Site2Cloud Certificate-Based Authentication

If you want to use certificate-based authentication when establishing a Site2Cloud (external) connection between your Aviatrix gateways, or between an Aviatrix gateway and an external device, you use the CA Certificate tab to:

  • Add external device CA certificates

  • Download the Aviatrix gateway CA certificate so that you can provide it to the external device

The external device CA certificates must be available before you configure the Site2Cloud (external) connection.

On the external device side, you:

  • Obtain the IPsec VPN gateway device certificate

  • Export the Trusted Root CA certificate for use in the Site2Cloud configuration

  • Import the Aviatrix CA certificate (downloaded from the CA Certificate tab)

  • Use the information in the downloaded Site2Cloud configuration file to configure your tunnels/interfaces

On the Aviatrix side, you:

  • Configure the Site2Cloud connection

    • Select the remote certificate (generated from the external device) when prompted

    • Enter the remote identifier when prompted (depends on the external device; typically the Remote Identifier is the value of the common name or subject field in the VPN gateway device certificate)

  • Export the Aviatrix CA certificate

  • Download the Site2Cloud configuration you just created, to use when configuring tunnels/interfaces on your external device

Currently only the Palo Alto VM-Series firewall is supported as an external device.

For information on using certificate-based authentication between two Aviatrix gateways, see Aviatrix Gateway to Aviatrix Gateway.

Adding a CA Certificate

After you obtain the CA certificate from your external device, you must upload it on the CA Certificate tab before creating your Site2Cloud (external) connection.

  1. In CoPilot, navigate to Networking > Connectivity > Certificates.

  2. Click +Certificate.

  3. In the Add Certificate dialog, enter a unique name for the certificate.

  4. Select the CA certificate to upload.

  5. Click Save.

If you have received an email notification that a CA certificate is about to expire, or a certificate is showing as Invalid in the CA Certificate list, use the procedure above to add the new certificate. You must then delete the expired certificate.

You cannot switch to another certificate after the Site2Cloud connection has been created.

Downloading the Aviatrix CA Certificate

You must download the Aviatrix CA certificate and upload it to your external device (or Aviatrix gateway) for the Site2Cloud connection to work.

  1. In CoPilot, navigate to Networking > Connectivity > Certificates.

  2. Click Download Aviatrix CA Certificate.

Deleting a Certificate

You must delete a certificate if it has expired. Expired certificates show as Invalid in the CA Certificate table.

Do not delete a certificate while it is in use; doing so brings down the Site2Cloud connection.

Only admin users can delete certificates.

  1. Navigate to Networking > Connectivity > Certificates.

  2. Click the Delete icon next to the certificate you want to delete.

  3. (optional) On the Networking > Connectivity > External Connections (S2C) tab:

    1. Select the appropriate gateway and then select Connectivity Diagnostics from the vertical ellipsis menu.

    2. In the Connectivity Diagnostics Tools dialog, select IPsec Service and then click Run. This removes the deleted certificate from the gateway cache.

Limitations

  • Only the Palo Alto VM-Series firewall is supported in this version of Site2Cloud cert-based authentication.

  • Only the Elliptic Curve DSA (ECDSA) algorithm with 256-bit keys is supported in this version.

  • Only the PEM certificate file type is supported in this version.

  • You can only use one certificate group (all the certificates with the same tag name) per Site2Cloud connection.

  • You can only roll back the platform version if the previous version supports certificate-based authentication (not supported prior to 6.8).

  • The Aviatrix UserVPN® feature cannot be used in conjunction with Site2Cloud certificate-based authentication.
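Before uploading a CA certificate on the CA Certificate tab, it is worth checking offline that the file meets the limits listed above (PEM file type, ECDSA 256-bit) and that it is not already in the state CoPilot reports as Invalid, and at the same time reading off the subject / common name that is typically entered as the Remote Identifier. The following Go program is an added example written for this page; it is not Aviatrix or Palo Alto code. It assumes that "256-bit ECDSA" means the P-256 curve, and the certificates it checks are constructed in-process as stand-ins for the Trusted Root CA exported from the external device (the names `vpn-gw-root-ca.example.test` and `Example Lab` are made up).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckResult is what an operator needs before the upload: the subject and
// common name (the usual Remote Identifier value) and the expiry date after
// which CoPilot will list the certificate as Invalid.
type CheckResult struct {
	Subject    string
	CommonName string
	NotAfter   time.Time
}

// CheckCACertPEM applies the documented limits (PEM, ECDSA 256-bit; P-256 is
// assumed) plus two checks any CA upload should pass: the CA basic constraint
// is set and the validity window covers 'now'. 'now' is a parameter so the
// expiry path can be exercised deterministically.
func CheckCACertPEM(pemBytes []byte, now time.Time) (*CheckResult, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block (only PEM is supported)")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("certificate does not parse: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("public key type %T is not ECDSA (only ECDSA 256-bit is supported)", cert.PublicKey)
	}
	if pub.Curve != elliptic.P256() {
		return nil, fmt.Errorf("ECDSA curve %s is not the 256-bit curve", pub.Curve.Params().Name)
	}
	if !cert.IsCA {
		return nil, errors.New("no CA basic constraint: export the Trusted Root CA, not the device certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("validity %s to %s does not cover now; CoPilot lists such a certificate as Invalid",
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return &CheckResult{Subject: cert.Subject.String(), CommonName: cert.Subject.CommonName, NotAfter: cert.NotAfter}, nil
}

// selfSignedCAPEM builds a constructed self-signed CA for the given key and
// validity window (sample data standing in for the device's Trusted Root CA).
func selfSignedCAPEM(key crypto.Signer, notBefore, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vpn-gw-root-ca.example.test", Organization: []string{"Example Lab"}},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleECDSACAPEM returns a constructed P-256 CA; expired=true moves the
// validity window into the past to reproduce the Invalid case.
func SampleECDSACAPEM(now time.Time, expired bool) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if expired {
		return selfSignedCAPEM(key, now.Add(-2*365*24*time.Hour), now.Add(-24*time.Hour))
	}
	return selfSignedCAPEM(key, now.Add(-time.Hour), now.Add(365*24*time.Hour))
}

// SampleRSACAPEM returns a constructed RSA CA, which the checker must reject.
func SampleRSACAPEM(now time.Time) []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return selfSignedCAPEM(key, now.Add(-time.Hour), now.Add(365*24*time.Hour))
}

func main() {
	now := time.Now()
	cases := map[string][]byte{
		"valid P-256 CA":   SampleECDSACAPEM(now, false),
		"expired P-256 CA": SampleECDSACAPEM(now, true),
		"RSA CA":           SampleRSACAPEM(now),
		"not PEM":          []byte("garbage"),
	}
	for name, pemBytes := range cases {
		if res, err := CheckCACertPEM(pemBytes, now); err != nil {
			fmt.Printf("%-18s REJECT: %v\n", name, err)
		} else {
			fmt.Printf("%-18s OK: Remote Identifier %q, expires %s\n", name, res.CommonName, res.NotAfter.Format("2006-01-02"))
		}
	}
}
```

To check a real export, read the file from the external device into `pemBytes` and call `CheckCACertPEM` with `time.Now()`; the `CommonName` it returns is the value to try first as the Remote Identifier, and `NotAfter` is the date to put in your renewal calendar so the certificate can be replaced (add the new one, then delete the old one) before CoPilot marks it Invalid.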