Onboard devices using your own root certificate authority

In this topic, you will learn how to onboard devices using device certificates signed by your own root certificate authority.

If you have your own certificate authority (CA) that you use to sign device and user certificates, you can use this CA with Portnox Cloud.

Upload your CA certificate

In this section, you will upload your own tenant CA certificate and any intermediate CA certificates to Portnox™ Cloud. This will let Cloud recognize and authenticate your devices that have user/device certificates, which you generated using your own root CA.

Important:

If you sign your user/device certificates using intermediate CAs, you must add all certificates in the certification path to Portnox Cloud. Otherwise, it would be impossible for Cloud to validate the user/device certificates. If so, follow the procedure below for your own root CA certificate and then repeat it for every intermediate CA certificate, or import a PKCS#7 certificate with all the certificates in the certification path.

Before you begin, make sure that you have your certificate file in the X.509 DER encoded binary format (usually with a .pem or .cer extension), the PKCS#12 format (usually with a .pfx extension), or the PKCS#7 format (usually with a .p7b extension).

Open the Portnox Cloud portal.
In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Trusted Root Certificates option.
In the Trusted Root Certificates section, click on the Upload trusted root certificate generated by “Your organization” link. Then, select the certificate file using the ↥ button and click on the Save button to upload the file.

Allow certificates for agentless devices

In this section, you will turn on the option that lets you onboard agentless devices using device certificates. This will let Portnox Cloud automatically create accounts for new devices, not associating them with any users.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Agentless auto-onboarding with certificates option.
In the Agentless auto-onboarding with certificates section, click on the Edit link. Then, select the Allow auto-onboarding with certificates checkbox.
1. In the Group to associate accounts to, select the Portnox Cloud group for all new device accounts.
2. Optional: Select the Use computer name as account name from FQDN in certificate’s SAN checkbox.
  
  If this setting is turned on, the name of the account created in Portnox Cloud for the new device will be based on the FQDN of that device, taken from the certificate’s Subject Alternative Name (SAN) extension. If this setting is turned off or there is no FQDN in SAN, Cloud will generate a unique name for the account.

Generate a certificate

In this section, you will generate a certificate for your device and sign it using the private key paired with your root CA certificate.

Prerequisites: You must have your own certificate authority (CA) configured.

Note:

You can use user certificates and/or device certificates, depending on your Portnox Cloud configuration and business requirements. This example shows device certificates, but the process is the same for user certificates, the only difference being the content of the Subject or SAN fields.

Note:

You can also sign your user/device certificates using intermediate CAs instead of your own root CA, but if you do that, remember to add their certificates to Portnox Cloud in the previous step.

Follow the procedure specific to your operating system and your CA software. The following is an example of how you can generate a device certificate using OpenSSL.

Generate the device key and the certificate signing request (CSR)

$openssl genpkey -algorithm RSA -out mail_server.key
$openssl req -new -key mail_server.key \
  -out mail_server.csr \
  -subj "/C=Homeworld/L=Capital/O=Council/OU=Naranek/CN=mailserver.vorlon.com" \
  -addext "subjectAltName = DNS:mailserver.vorlon.com"

Sign the CSR using your CA

$ openssl x509 -req -in mail_server.csr \
  -CA Vorlon.crt -CAkey Vorlon.key \
  -CAcreateserial -out mail_server.crt -days 365 -sha256

Important:

Portnox Cloud will authenticate devices only if the certificate has correct information in the Subject and Subject Alternative Name (SAN) fields. You have the following options to supply such information when generating certificates using your own CA:

The User Principal Name (UPN) of the device must be present in the SAN field in the following format: machine_name$@domain.ext.

For example:

$openssl req -new -key mail_server.key \
  -out mail_server.csr \
  -subj "/C=Homeworld/L=Capital/O=Council/OU=Naranek/CN=mailserver" \
  -addext "subjectAltName = email:mailserver$@vorlon.com"

The Fully Qualified Domain Name (FQDN) of the device must be present in both the Subject and the SAN fields, and you must select the option Use computer name as account name from FQDN in certificate’s SAN explained above.
For example:
```
$openssl req -new -key mail_server.key \
  -out mail_server.csr \
  -subj "/C=Homeworld/L=Capital/O=Council/OU=Naranek/CN=mailserver.vorlon.com" \
  -addext "subjectAltName = DNS:mailserver.vorlon.com"
```

Optional: Allow AgentP to use your own certificates

In this section, you will configure a specific Portnox™ Cloud group, so that AgentP can use your own certificates instead of default certificates generated by Cloud.

Important:

If you want to use device certificates, they must have the following information, so that Portnox Cloud can correctly align the certificate with the account created for the device:

The Subject Alternative Name (SAN) of the certificate must contain the UPN of the device, for example, sigma957@vorlon.com, or
The Subject of the certificate must contain the FQDN of the device, for example, sigma957.vorlon.com.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand side menu, click on the Services > GENERAL SETTINGS > Set AgentP configurations option.
Enable custom certificate support in AgentP:
1. Click on the Edit link.
2. Activate the Enable authentication with custom certificates checkbox.
3. Click on the Save button.
In the Cloud portal top menu, click on the Groups option.
Click on the ⋮ icon on the right-hand side of the selected group name and select the Group settings option from the pop-up menu to begin the process of editing the selected group.
Scroll down to the Authentication certificate section, and select the Issued by custom trusted root certificate option. Then, in the drop-down menu field that appears, select your custom root certificate.

Important:
If you sign your user/device certificates using an intermediate CA, you can select either your intermediate CA or your root CA here. However, if you sign your user/device certificates using several intermediate CAs under the same root, you must select your root CA here.
To save your group settings, click on the Save button on the bottom right of the page.

Note:

This configuration is set at the group level, so if you want users in other groups to use AgentP with your own certificates, you’ll need to perform this procedure separately for each of those groups.

Connect the device to the network

In this section, you will configure the network connection for the device.

Follow the procedure specific to your operating system, skipping the steps for obtaining the certificate:

Important:

When you configure your network connections and the guide asks you to select the DigiCert Trusted Root G4 certificate, do not substitute that step with your own root CA. You must always select the DigiCert Trusted Root G4 certificate when asked to do it, even if you use your own root CA. This is because this is a trust certificate, which is used by your devices to validate the Portnox RADIUS server, not by the Portnox Cloud to validate your devices. For more explanation, see the following topic: Types of certificates.