Description:

This document describes how you can create a self-signed certificate, which is required for operating certificate-based VPN connections with the LANCOM Common Criteria line of products.


Requirements:
  • Current XCA software
  • Current version of OpenSSL for Windows
  • LANCOM router from the Common Criteria product line
    • 1781A CC
    • 1781-4G CC
    • 1781A-3G CC
    • 1781A-4G CC
    • 1781EF CC
    • 7100+ CC
    • 9100+ CC


Procedure:

1) Create the certificate database:

1.1) Launch XCA and click on File -> New DataBase.



1.2) Set the path to the folder where you wish to store the database file and specify a database name. Then click on Save.



1.3) In the subsequent dialog window, specify a password for the database and then click OK.




2) Create a self-signed certificate:

2.1) Switch to the Certificate tab and click on the New certificate button.




2.2) In this example, a self-signed certificate with the serial number 1 is created. Select SHA1 as the signature algorithm.



2.3) Switch to the Subject tab, and create a private key for the certificate by clicking on the Generate a new key button.



2.4) Enter a name for the private key (e.g., LANCOM_CC). Then specify the key type and the key size. This example uses RSA with a key size of 2048 bits. Finally, click on Create.



2.5) A message is displayed to indicate the successful creation of the private key.



2.6) Enter appropriate names in the Internal name and organizationName fields.

2.7) Then click on the Add button and select the value commonName from the list in the drop-down menu on the left. Enter the name in the field on the right (here: LANCOM).

2.8) Click on the Add button again and select organizationName from the list in the drop-down menu on the left. Enter the name again in the field on the right (here: LANCOM).



2.9) Switch to the Extensions tab and select the End entity value from the Type field. Enable the Subject key identifier and Authority key identifier options in the Key identifier section.

2.10) Define the period of validity for the certificate under Validity and Time range.



2.11) This completes the configuration. Click on the OK button to save the self-signed certificate.




3) Export the certificate:

3.1) Switch to the Certificates tab and highlight the client certificate created in Step 2. Then click on the Export button.



3.2) Export the certificate to a PKCS12 file:

Enter a file name for the client certificate in the subsequent dialog window and choose PKCS12 as the export format. Then click on OK.


    Information:
    The certificate must also be saved as a PEM file, because step 4 uses it to create a PKCS12 file that contains the public key only. That file is intended for the remote VPN gateway, since it does not contain the private key.

3.3) Export the certificate to a PEM file:

Enter a file name for the client certificate in the subsequent dialog window and select PEM as the export format. Then click on OK.




4) Create a PKCS12 file that contains the public key only (no private key) from the saved PEM file:


4.1) Start OpenSSL and enter the following command at the prompt:
    openssl pkcs12 -export -out <drive letter>:\<file name>.p12 -in <drive letter>:\<file name>.crt -nokeys

    Example:

    openssl pkcs12 -export -out C:\LANCOM.p12 -in C:\LANCOM.crt -nokeys


4.2) After entering the command, you are prompted to assign a password for the PKCS12 file.


4.3) After you have assigned the password, the export of the public key to a PKCS12 file (without private key) is complete.

When you are finished, you should have two PKCS12 files: one containing the complete certificate (public and private key, created with the XCA export function) and one containing the public key only (created with OpenSSL) for the opposite side, which uses it to verify our certificate on an incoming VPN connection.
    Information on the keys and their use in a VPN connection:
    • Private key = secret key (kept private on the local device)
    • Public key = key that is handed to the opposite side
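Steps 2 to 4 carried out with the OpenSSL command line alone, as an added example (this is not from the LANCOM article, which uses the XCA GUI): it creates the key and the self-signed certificate, exports both PKCS12 files, and checks that the -nokeys file carries the certificate but no private key. It assumes openssl is on PATH; the file names and the password are constructed for the demo, and SHA-256 is used in place of the SHA1 chosen in step 2.2.

```shell
#!/bin/sh
# Added example, not part of the LANCOM article. Assumes openssl on PATH;
# directory, file names and password below are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PASS="pass:demo-password"          # constructed demo password, not for real use

# Step 2: RSA-2048 key and self-signed end-entity certificate, serial number 1,
# subject CN=LANCOM / O=LANCOM (the values the article enters in XCA).
# SHA-256 replaces the SHA1 signature the article selects.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -set_serial 1 \
        -subj "/CN=LANCOM/O=LANCOM" -addext "basicConstraints=critical,CA:FALSE" \
        -keyout "$WORKDIR/LANCOM.key" -out "$WORKDIR/LANCOM.crt" 2>/dev/null
}

# Step 3.2: PKCS12 with certificate AND private key; this one stays on the local router.
export_full_p12() {
    openssl pkcs12 -export -in "$WORKDIR/LANCOM.crt" -inkey "$WORKDIR/LANCOM.key" \
        -out "$WORKDIR/LANCOM_full.p12" -passout "$PASS"
}

# Step 4: certificate-only PKCS12 (-nokeys) for the remote VPN gateway.
export_public_p12() {
    openssl pkcs12 -export -in "$WORKDIR/LANCOM.crt" -nokeys \
        -out "$WORKDIR/LANCOM.p12" -passout "$PASS"
}

# Prints how many private keys a PKCS12 file contains (0 or 1 for these files).
count_private_keys() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Prints how many certificates a PKCS12 file contains.
count_certificates() {
    openssl pkcs12 -in "$1" -passin "$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

make_self_signed
export_full_p12
export_public_p12
echo "full p12:   $(count_private_keys "$WORKDIR/LANCOM_full.p12") private key(s)"  # 1
echo "public p12: $(count_private_keys "$WORKDIR/LANCOM.p12") private key(s)"       # 0
```

Before handing LANCOM.p12 to the remote side, run the count check on it; a file that reports one private key was exported without -nokeys and must not leave the local device.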