Description:

This document describes how you can create digital certificates with LANCOM Smart Certificate for authenticating certificate-based VPN connections (site-to-site or client-to-site).


Requirements:

The LANCOM router must have correct time settings. The router stamps every certificate it issues with a validity period taken from its own clock, so a wrong clock produces certificates that the VPN peer rejects as not yet valid or already expired. Information on configuring time synchronization can be found in this article.


Procedure:

Configuring certificates for VPN connections:

By using LANCOM Smart Certificate, the digital certificates required for certificate-based VPN connections can be created directly on the LANCOM router.

The procedure is the same for all VPN scenarios. Each communication partner (router or VPN client) requires its own certificate.

1.1) In LANconfig, open the configuration dialog for the LANCOM router and switch to the menu item Certificates → Cert. authority (CA).

1.2) Set a check mark for the option Certificate authority (CA) active. The LANCOM router functions as the root certificate authority (root CA).

For this configuration example we leave all of the other parameters with their preset values.

Screenshot: the Certificate authority (CA) configuration dialog in LANconfig, with the CA hierarchy, SCEP client, CRL and communication settings at their defaults.

1.3) In WEBconfig, access the configuration for the LANCOM router and switch to the menu item Setup Wizards → Manage certificates.

Screenshot: the WEBconfig Setup Wizards menu.

1.4) First, create the certificate for the LANCOM router. Click the button Create new certificate to do this.

Screenshot: the Manage certificates page with the Create new certificate button and the certificate list (serial number, status, dates, revocation).

1.5) Set the profile name to VPN.

1.6) In this example, the common name (CN) is set to the company's name. By way of example, the surname (SN) is set to Router so that the certificate can be recognized as the router's. The other fields can be filled in as you wish.

1.7) Be sure to password-protect the certificate container. The PKCS#12 file that is downloaded contains the certificate together with its private key, and the container password is the only protection for that key while the file is stored and transferred to the VPN peer.

Screenshot: the certificate form with the fields profile name, common name, surname, e-mail, organization, organizational unit, locality, state, country, postal code, validity period and container password; mandatory fields are marked.

You can specify which profiles and fields should be displayed in this form in the LANCOM router's configuration with the menu items Certificates → Certificate handling → Profiles and Templates.

1.8) Click the button Enroll (PKCS#12) and give the certificate file a unique file name, if necessary.

1.9) The successful download of the certificate file is confirmed by a message.


1.10) If you switch back to Manage certificates, you should see the created certificate in the list.

Screenshot: the Manage certificates list showing the new entry with its index, DN, serial number, status, creation date and revocation reason.

1.11) Create an additional certificate for the VPN client by clicking the button Create new certificate once again.

1.12) Set the profile name to VPN.

1.13) In this example, the common name (CN) is again set to the company's name. By way of example, the surname (SN) is set to Client so that this certificate can be told apart from the router's. The other fields can be filled in as you wish.

1.14) Password-protect this certificate container as well; it too contains a private key.

Screenshot: the certificate form filled in for the VPN client, with the container password fields at the bottom.

1.15) Click the button Enroll (PKCS#12) and give the certificate file a unique file name, if necessary.


1.16) The successful download of the certificate file is confirmed by a message.


1.17) If you switch back to Manage certificates, you should see both created certificates in the list.

Screenshot: the Manage certificates list with both VPN profile entries, their status and serial numbers.

1.18) Both certificates have now been created and can be used for authenticating certificate-based VPN connections. Treat each downloaded PKCS#12 file and its password as a secret, since the file contains the peer's private key, and delete the downloaded copy once it has been imported on the VPN peer it was created for.