Common Name: Must be unique; if used for authentication, this must match the configured Common Name (CN) on the third-party authenticator
- Email Address
- Days: Input the number of days the certificate should remain valid (999 days maximum).
Public Key Algorithm
- Type: Select one of the following:
- Digest: The following cryptographic hash functions are listed in order of increasing security. More security requires more router resources.
- Bits: A greater bit size is more secure, but requires more router resources. Some devices do not support 2048 bits, so ensure compatibility.
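The two-step flow above (create a CA, then sign further certificates with it) can be reproduced off the router with the openssl command-line tool. This is an added example, not CradlePoint's own code; the subject values, file names and the `pki.cnf` extension profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline equivalent of Step 1 / Step 2 using the openssl CLI.
# Subject values (Example Corp, demo-ca, vpn-peer-1) are constructed.
write_conf() {  # $1 = dir; extension profiles kept in one local config file
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF
}

make_ca() {  # $1 = dir, $2 = CA common name (Step 1: "Set as CA certificate")
  openssl req -config "$1/pki.cnf" -x509 -extensions ca_ext \
    -newkey rsa:2048 -sha256 -nodes -days 999 \
    -subj "/C=US/ST=Idaho/L=Boise/O=Example Corp/OU=Network/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

make_leaf() {  # $1 = dir, $2 = leaf CN, $3 = signing CA name (Step 2)
  openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -sha256 -nodes \
    -subj "/C=US/ST=Idaho/L=Boise/O=Example Corp/OU=Network/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -sha256 -days 365 \
    -extfile "$1/pki.cnf" -extensions leaf_ext -out "$1/$2.pem" 2>/dev/null
}

chains_to() {  # $1 = dir, $2 = leaf name, $3 = CA name; exit 0 if leaf verifies
  openssl verify -CAfile "$1/$3.pem" "$1/$2.pem" >/dev/null 2>&1
}

is_ca() {  # $1 = PEM file; exit 0 only if basicConstraints marks it a CA
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

d=$(mktemp -d) && write_conf "$d" && make_ca "$d" demo-ca &&
  make_leaf "$d" vpn-peer-1 demo-ca && chains_to "$d" vpn-peer-1 demo-ca &&
  echo "vpn-peer-1 chains to demo-ca"
```

A peer that trusts `demo-ca.pem` accepts `vpn-peer-1.pem`, and the `CA:FALSE` constraint on the leaf keeps it from being used to sign further certificates.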
Certificate Signing Request
Request a certificate signature from a remote CA. Using an established, third-party CA increases the likelihood that your certificate will be trusted by others (see security issues for self-signed certificates for more information).
Generate a certificate signing request (CSR) by selecting a certificate from the dropdown list (Name field) and downloading the CSR. The CSR can then be sent to a remote CA for a signature. Once the certificate has been signed, import the certificate in PEM or PKCS #12 format.
When you export the CSR, select a Digest, or cryptographic hash function. These are listed in order of increasing security. More security requires more router resources.
Local Certificates
This is a table of local certificates, including certificate details.
Remove a local certificate by selecting the certificate and clicking the Remove button.
- Name: Friendly description of the certificate.
- Country: (C) The certificate owner’s country of residence.
- State or Province: (ST) The certificate owner’s state or province of residence.
- Location: (L) The certificate issuer’s locality (city, town, etc.).
- Org.: (O) The organization to which the certificate issuer belongs.
- Org. Unit: (OU) The name of the organizational unit to which the certificate issuer belongs.
- Common Name: (CN) Name used to match authentication credentials.
Import/Export PEM Format Certificates
PEM is a container format for encoding data – in this case, X.509 certificates. PEM was originally designed for encoding email (PEM stands for Privacy-enhanced Electronic Mail), but it has never been widely used for that purpose. The format is much more common for encoding digital certificates.
Choose a certificate file in PEM format from your computer or local device and upload it to the router. Give the certificate a name that is meaningful to you.
Select a local certificate from the dropdown list and download it to your computer or local device in PEM format.
Import/Export PKCS #12 Format Certificates
PKCS #12 is one of the public-key cryptography standards. PKCS #12 files bundle public and private certificate keys in an archive file format. The PKCS #12 container format is more secure than the PEM container format because it is protected by an encryption key.
Choose a certificate file in PKCS #12 format from your computer or local device and upload it to the router. Give the certificate a name that is meaningful to you.
PKCS #12 files are protected by a passphrase – you must know this key to import the file.
Select a local certificate from the dropdown list and download it to your computer or local device in PKCS #12 format.
When you export this file, you must create a passphrase to protect it. This key is required for future use of the file.
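Checks worth running on a workstation before importing or after exporting a certificate in either format, written with the openssl command-line tool. This is an added example, not CradlePoint's own code; file names, the CN and the passphrases are constructed.

```shell
#!/bin/sh
# Added example: PKCS #12 and PEM handling checks with the openssl CLI.
# File names, the CN and the passphrases are constructed sample values.

make_pair() {  # $1 = dir; writes a throwaway self-signed cert.pem + key.pem
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=demo-export\n' \
    > "$1/min.cnf"
  openssl req -config "$1/min.cnf" -x509 -newkey rsa:2048 -sha256 -nodes \
    -days 30 -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

key_matches_cert() {  # $1 = cert PEM, $2 = key PEM; compare the public keys
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ]
}

export_p12() {  # $1 = cert, $2 = key, $3 = out file, $4 = passphrase
  # env: keeps the passphrase out of the process argument list
  P12_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" \
    -name demo-export -passout env:P12_PASS -out "$3"
}

p12_opens() {  # $1 = .p12 file, $2 = passphrase; exit 0 if the MAC verifies
  P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS -noout 2>/dev/null
}

pem_key_is_plaintext() {  # $1 = PEM file; exit 0 if it holds an unencrypted key
  grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" &&
    ! grep -q '^Proc-Type: 4,ENCRYPTED' "$1"  # legacy encrypted PEM header
}

d=$(mktemp -d) && make_pair "$d" &&
  key_matches_cert "$d/cert.pem" "$d/key.pem" &&
  export_p12 "$d/cert.pem" "$d/key.pem" "$d/bundle.p12" 'constructed-passphrase' &&
  p12_opens "$d/bundle.p12" 'constructed-passphrase' && echo "bundle.p12 verified"
```

`pem_key_is_plaintext` flags PEM files that carry a private key with no passphrase protection, which is the case the PKCS #12 passphrase is meant to avoid.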