Configure an External Certificate Authority in the UI

Note: You can also configure an external CA in the CLI.

Caution:
  • Configuration of an external certificate authority (CA) is permanent. When you configure an external CA:
    • You cannot revert back to using the internal CA.
    • Certificate management fully depends on the external CA.
    • System operations may be affected if the external CA becomes unavailable.
  • Certificates issued for use by Lighthouse should have Digital Signature key usage and MUST have no critical key usage extensions.
  • An external CA can only be configured on a Lighthouse that does not have any Opengear devices or secondary instances enrolled.

  1. In the Settings Pane, select SECURITY > External Certificate Authority.

    Note: If the Lighthouse already has enrolled nodes or configured instances, a dialog displays when you click this to inform you that you cannot configure an external CA on this Lighthouse.

    The EXTERNAL CERTIFICATE AUTHORITY page displays.
    If there is no external certificate authority (CA) configured, a warning displays at the top of the page.

  2. Click Configure External Certificate Authority.
    The CONFIGURE EXTERNAL CERTIFICATE AUTHORITY dialog displays.

  3. Enter a Name for the CA.

  4. Enter a Description for the CA.

  5. Enter a CA URL for Lighthouse to use to communicate with the certificate authority.

  6. Enter the SCEP Secret to use for all requests to the configured CA.

  7. Optional: Enter an OCSP Responder URL to use to check certificate status using OCSP.

  8. From the drop-down, select the OCSP Algorithm to use to sign OCSP responses.

  9. Optional: Select whether Configure Certificate Subject Attributes is:

    • Disabled, continue to step 11.

    • Enabled, continue to step 10.

  10. Optional: If Configure Certificate Subject Attributes is Enabled, update the following as required:

    1. From the drop-down, select the Country for the CA.

    2. Enter the State/Province for the CA.

    3. Enter the Locality for the CA.

    4. Enter the Organization for the CA.

    5. Enter the Organizational Unit for the CA.

    6. Enter the Email Address for the CA.

  11. Click Save Configuration.
    The CONFIRM EXTERNAL CERTIFICATE AUTHORITY CONFIGURATION dialog displays.

  12. Type yes to confirm.

  13. Click Confirm.
    The dialog closes and the EXTERNAL CERTIFICATE AUTHORITY page displays.

  14. Click Initialize External Certificate Authority.

    Note: If any new nodes are enrolled between configuration and initialization, a warning displays and the Initialize button is disabled. It is recommended that you unenroll those nodes before initializing.

    The INITIALIZE EXTERNAL CERTIFICATE AUTHORITY dialog displays.

  15. When complete, click Done to finish or View Logs to view the external CA logs.
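The caution above requires that certificates issued for Lighthouse carry Digital Signature key usage and have no critical key usage extensions. The following script is an added example (not part of the Opengear documentation or product) that checks a PEM certificate against those two requirements using the openssl CLI; it assumes openssl 1.1.1 or later and, for offline demonstration only, generates constructed self-signed certificates with `-addext` rather than using certificates from a real external CA.

```shell
#!/bin/sh
# Check a certificate against the Lighthouse external-CA requirements:
#   1. Key Usage must include Digital Signature.
#   2. Neither Key Usage nor Extended Key Usage may be marked critical.
# Requires the openssl CLI; parses the human-readable `openssl x509 -text` output.

check_lighthouse_cert() {
  # $1 = path to a PEM certificate. Exit status 0 = acceptable, 1 = not acceptable.
  openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
    /X509v3 Key Usage:/ {
      if ($0 ~ /critical/) crit = 1
      getline                              # the usage values are on the next line
      if ($0 ~ /Digital Signature/) ds = 1
    }
    /X509v3 Extended Key Usage:/ { if ($0 ~ /critical/) crit = 1 }
    END { if (ds && !crit) exit 0; exit 1 }'
}

make_sample_cert() {
  # $1 = output PEM path, $2 = keyUsage extension value to embed.
  # Constructed, self-signed test certificate so the check can run offline;
  # not a certificate issued by any external CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=constructed-lighthouse-test" -addext "keyUsage=$2" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demonstration: one compliant certificate, one with a critical Key Usage extension.
tmp=$(mktemp -d)
make_sample_cert "$tmp/good.pem" "digitalSignature,keyEncipherment"
make_sample_cert "$tmp/bad.pem"  "critical,digitalSignature"
for c in good bad; do
  if check_lighthouse_cert "$tmp/$c.pem"; then
    echo "$c.pem: acceptable for Lighthouse"
  else
    echo "$c.pem: NOT acceptable (Digital Signature missing or key usage marked critical)"
  fi
done
rm -rf "$tmp"
```

Run it against the certificate the external CA issued for Lighthouse (or any node certificate) before initializing, so a misconfigured CA profile is caught before the irreversible cut-over.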