This tutorial explains how to configure ZoneBuilder using your own CA-signed certificates. Doing so lets an admin control how the certificates are shared and distributed, and it is required if you want your SafeConsole Ready devices to be shared without the device password being known. The OpenSSL Windows binary attached to this article needs to be downloaded and extracted before following along.
To use your own certificates with the ZoneBuilder feature of SafeConsole you need to upload your CA public key to SafeConsole. If you do not have one, you can create one with OpenSSL using the following commands.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -sha256 -config openssl.cnf -days 3650 -key ca.key -out ca.crt
*The location of the openssl.cnf file depends on your system; one is usually included with the OpenSSL install. Changes to the config file are optional.
1) Choose the correct domain for which you want to enable ZoneBuilder. Please see this KB article for more information on selecting the right domain.
2) Go to the ZoneBuilder tab
3) Select View Certificates
You can then add a new certificate. The certificate must be either a PKCS12 file or an X509 certificate. An X509 certificate must be either DER or Base64 encoded. Enter the password if applicable to the certificate. After the certificate is uploaded, select it from the dropdown menu.
You will now have to generate client certificates and push them out. The client certificate requires the following key usage: Digital Signature, Key Encipherment, Data Encipherment, and Key Agreement.
One way to generate these client certificates is with the following OpenSSL commands:
openssl genrsa -out client.key 2048
openssl req -new -sha256 -config openssl.cnf -key client.key -out client.csr
openssl x509 -req -sha256 -days 1826 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -chain -CAfile ca.crt
*Every certificate issued by the same CA must have a unique serial number, so change the value given to -set_serial (or replace it with -CAcreateserial) each time you issue another client certificate. As written, the x509 step adds no key usage extension; to set the usages listed above explicitly, pass -extfile with a file containing keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyAgreement.
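As an added example (not from the original article or from SafeConsole itself), the POSIX shell script below performs the CA and client certificate steps above non-interactively, issues the client certificate with the four key usages the article lists, bundles it into a PKCS12 file and checks the result. It assumes openssl is on PATH; the output directory, subject names and PKCS12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Assumes `openssl` is on PATH.
# Output directory, subject names and the PKCS12 password are constructed values.
set -e

# Create ca.key/ca.crt plus one client key, CSR, certificate and PKCS12 bundle.
make_zone_certs() {
  dir="$1"    # directory the files are written to
  team="$2"   # used as the client certificate CN (one certificate per team)
  mkdir -p "$dir"
  # The four key usages SafeConsole expects, written as an x509 extension file.
  printf '%s\n' \
    'keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement' \
    'basicConstraints = CA:FALSE' > "$dir/client.ext"
  # CA key and self-signed CA certificate (10 years); subject given inline.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
    -subj "/CN=Example ZoneBuilder CA" -out "$dir/ca.crt"
  # Client key and CSR, then sign it with the CA. -CAcreateserial gives each
  # issued certificate a unique serial instead of the hard-coded 01.
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/client.key" -subj "/CN=$team" -out "$dir/client.csr"
  openssl x509 -req -sha256 -days 1826 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/client.crt" 2>/dev/null
  # Bundle key, certificate and CA into the PKCS12 file that SafeConsole accepts.
  openssl pkcs12 -export -out "$dir/client.p12" -inkey "$dir/client.key" \
    -in "$dir/client.crt" -certfile "$dir/ca.crt" -passout pass:changeit
}

# Returns 0 only if client.crt chains to ca.crt and carries all four key usages.
check_zone_certs() {
  dir="$1"
  openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$dir/client.crt" -noout -text)
  for u in 'Digital Signature' 'Key Encipherment' 'Data Encipherment' 'Key Agreement'; do
    case "$text" in *"$u"*) ;; *) return 1 ;; esac
  done
  return 0
}
```

Run make_zone_certs once per team that should share devices, then install the resulting client.p12 on each of that team's computers.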
Here is a video walk-through of enabling ZoneBuilder and creating certificates with OpenSSL.
You will need to install these certificates on the clients' machines. If you would like to share devices within a team, everyone on that team should have the same client certificate. The number of client certificates you generate, and how they are shared with your clients, depends on how you want to share devices. See this article for an example of how to share the client certificate.
Share devices without using the password: installing the same client certificate on multiple computers lets the certificate be trusted once; you can then take the device to any computer that has that certificate and unlock it without the password. Check box 3) and optionally 4) to enable this.
Enable two-factor authentication by requiring both the device password and the certificate installed on the client's computer when the device is used offline: enable "Only allow device usage on computer linked within your Trusted Zone", check box 1) and uncheck box 2).
Create a temporary, time-limited certificate to control how long a client can use the device.