Modify on-boarding certificates


When you connect to an enterprise office network using SASE, the SASE client is automatically issued a SASE CA certificate and an on-boarding certificate. If the automatically issued certificates do not meet your business requirements, you can modify the certificate installation scope and validity period, or replace them with your own custom certificates.

Certificates

A CA certificate is a root certificate, and an on-boarding certificate is a child certificate of the CA certificate. By default, SASE self-signs the issued certificates.

On the Basic Configuration page, select the Certificate Management tab. The page contains three configuration sections. In the On-boarding Certificate Configuration section, you can set the Certificate Installation Scope (the default is All Users) and toggle the Manual Certificate Installation switch. In the CA Certificate Configuration section, you can view the Certificate Organization Name and CA Certificate Validity Period, and click Preview to view certificate details. In the Global Configuration section, you can enable or disable the Certificate Revocation and Certificate Deletion functions. To modify the configuration in each section, click Edit on the right.

When Manual Certificate Installation is enabled, you must manually trigger the certificate installation in the SASE client, which allows you to enable the access control feature as needed.

In the On-boarding Certificate Configuration dialog box, set the Certificate Installation Scope (select Specified User Groups or All Users) and the On-boarding Certificate Validity Period, and enable or disable the Manual Certificate Installation switch as needed.

Modify the default SASE certificate

  1. Go to the Basic configuration page. On the Certificate management tab, in the On-boarding certificate configuration section, click Edit.

  2. In the On-boarding certificate configuration pane, modify the following settings.

    Setting: Certificate installation scope
    Description: Specifies the installation scope for the certificate. Valid values are specified user groups and all users.

    Setting: On-boarding certificate validity period
    Description: Sets the validity period of the on-boarding certificate. The on-boarding certificate validity period cannot exceed the CA certificate validity period.

    Setting: Manual Certificate Installation
    Description: When enabled, certificate installation must be manually triggered by the user in the SASE client. This lets users enable the on-boarding feature as needed.

  3. If you need to change the organization name and validity period of the CA certificate, in the CA certificate configuration section, click Edit.
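
The following added example (not part of the SASE documentation or product) checks the two properties described above: that an on-boarding certificate is a child of the CA certificate, and that it does not expire after the CA certificate. It assumes both certificates are available as PEM files and that the OpenSSL CLI and GNU date are installed; the function names, file names and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes the OpenSSL CLI and GNU date; file names are hypothetical.

# Print a PEM certificate's notAfter as epoch seconds.
not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# check_onboarding_cert CA_PEM LEAF_PEM
# 0 = leaf chains to the CA and expires no later than the CA
# 1 = leaf is not a child of this CA, 2 = leaf outlives the CA, 3 = unreadable date
check_onboarding_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    ca_end=$(not_after_epoch "$1") || return 3
    leaf_end=$(not_after_epoch "$2") || return 3
    [ "$leaf_end" -le "$ca_end" ] || return 2
    return 0
}

# Constructed sample data (not issued by SASE): a self-signed CA valid 365 days,
# a child valid 90 days, and a child valid 730 days.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Org/CN=Example CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for days in 90 730; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=device-$days" \
            -keyout "$d/leaf$days.key" -out "$d/leaf$days.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/leaf$days.csr" -days "$days" \
            -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/leaf$days.pem" 2>/dev/null || return 1
    done
}

demo=$(mktemp -d) && make_samples "$demo" && for n in 90 730; do
    check_onboarding_cert "$demo/ca.pem" "$demo/leaf$n.pem" && rc=0 || rc=$?
    echo "child valid $n days: result $rc"
done
rm -rf "$demo"
```

Chain verification alone accepts the 730-day child while the CA is still valid; only the explicit date comparison flags that it outlives the CA.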

Global configuration

  1. Go to the Basic configuration page. On the Certificate management tab, in the Global Settings area, click Edit.

  2. In the Global Settings panel that appears, modify the following settings.

    Setting: Certificate Revocation
    Description: When enabled, the certificate is revoked if an account is disabled, a network access user is disabled, a device is locked, or a device is reported lost. A revoked certificate becomes unusable.
    Important: This operation is reversible but consumes some server resources.

    Setting: Certificate Deletion
    Description: When enabled, if a user within the specified scope manually deregisters, the certificate installed on their device is automatically deleted.
    Important: This operation is irreversible.

    Setting: Effective Scope
    Description: Select the scope for the certificate deletion setting. The following options are supported:

    • Specific User Groups: Requires manual selection of the applicable user groups in the Select User Group field.

    • All Users: Applies to all users.

  3. Verify the configuration and click Confirm.

Next steps

  • After the on-boarding certificate is modified, employees must click exit and log out in the SASE App and then log in again to install the modified on-boarding certificate.

  • After the CA certificate is modified, employees must click exit and log out in the SASE App and then log in again to install the modified CA certificate and on-boarding certificate.
