Westermo RedFox Series User Manual
Page 843

Westermo OS Management Guide
Version 4.17.0-0
for the SSL tunnel.
36.1.4.1 Authentication of SSL users
WeOS units primarily rely on certificates for authentication of Alice and Bob. In
addition, the server (Alice) can require Bob to provide a username and password,
which she can match against a local database or against a backend authentication
(RADIUS) server (see Charlie in
and
Alice and Bob need to upload their respective certificates and private keys, as well
as the certificate of a CA they trust. Typically, a simple PKI model is used where Alice
and Bob have their certificates issued by the same Certificate Authority (CA), see
[Figure: CA, with Alice (A) and Bob (B); Trusted CAs]
Figure 36.3: Alice and Bob have certificates issued by the same CA (e.g., their
company CA). In this PKI model, Alice uploads the certificate of her CA, and trusts
any certificate issued by that CA.
To generate certificates and private keys for Alice and Bob, you can, for example,
use the Easy-RSA tools provided by OpenVPN[3]. The easiest way to upload certificates
and keys to your WeOS unit(s) is via the WeOS web, see for more information.
An example of the alternative, using the CLI to download a PKCS bundle (including
Alice's certificate, private key and CA certificate), is shown below.
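The single-CA model described above can be rehearsed on a workstation before anything is uploaded. This is an added example, not part of the Westermo manual and not the WeOS CLI example the text refers to: it uses plain OpenSSL rather than Easy-RSA to issue Alice's and Bob's certificates from one CA, checks locally which certificates that CA makes trusted, and packs Alice's bundle. Assumptions: the bundle format is PKCS#12 (the page says only "PKCS bundle"), and every name, path, the second CA, the third party "mallory" and the password are constructed.

```bash
#!/usr/bin/env bash
# Added example: one CA issues certificates for Alice (server) and Bob (client).
# All names, paths and the bundle password are constructed for illustration.
set -eu

new_key_csr() {   # $1 = output path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_ca() {       # $1 = CA directory, $2 = CA common name (self-signed root)
  mkdir -p "$1"
  new_key_csr "$1/ca" "$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 365 -sha256 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {    # $1 = CA directory, $2 = name, $3 = serverAuth | clientAuth
  new_key_csr "$1/$2" "$2"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

trusted_by() {    # $1 = trusted CA cert, $2 = peer cert, $3 = sslserver | sslclient
  openssl verify -purpose "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

make_bundle() {   # $1 = CA directory, $2 = name, $3 = bundle password
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/ca.crt" \
    -name "$2" -passout "pass:$3" -out "$1/$2.p12"
}

bundle_cert_count() {  # $1 = bundle, $2 = password; prints number of certificates inside
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

WORK=$(mktemp -d)
make_ca "$WORK/corp" "Constructed Company CA"
issue_cert "$WORK/corp" alice serverAuth
issue_cert "$WORK/corp" bob clientAuth
make_ca "$WORK/other" "Constructed Unrelated CA"
issue_cert "$WORK/other" mallory clientAuth

trusted_by "$WORK/corp/ca.crt" "$WORK/corp/bob.crt" sslclient && echo "bob: accepted"
trusted_by "$WORK/corp/ca.crt" "$WORK/other/mallory.crt" sslclient || echo "mallory: rejected, other CA"
trusted_by "$WORK/corp/ca.crt" "$WORK/corp/bob.crt" sslserver || echo "bob as server: rejected, wrong purpose"
make_bundle "$WORK/corp" alice "constructed-pass"
echo "alice.p12 holds $(bundle_cert_count "$WORK/corp/alice.p12" constructed-pass) certificates"
```

The private keys here are written unencrypted to a temporary directory, so delete `$WORK` once the bundle has been transferred.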
[3] OpenVPN home page, (March 2014).
© 2015 Westermo Teleindustri AB