How to Enroll Endpoints with your own Certificate Authority

This article applies to NetFoundry networks version 7 or higher. Refer to Finding Your Network Version for detailed information on determining your Network Version.

Importing your own certificate authority (CA) is helpful for creating and enrolling endpoints in bulk. You may import and verify one or more of your own CA certificates for which you are able to issue user certificates.

Options

There are two enrollment methods. You must select either or both. The main difference is whether or not the endpoint is created at the time of enrollment.

AUTO ENROLLMENT

With this option the endpoint is created and enrolled at the same time. The first time a certificate issued by this CA is presented, an enrolled endpoint is created immediately. There is no need to create an endpoint in advance when using this method.

OTT ENROLLMENT

This option makes it possible to create endpoints in advance. The first time a certificate issued by this CA is presented, the one-time token (OTT) for an existing endpoint must be presented with it. The existing endpoint is then enrolled.

AUTO ENROLLMENT and OTT ENROLLMENT

Both options may be enabled, in which case enrolling with the token is optional.

  • If the token is not presented during enrollment then an enrolled endpoint is immediately created the first time a certificate is presented that was issued by this CA.
  • If the token is presented during enrollment then the existing endpoint is enrolled.

AUTH ENABLED

Allows enrolled endpoints to connect to services. Leaving this off allows endpoints to enroll but not to connect.

Scenarios

  1. You could leave this option disabled while enrollment occurs, and then enable it later to begin allowing those endpoints to connect.
  2. If you experience a security incident affecting your CA, you may pause connectivity for the associated endpoints by disabling this option.

Verification

After importing your CA certificate you must issue a special user certificate to prove that you have the ability to issue user certificates for each endpoint that will use this CA. The verification certificate must have the value of the verification token, an alphanumeric string, as the common name (CN) of its subject.

For example, if your imported CA verification string is "K3ScXYHMR", then your verification certificate might have a Subject like this:

❯ openssl x509 -noout -subject < ~/pki/intermediate/certs/K3ScXYHMR.cert
subject=C = US, L = Charlotte, O = Cold River, OU = us-west, CN = K3ScXYHMR
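The following script is an added example and not NetFoundry tooling. It builds a throwaway issuing CA in a temporary directory (standing in for the CA you imported), issues a certificate whose CN is the verification token, and then checks two things a practitioner should confirm before uploading the verification certificate: that the CN is exactly the token, and that the certificate actually chains to the CA that was imported. The token "K3ScXYHMR" is reused from the example above; the organization and other subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example: issue and check a CA verification certificate with openssl.
# The CA created here is a stand-in for the CA imported into NetFoundry;
# subject fields and the token value are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA key and certificate (stand-in for your issuing CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=US/O=Example Org/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a user certificate from that CA with CN set to the verification token.
issue_verification_cert() {
  token="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/CN=$token" \
    -keyout "$WORK/$token.key" -out "$WORK/$token.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$token.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$token.cert" 2>/dev/null
}

# Print only the CN component of a certificate's subject.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Return 0 when the certificate's CN equals the token AND the certificate
# chains to the CA in $WORK/ca.pem; return 1 otherwise.
check_verification_cert() {
  token="$1"
  cert="$2"
  [ "$(cert_cn "$cert")" = "$token" ] || { echo "CN mismatch" >&2; return 1; }
  openssl verify -CAfile "$WORK/ca.pem" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA" >&2; return 1; }
  return 0
}

# Usage: build the CA, issue the verification certificate, inspect and check it.
make_ca
issue_verification_cert K3ScXYHMR
openssl x509 -noout -subject -in "$WORK/K3ScXYHMR.cert"
check_verification_cert K3ScXYHMR "$WORK/K3ScXYHMR.cert" && echo "ready to upload"
```

The chain check matters as much as the CN check: a certificate with the right CN but signed by a different CA (for example, a root instead of the intermediate that was imported) will not satisfy verification.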


Create Endpoints for this CA

After verifying your CA you may begin pre-creating endpoints for this CA. If you are using the AUTO ENROLLMENT method, the endpoints are created and enrolled automatically when they first present their certificate. When you create an endpoint you must select the CA for which enrollment is permitted. The attributes that you assign to the created endpoints are used instead of the attributes configured for the CA.

