Configure an external Certificate Authority

You can use the cert_manage CLI command to view and configure attributes for external certificate management.

Note: The cert_manage CLI tool can only be run on a primary Lighthouse, by the root user. A Lighthouse user may use sudo to assume root permissions.

Caution:
  • Configuration of an external certificate authority (CA) is permanent. When you configure an external CA:
    • You cannot revert back to using the internal CA.
    • Certificate management fully depends on the external CA.
    • System operations may be affected if the external CA becomes unavailable.
  • Certificates issued for use by Lighthouse should have Digital Signature key usage, and MUST have no critical key usage extensions.
  • An external CA can only be configured on a Lighthouse that does not have any Opengear devices or secondary instances enrolled.

  1. SSH into Lighthouse as root.

  2. Use the --edit argument as follows to configure the external CA.

    root@lighthouse:~# cert_manage external-ca --edit
              Name [None]: <VALUE>
              Description [None]: <VALUE>
              CA URL [None]: <URL>
              SCEP Secret [None]: <VALUE>
              OCSP Responder URL [None]: <VALUE>
              OCSP Encryption Algorithm (SHA1, SHA256)[SHA1]: <VALUE>
              Certificate Subject Attributes (included in CSR for all certificates)
                       Country [None]: <VALUE>
                       State/Province [None]: <VALUE>
                       Locality [None]: <VALUE>
                       Organization [None]: <VALUE>
                       Organizational Unit [None]: <VALUE>
                       Email Address [None]: <VALUE>
    WARNING: Configuring an External Certificate Authority (CA) is permanent. Once configured:
    - You cannot revert to using the internal CA.
    - Certificate management will depend fully on the external CA.
    - System operations may be affected if the external CA becomes unavailable.
    Do you want to continue? [yes/no] <VALUE>
    Proceeding with External CA configuration...

    The following describes what to enter for each value:

    Name
        Name of the certificate authority to configure. A string with a maximum length of 64 characters.
    Description
        A description of the certificate authority. A string with a maximum length of 128 characters.
    CA URL
        The full URL that Lighthouse uses to communicate with the external CA, including any CA identification string.
    SCEP Secret
        A pre-shared secret used for all requests to the configured CA. It is stored as an encrypted string.
    OCSP Responder URL
        The optional responder URL used to check certificate status via OCSP.
    OCSP Encryption Algorithm (SHA1, SHA256) [SHA1]
        Selects the cryptographic algorithm used to sign OCSP responses.
    Certificate Subject Attributes
        These attributes are included in the CSR for all certificates. Enter the following optional attributes as required:
        • Country (must be an ISO 3166 country code)
        • State/Province
        • Locality
        • Organization
        • Organizational Unit
        • Email Address

  3. Initialize the external CA:

    root@lighthouse:~# cert_manage external-ca --init

    This command returns an error if the SCEP configuration is incorrect.

  4. If the external CA requires certificates to be manually approved, complete the manual certificate approval immediately after running cert_manage external-ca --init.

    Note: If the certificate is not approved within approximately 90 seconds, the --init command fails.
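Because the switch to an external CA cannot be undone, it is worth confirming that a certificate issued by that CA meets the key-usage requirement stated in the caution above (Digital Signature present, no critical key usage extensions). The following checker is an added example and is not part of Lighthouse or the cert_manage tool; it assumes the human-readable output of `openssl x509 -noout -text`, and the embedded certificate texts are constructed samples.

```python
import re
import subprocess

# Matches the "X509v3 Key Usage:" / "X509v3 Extended Key Usage:" header lines
# that openssl prints; the values follow on the next line.
KEY_USAGE_HEADER = re.compile(
    r"^\s*X509v3 (Key Usage|Extended Key Usage):\s*(critical)?\s*$"
)


def parse_key_usage(cert_text):
    """Map extension name -> (is_critical, [usage values]) from openssl text output."""
    lines = cert_text.splitlines()
    found = {}
    for i, line in enumerate(lines):
        m = KEY_USAGE_HEADER.match(line)
        if not m:
            continue
        name, critical = m.group(1), m.group(2) == "critical"
        values = []
        if i + 1 < len(lines):
            values = [v.strip() for v in lines[i + 1].split(",") if v.strip()]
        found[name] = (critical, values)
    return found


def check_lighthouse_usage(cert_text):
    """Return a list of problems; an empty list means the certificate complies."""
    usage = parse_key_usage(cert_text)
    problems = []
    ku = usage.get("Key Usage")
    if ku is None or "Digital Signature" not in ku[1]:
        problems.append("missing Digital Signature key usage")
    for name, (critical, _) in usage.items():
        if critical:
            problems.append(f"{name} extension is marked critical")
    return problems


def check_cert_file(path):
    """Run openssl on a PEM file and check the result (requires openssl on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         capture_output=True, text=True, check=True).stdout
    return check_lighthouse_usage(out)


# Constructed sample: compliant certificate (Digital Signature, nothing critical).
GOOD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""

# Constructed sample: non-compliant certificate (no Digital Signature, both critical).
BAD_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication
"""
```

Run `check_cert_file("/path/to/issued.pem")` against a test certificate from the CA before running `cert_manage external-ca --edit`.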