Westermo RedFox Series User Manual

Page 843


Westermo OS Management Guide

Version 4.17.0-0

for the SSL tunnel.

36.1.4.1 Authentication of SSL users

WeOS units primarily rely on certificates for authentication of Alice and Bob. In
addition, the server (Alice) can require Bob to provide a username and password,
which she can match against a local database or a backend authentication
(RADIUS) server (see Charlie in figs. 36.1 and 36.2).

Alice and Bob need to upload their respective certificate and private key, as well
as the certificate of a CA they trust. Typically, a simple PKI model is used where Alice
and Bob have their certificates issued by the same Certificate Authority (CA), see
fig. 36.3.

[Figure 36.3 diagram; labels: CA, A, B, Alice, Bob, Trusted CAs]

Figure 36.3: Alice and Bob have certificates issued by the same CA (e.g., their
company CA). In this PKI model, Alice uploads the certificate of her CA, and trusts
any certificate issued by that CA.

To generate certificates and private keys for Alice and Bob, you can, e.g., use the
Easy-RSA tools provided by OpenVPN [3]. The easiest way to upload certificates and
keys to your WeOS unit(s) is via the WeOS web, see chapter 7.2.6 for more
information. An example of the alternative, using the CLI to download a
PKCS bundle (including Alice's certificate, private key and CA certificate), is shown
below.
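The same-CA model of fig. 36.3, as an added example that is not from the manual and is not the WeOS CLI example referred to above. It uses the plain `openssl` command line in place of Easy-RSA; the names `company-ca`, `other-ca`, `alice`, `bob` and `mallory`, the passphrase, the key sizes and lifetimes, and the choice of PKCS#12 as the bundle format are assumptions.

```shell
#!/bin/sh
# Same-CA PKI model: one CA issues Alice's (server) and Bob's (client) certificates.
# Names and passphrase are constructed placeholders, not values from the manual.

make_ca() {   # make_ca DIR NAME: self-signed CA key and certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue() {     # issue DIR CA NAME EKU: key and certificate for NAME, signed by CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" >"$1/$3.ext" &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 365 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

trusted() {   # trusted DIR CA NAME: true only if NAME's certificate chains to CA
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

bundle() {    # bundle DIR CA NAME PASS: PKCS#12 with certificate, key and CA cert
    openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" \
        -certfile "$1/$2.crt" -passout "pass:$4" -out "$1/$3.p12"
}

demo() {      # prints the number of certificates inside Alice's bundle
    d=$(mktemp -d) || return 1
    make_ca "$d" company-ca && make_ca "$d" other-ca &&
    issue "$d" company-ca alice serverAuth &&
    issue "$d" company-ca bob clientAuth &&
    issue "$d" other-ca mallory clientAuth &&
    trusted "$d" company-ca alice && trusted "$d" company-ca bob &&
    ! trusted "$d" company-ca mallory &&   # issued by another CA: must be rejected
    bundle "$d" company-ca alice example-pass &&
    n=$(openssl pkcs12 -in "$d/alice.p12" -passin pass:example-pass -nokeys \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE')
    rc=$?
    rm -rf "$d"   # removes the unencrypted (-nodes) demo keys
    [ "$rc" -eq 0 ] && echo "$n"
}
```

Calling `demo` prints the certificate count of Alice's bundle (her own certificate plus the CA certificate) and fails if either same-CA certificate does not verify or if the certificate from the other CA is accepted.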

[3] OpenVPN home page, http://openvpn.net (March 2014).

© 2015 Westermo Teleindustri AB
