Onboard devices using your own root certificate authority

In this topic, you will learn how to onboard devices using device certificates signed by your own root certificate authority.

If you have your own certificate authority (CA) that you use to sign device and user certificates, you can use this CA with Portnox Cloud.

Upload your CA certificate

In this section, you will upload your own tenant CA certificate to Portnox™ Cloud. This will let Cloud recognize and authenticate your devices that have device certificates, which you generated using your own root CA.

Before you begin, make sure that you have your certificate file in the X.509 DER encoded binary format (usually with a .pem or .cer extension) or the PKCS#12 format (usually with a .pfx extension).

  1. Open the Portnox Cloud portal.
  2. In the Cloud portal top menu, click on the Settings option.

  3. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  4. Scroll down to the TRUSTED ROOT CERTIFICATES section and click on the Upload trusted root certificate generated by “Your organization” link. Then, select the certificate file using the ↥ button and click on the Save button to upload the file.

Allow certificates for agentless devices

In this section, you will turn on the option that lets you onboard agentless devices using device certificates. This will let Portnox Cloud automatically create accounts for new devices, not associating them with any users.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the CLEAR GENERAL SETTINGS heading.

    More options appear under the CLEAR GENERAL SETTINGS heading and description.

  3. Scroll down to the AGENTLESS AUTO-ONBOARDING WITH CERTIFICATES section and click on the Edit link. Then, select the Allow auto-onboarding with certificates checkbox.

  4. Optional: Select the Use computer name as account name from FQDN in certificate’s SAN checkbox.

    If this setting is turned on, the name of the account created in Portnox Cloud for the new device will be based on the FQDN of that device, taken from the certificate’s Subject Alternative Name (SAN) extension. If this setting is turned off or there is no FQDN in SAN, Cloud will generate a unique name for the account.

    If you select this option, in the Group to associate accounts to, select the Portnox Cloud group for all new device accounts.

Generate a certificate

In this section, you will generate a certificate for your device and sign it using the private key paired with your root CA certificate.

Prerequisites: You must have your own certificate authority (CA) configured.

Note: You can use user certificates and/or device certificates, depending on your Portnox Cloud configuration and business requirements.

Follow the procedure specific to your operating system and your CA software. The following is an example of how you can generate a device certificate using OpenSSL.

  1. Generate the device key and the certificate signing request (CSR)
    $ openssl genpkey -algorithm RSA -out mail_server.key
    $ openssl req -new -key mail_server.key \
      -out mail_server.csr \
      -subj "/C=HW/L=Capital/O=Council/OU=Naranek/CN=mailserver.vorlon.com" \
      -addext "subjectAltName = DNS:mailserver.vorlon.com"

    OpenSSL accepts only a two-letter country code in the C field, so the fictional Homeworld is abbreviated to HW in these examples.

  2. Sign the CSR using your CA
    $ openssl x509 -req -in mail_server.csr \
      -CA Vorlon.crt -CAkey Vorlon.key \
      -CAcreateserial -copy_extensions copy \
      -out mail_server.crt -days 365 -sha256

    The -copy_extensions copy option (OpenSSL 3.0 and later) carries the SAN from the CSR into the signed certificate. Without it, openssl x509 -req silently drops the extension and Portnox Cloud cannot read the FQDN or UPN from the certificate; on OpenSSL 1.1.1, supply the SAN again with -extfile instead.

Important: Portnox Cloud will authenticate devices only if the certificate has correct information in the Subject and Subject Alternative Name (SAN) fields. You have the following options to supply such information when generating certificates using your own CA:
  1. The User Principal Name (UPN) of the device must be present in the SAN field in the following format: machine_name$@domain.ext.

    For example:
    $ openssl req -new -key mail_server.key \
      -out mail_server.csr \
      -subj '/C=HW/L=Capital/O=Council/OU=Naranek/CN=mailserver' \
      -addext 'subjectAltName = email:mailserver\$@vorlon.com'

    Use single quotes so the shell does not expand $@, and escape the dollar sign as \$ because OpenSSL's configuration parser otherwise treats $ as a variable reference.
  2. The Fully Qualified Domain Name (FQDN) of the device must be present in both the Subject and the SAN fields, and you must select the option Use computer name as account name from FQDN in certificate’s SAN explained above.

    For example:
    $ openssl req -new -key mail_server.key \
      -out mail_server.csr \
      -subj "/C=HW/L=Capital/O=Council/OU=Naranek/CN=mailserver.vorlon.com" \
      -addext "subjectAltName = DNS:mailserver.vorlon.com"
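The whole flow of this section end to end, as an added example that is not part of the Portnox documentation: it builds a throwaway root CA, issues a device certificate whose SAN carries both the FQDN and the UPN-style name, and then checks what actually landed in the signed certificate. The CA name Vorlon, the two-letter C=HW code and the .ext file names are assumptions made for the example.

```shell
# Added example, not from the Portnox documentation: build a throwaway root CA,
# issue a device certificate whose SAN really carries the FQDN and the UPN-style
# name, and check the result as Portnox Cloud reads it. Assumptions: the CA name
# Vorlon, the C=HW code and the .ext file names are made up for this example.
set -eu

# $1 = working dir; creates Vorlon.key/.crt (root CA) and mail_server.key/.crt.
issue_device_cert() {
  d=$1
  # Root CA, self-signed via x509 -req so its extensions come from our own file.
  openssl genpkey -algorithm RSA -out "$d/Vorlon.key" 2>/dev/null
  openssl req -new -key "$d/Vorlon.key" -out "$d/Vorlon.csr" \
    -subj '/C=HW/O=Council/CN=Vorlon Root CA'
  printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$d/ca.ext"
  openssl x509 -req -in "$d/Vorlon.csr" -signkey "$d/Vorlon.key" -days 3650 \
    -sha256 -extfile "$d/ca.ext" -out "$d/Vorlon.crt"

  # Device key and CSR. Single quotes stop the shell from expanding $@, and the
  # backslash is for OpenSSL's config parser, which treats a bare $ as a variable.
  openssl genpkey -algorithm RSA -out "$d/mail_server.key" 2>/dev/null
  openssl req -new -key "$d/mail_server.key" -out "$d/mail_server.csr" \
    -subj '/C=HW/L=Capital/O=Council/OU=Naranek/CN=mailserver.vorlon.com' \
    -addext 'subjectAltName = DNS:mailserver.vorlon.com, email:mailserver\$@vorlon.com'

  # "openssl x509 -req" does not copy CSR extensions, so a bare signing command
  # drops the SAN and Portnox never sees the FQDN or UPN. Re-supplying it via
  # -extfile works on OpenSSL 1.1.1 and 3.x; clientAuth is the usual EAP-TLS EKU.
  printf '%s\n' 'subjectAltName = DNS:mailserver.vorlon.com, email:mailserver\$@vorlon.com' \
    'extendedKeyUsage = clientAuth' > "$d/device.ext"
  openssl x509 -req -in "$d/mail_server.csr" -CA "$d/Vorlon.crt" \
    -CAkey "$d/Vorlon.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$d/device.ext" -out "$d/mail_server.crt"
}

# Prints the SAN values of a certificate (the line Portnox reads for FQDN/UPN).
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | sed 's/^ *//'
}

# Succeeds only if the device cert chains to the CA and its SAN carries the FQDN.
check_device_cert() {
  openssl verify -CAfile "$1/Vorlon.crt" "$1/mail_server.crt" >/dev/null &&
    cert_san "$1/mail_server.crt" | grep -Fq 'DNS:mailserver.vorlon.com'
}

work=$(mktemp -d)
issue_device_cert "$work" 2>/dev/null
check_device_cert "$work" && echo "issued OK, SAN: $(cert_san "$work/mail_server.crt")"
```

Running it prints the SAN line of the issued certificate, which should list both the DNS name and the email form of the UPN; if either is missing, Portnox Cloud will not be able to match the certificate to a device account.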

Optional: Allow AgentP to use your own certificates

In this section, you will configure a specific Portnox™ Cloud group, so that AgentP can use your own certificates instead of default certificates generated by Cloud.

Important: This feature is not supported by default for your tenant. Before you begin, contact us at support@portnox.com and ask to configure your tenant to support this feature.

Important: If you want to use device certificates, they must have the following information, so that Portnox Cloud can correctly align the certificate with the account created for the device:
  • The Subject Alternative Name (SAN) of the certificate must contain the UPN of the device, for example, sigma957@vorlon.com, or

  • The Subject of the certificate must contain the FQDN of the device, for example, sigma957.vorlon.com.

  1. In the Cloud portal top menu, click on the Groups option.

  2. Click on the ⋮ icon on the right-hand side of the selected group name and select the Group settings option from the pop-up menu to begin the process of editing the selected group.

  3. Scroll down to the Authentication certificate section, and select the Issued by custom trusted root certificate option. Then, in the drop-down menu field that appears, select your custom root certificate.

  4. To save your group settings, click on the Save button on the bottom right of the page.

Note: This configuration is set at the group level, so if you want users in other groups to use AgentP with your own certificates, you’ll need to perform this procedure separately for each of those groups.