Onboard a Linux device to a network with certificates and self-onboarding

In this topic, you will learn how to onboard using certificates, the self-onboarding portal, a Linux computer, and a network managed by Portnox™ Cloud.

The self-onboarding portal is for users who have accounts based on external authentication repositories or Portnox Cloud accounts. If you have a contractor account in Cloud, configure the network manually using credentials or use Certmonger to obtain a certificate.

If you already downloaded and installed the certificate for the same device, for example, to authenticate with another type of network, you don’t need to install the certificate again and you should skip the relevant steps.

Warning: This configuration was tested and applied in practice on Ubuntu 22.04 LTS. It may not work out-of-the-box with other Linux versions, including other versions of Ubuntu. Before starting, make sure that you can connect to regular wired and/or wireless networks from the machine.

Download and install the certificate

In this section, you will generate, download, and install the user certificate on your device.

Enter the URL of the self-onboarding portal in your browser.
To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.
In Step 1, select the third option: CLEAR account certificate management and click on the Next button.
In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
If you have chosen Corporate email address:
Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
1. In the Email field, enter your corporate email address and click on the SIGN IN button.
  
  If you activate the Automatically generate secure password and send me by email checkbox, you will receive a separate email with a Portnox Cloud password. If so, you should use this password in the next steps.
2. Open your email client and find the email received from Portnox Cloud containing a one-time activation code. Copy this code to the clipboard.
  
  If you activated the Automatically generate secure password and send me by email checkbox in the previous step, do not confuse the password email with the code email. They are two separate emails.
3. In the self-onboarding portal, paste the code in the Activation code field and click on the CONFIRM button.
If you have chosen Corporate username and password:
1. Click on the tile that represents the authentication repository you want to use to sign in. If you want to use Okta Workforce Identity, enter your Okta login and password and click on the SIGN IN button.
  
  Note: Options depend on the repositories integrated with Portnox Cloud: Microsoft Azure (Entra ID), Google Workspace, and/or Okta Workforce Identity.
2. Complete the steps needed to sign in. These steps depend on the chosen authentication repository.
Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your device.

Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.

Result: You downloaded the PKCS12 file that contains the CA certificate, the user certificate, and your private key with an empty password.

Convert the PKCS12 certificate to separate files

In this section, you will convert the downloaded PKCS12 certificate to separate files, which you can use to connect to the network.

Extract your private key to a separate file.
```
$openssl pkcs12 -nocerts \
  -in downloaded_file.p12 \
  -out key_file.pem
```
- Replace /path/to/downloaded_file with the name and location of the file you downloaded in the previous step.
- Replace /path/to/key_file with the name and location of the file where you want to save your private key.
- In the Enter Input Password: prompt, press Enter (empty key).
- In the Enter PEM pass phrase: prompt, enter the password to use for your private key (you will later use that password when configuring the network).
Example:
```
$openssl pkcs12 -nocerts \
  -in /home/vboxuser/Downloads/vorlon.p12 \
  -out /var/portnox/protected.pem
```
Extract your user certificate to a separate file.
```
$openssl pkcs12 -nokeys \
  -in /path/to/downloaded_file.p12 \
  -out /path/to/certificate_file.pem
```
- Replace /path/to/downloaded_file with the name and location of the file you downloaded in the previous step.
- Replace /path/to/certificate_file with the name and location of the file where you want to save your user certificate.
- In the Enter Input Password: prompt, press Enter (empty key).
Example:
```
$openssl pkcs12 -nocerts \
  -in /home/vboxuser/Downloads/vorlon.p12 \
  -out /var/portnox/public.crt
```

Download and convert the root CA certificate

In this section, you will download the Portnox™ Cloud root CA certificate> from the Cloud portal and convert it to a format that you can later use to connect to the network.

Open the Portnox Cloud portal and log in.
In the Cloud portal top menu, click on the Settings option.
In the right-hand side pane, find and click on the CLEAR RADIUS SERVICE heading.

The active servers appear under the CLEAR RADIUS SERVICE heading and description along with advanced options.
Click on any of the active RADIUS services to show its configuration.
Click on the Download root certificate link to download the root CA certificate.
If you’re working on a Linux desktop, use OpenSSL to convert the certificate to PEM format.
```
$openssl x509 -inform der \
  -in downloaded_file.cer \
  -out certificate.crt
```
Note: The file extension does not identify the certificate format. PEM format certificates most commonly use the .crt extension, but in some operating systems, they may use the .pem extension. On the other hand, the .crt extension may also be used by DER format certificates. Read more about certificate formats and file extensions in the following topic: Certificate formats.

Then, skip to the next section.
For example:
```
$openssl x509 -inform der \
  -in rootCertificate.cer \
  -out /var/portnox/portnox_ca.crt
```
Note: The remaining steps in this section are for Windows desktops only.
If you’re working on a Windows desktop, double-click on the downloaded certificate file and click on the Open button in the Security warning window.
In the Certificate window, click on the Details tab and then click on the Copy to File button.
In the Certificate Export Wizard, export the certificate in base-64 encoded format.
1. In the first step of the wizard, click on the Next button.
2. In the second step of the wizard, select the Base-64 encoded X.509 (.CER) option.
3. In the third step of the wizard, select a file to save the exported certificate, and click on the Next button.
4. In the last step of the wizard, click on the Finish button. Then, close the Certificate window.
Copy the exported certificate to the Linux device.
The exported base-64 encoded file is a simple text file. If you’re running Linux in a virtual machine, you can simply copy and paste the content of the file into a relevant file in Linux.

For example, save the file as /var/portnox/portnox_ca.crt.

Configure your network connection with the Portnox Cloud certificate

In this section, you will configure NetworkManager on Linux to connect to the network managed by Portnox™ Cloud using your user certificate and private key.

Edit the NetworkManager connection file for the network to connect to.

Examples:

$sudo nano '/etc/NetworkManager/system-connections/'Wired connection
                                    1.nmconnection'

$sudo nano /etc/NetworkManager/system-connections/HOMEWORLDWIFI1.nmconnection

Add the following section to the configuration file:
```
[802-1x]
ca-cert=/path/to/radius_ca_file.crt
client-cert=/path/to/public_key.crt
eap=tls;
identity=clear@identity
private-key=/path/to/protected_private_key.pem
private-key-password=private_key_password
```
Additionally, for Wi-Fi connections:
```
[wifi-security]
key-mgmt=wpa-eap
```
1. Replace /path/to/radius_ca_file.crt with the name and location of the root CA certificate file exported in the previous step.
2. Replace /path/to/public_key.crt with the name and location of the file where you stored the user certificate for your device.
3. Replace clear@identity with the corporate email address of the user to authenticate.
4. Replace /path/to/protected_private_key.pem with the name and location of the file where you stored the password-protected private key.
5. Replace private_key_password with the private key password that you set earlier.
Example:
```
[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=/var/portnox/portnox_ca.crt
client-cert=/var/portnox/public.crt
eap=tls;
identity=kosh@vorlon.com
private-key=/var/portnox/protected.crt
private-key-password=ZSGWhozKJyQRZ9Are6mUeWhXYou9FMbtT
```
Restart NetworkManager.
```
$sudo systemctl restart NetworkManager
```

Connect to the network using NetworkManager CLI.

Examples:

$sudo nmcli connection up 'Wired connection 1'

$sudo nmcli connection up HOMEWORLDWIFI1