Using CertAccord Enterprise to Secure VPN/Network Authentication
One of the more popular uses of CertAccord Enterprise is to create X.509 certificates providing ClientAuthentication for Virtual Private Network (VPN) authentication. Many enterprises are moving from username and password based VPN authentication to X.509 certificate authentication. One of the challenges in this transition is how to create and manage certificates on Linux and Mac systems from Microsoft ADCS PKI environments. Even more challenging is managing the lifecycle of these certificates and avoiding the trap of manual certificate creation and renewal. CertAccord Enterprise can solve these problems with its ability to automatically create, renew, and centrally manage certificates on Linux, Mac, and Unix systems from Microsoft ADCS.
This process shows, at a high level, how to configure VPN provisioning to provide secure, automated certificate management. It is not specific to any VPN server product; consult your VPN server documentation for the specifics of how to implement it.
- Endpoint (Linux device, etc.) connects to the VPN server using a username/password. This can be specific to the user or a generic service account. The VPN server should be configured to restrict the endpoint's access to only the CertAccord Server and a website from which the CertAccord Agent can be downloaded.
- Endpoint downloads CertAccord Enterprise Agent, installs the agent, and registers the agent with the CertAccord Server.
- Endpoint creates a ClientAuthentication certificate from CertAccord Server. This may be done from the endpoint CLI using a command like “cmb cert create purpose=netauth” (this command requires the purpose “netauth” be preconfigured on the CertAccord Management Console).
- Endpoint disconnects from the VPN.
- Endpoint VPN client is configured to use the ClientAuthentication certificate.
- Endpoint connects to the VPN using the new ClientAuthentication certificate. The VPN server grants full access.
In this case we are assuming the following configuration:
- VPN server allows connections from a service account username/password and limits that access to the CertAccord Server and a download site for the agent
- VPN server accepts ClientAuthentication certificates for authentication and grants full network access upon successful authentication
- CertAccord Server is configured with a Certificate Purpose of “netauth” (example name only) which creates ClientAuthentication certificates
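A pre-flight check a practitioner would want between creating the certificate and reconfiguring the VPN client, added here as an example and not part of CertAccord Enterprise or its agent: it assumes the ClientAuthentication certificate is available as a PEM file and that the ADCS chain the VPN server trusts is available as a PEM bundle (both paths supplied by the caller; `check_client_cert` is a hypothetical name), and confirms the certificate chains to that CA, explicitly carries the Client Authentication EKU, and will not expire within a configurable window.

```shell
#!/bin/sh
# Pre-flight check for the ClientAuthentication certificate created by the agent,
# run before the endpoint's VPN client is switched over to it.
# Added example, not CertAccord's own tooling. Assumes the certificate is PEM and
# that the ADCS chain the VPN server trusts is available as a PEM bundle.

# check_client_cert CERT_PEM CA_BUNDLE_PEM [MIN_DAYS]
# Returns 0 only if CERT_PEM chains to CA_BUNDLE_PEM, carries the Client
# Authentication EKU, and stays valid for at least MIN_DAYS (default 7).
check_client_cert() {
    cert="$1"
    ca_bundle="$2"
    min_days="${3:-7}"

    # 1. Chain: the VPN server only accepts certificates issued by its trusted CA.
    #    -purpose sslclient also rejects certificates whose EKU excludes clientAuth.
    if ! openssl verify -CAfile "$ca_bundle" -purpose sslclient "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca_bundle or is not usable for client auth" >&2
        return 1
    fi

    # 2. EKU: require the Client Authentication EKU to be present explicitly,
    #    rather than accepting a certificate that has no EKU at all.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert does not carry the Client Authentication EKU" >&2
        return 1
    fi

    # 3. Lifetime: do not switch the VPN client to a certificate about to expire;
    #    -checkend exits non-zero if the certificate expires within the window.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days; renew before switching the VPN client" >&2
        return 1
    fi

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
    return 0
}

# Standalone usage: check_client_cert.sh /path/to/client.pem /path/to/adcs-chain.pem [days]
if [ "$#" -ge 2 ]; then
    check_client_cert "$@"
fi
```

If the check fails, leave the VPN client on its current credentials and recreate or renew the certificate rather than switching to one the VPN server will reject.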
The process outlined here should allow secure VPN access using automated management of certificates on Linux and Mac endpoints. Using CertAccord Enterprise to implement this solution also provides automated renewal of endpoint certificates as well as centralized management of policies and settings.