Distributing certificates
By default, the Proxy server creates self-signed certificates during installation to secure the connection between devices and the Proxy server. In order for devices to contact the Proxy server, you must install the client certificate and the server's public certificate on each device that uses the Proxy server.
After you install the Proxy server, you can download the certificates from the Device information page. You do not need to purchase certificates to use the Proxy server. If the certificates that are initially generated become compromised, you can generate new certificates using the built-in utility. For more information, see Generating new certificates.
If the address of the Proxy server changes, you must regenerate the certificates so the certificates match the IP address of the device. For information on regenerating the certificates, see Generating new certificates.
There are two certificates that need to be distributed to the devices running the Velocity Client:
• The Proxy server public certificate. The device must have this certificate to verify that it has connected to the correct Proxy server. This provides protection against man-in-the-middle attacks. This certificate is named Neurons Proxy CA by default and has a .cer extension.
• The Proxy client certificate. The device uses this certificate to prove it is allowed to access the Proxy server. This certificate contains privileged data, and you should be careful to keep it private and secure. If this certificate is compromised, you may need to regenerate all the certificates for the server and redistribute them in order to keep your network secure. This certificate is named Neurons Proxy Client by default and has a .pfx extension and a password associated with it. You create the password when you download it from the Proxy server.
These certificates can be distributed to the Windows or Android devices manually or through an MDM.
Distributing certificates to Windows devices
On a Windows device, the signing public certificate file should be installed in the Local Machine > Trusted Root Certificate Authorities store. The client certificate should be installed in the Current User > Personal store.
The instructions below are for installing the certificates manually. If you have a tool to manage certificates, download the certificates from the Proxy server UI and then follow the instructions for that tool to ensure the certificates are distributed to the correct places.

1. In the Proxy server UI, navigate to the Device information page and find the Certificates area.
2. Click the Download certificate button for both the signing public certificate and the client certificate. When you download the client certificate, it prompts you to create a password associated with the certificate. If you forget the password, you can download the client certificate again and associate a new password with it.
3. Copy both certificates to the device where you want to install them.

1. Double-click on the signing public certificate file (Neurons Proxy CA.cer) to open the certificate properties.
2. On the General tab of the certificate properties, click Install certificate. The Certificate Install Wizard appears.
3. Select the Local machine option and click Next.
4. Select the Place all certificates in the following store option and click Browse.
5. Select Trusted Root Certificate Authorities from the list and click OK.
6. Click Next.
7. Confirm the information is correct and click Finish to close the wizard and install the certificate.

1. Double-click on the client certificate file (Neurons Proxy Client.pfx) to open the certificate properties.
2. On the General tab of the certificate properties, click Install certificate. The Certificate Install Wizard appears.
3. Select the Current user option and click Next.
4. Provide the password you created when you downloaded the certificate at the password prompt and click Next.
5. Select the Place all certificates in the following store option and click Browse.
6. Select Personal from the list and click OK.
7. Click Next.
8. Confirm the information is correct and click Finish to close the wizard and install the certificate.
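The manual Windows steps above can also be scripted. The following PowerShell is an added example, not part of the product documentation: it uses the built-in Import-Certificate and Import-PfxCertificate cmdlets to place each file in the store named above and then checks the result. The $CertDir folder is an assumption about where you copied the two files.

```powershell
# Added example (not vendor code). $CertDir is an assumed location for the copied files.
param(
    [string]$CertDir = "$env:USERPROFILE\Downloads"
)
$ErrorActionPreference = 'Stop'

$caFile  = Join-Path $CertDir 'Neurons Proxy CA.cer'
$pfxFile = Join-Path $CertDir 'Neurons Proxy Client.pfx'

# Writing to the Local Machine root store requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run elevated: the signing public certificate goes in the Local Machine store.'
}

# Signing public certificate -> Local Machine trusted root store.
$ca = Import-Certificate -FilePath $caFile -CertStoreLocation Cert:\LocalMachine\Root

# Client certificate -> Current User > Personal (Cert:\CurrentUser\My).
# "Current User" is the account running this session, so it must be the
# account that runs the Velocity Client, not a separate admin account.
# The password is read as a SecureString so it is never stored in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password created when the .pfx was downloaded'
# Without -Exportable, the imported private key cannot be exported from the store.
$imported = Import-PfxCertificate -FilePath $pfxFile `
    -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword

# A .pfx can carry more than one certificate; the client identity is the one with a key.
$client = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
if (-not $client) {
    throw 'No certificate with a private key was imported from the .pfx file.'
}

# Confirm both certificates landed in the expected stores.
[pscustomobject]@{
    CaSubject        = $ca.Subject
    CaInRootStore    = Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)"
    ClientSubject    = $client.Subject
    ClientInPersonal = Test-Path "Cert:\CurrentUser\My\$($client.Thumbprint)"
    ClientExpires    = $client.NotAfter
}
```

Because the client certificate contains privileged data, delete the copied .pfx file from the device once the import has been verified.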
Distributing certificates to Android devices
The instructions below are for installing the certificates manually or using Ivanti Neurons for MDM. If you have a different tool to manage certificates, download the certificates from the Proxy server UI and then follow the instructions for that tool to ensure the certificates are distributed to the correct places.
Your MDM tool may use different terminology for the two types of certificates. Generally, what we refer to as the Proxy client certificate is called an identity certificate or client certificate. If the terminology for your MDM tool doesn't match, remember that the Proxy client certificate has a .pfx extension and must have a password associated with it.
On an Android device, after installation the certificates should show up in the Trusted credentials list in the Settings app. To confirm that the certificates are installed correctly, open the Settings app and navigate to Security & privacy > More security & privacy > Encryption & credentials. The Proxy server public certificate should be in the Trusted credentials > User list. The Proxy client certificate should be in the User credentials list.

1. In the Proxy server UI, navigate to the Device information page and find the Certificates area.
2. Click the Download certificate button for both the signing public certificate and the client certificate. When you download the client certificate, it prompts you to create a password associated with the certificate. If you forget the password, you can download the client certificate again and associate a new password with it.
3. Either copy the certificates to the device where you want to install them, or prepare to upload the certificates to your MDM tool.
Distributing certificates to Android devices manually
When you are installing certificates manually, some device manufacturers or OS versions may have the settings for certificates in different places in the UI. These instructions are for a stock Android 15 device.

1. From the Android device, open the Settings app.
2. Navigate to Security & privacy > More security & privacy > Encryption & credentials > Install a certificate.
3. Select CA certificate.
4. Select Install anyway.
5. If requested, provide authentication to prove you have the authority to install the certificate.
6. Select the certificate file from the location where you saved it.

1. From the Android device, open the Settings app.
2. Navigate to Security & privacy > More security & privacy > Encryption & credentials > Install a certificate.
3. Select VPN & app user certificate.
4. If requested, provide authentication to prove you have the authority to install the certificate.
5. Select the certificate file from the location where you saved it.
6. At the prompt, provide the password that you created when you downloaded the Proxy client certificate and select OK.
7. Provide a name for the certificate to make it easy to identify. We recommend "Neurons Proxy Client". The device user will need to choose the certificate the first time the Velocity Client contacts the Proxy server. Then select OK.
Distributing certificates to Android devices using Ivanti Neurons for MDM
When you distribute the Proxy server certificates using Ivanti Neurons for MDM, each certificate goes in its own configuration. The Proxy server public certificate is added to a Certificate configuration, and the Proxy client certificate is added to an Identity Certificate configuration.

1. From the Ivanti Neurons for MDM Admin portal, navigate to Configurations.
2. Select Add > Certificate.
3. Provide a name for the configuration.
4. Drag and drop or choose the Proxy server public certificate to add it to the configuration.
5. Select Next.
6. Select the devices that you want to distribute the configuration to and click Next.
The configuration is created and distributed to the selected devices.

1. From the Ivanti Neurons for MDM Admin portal, navigate to Configurations.
2. Select Add > Identity Certificate.
3. Provide a name for the configuration.
4. From the Certificate Distribution list, select Single file.
5. Drag and drop or choose the Proxy client certificate to add it to the configuration.
6. Provide the password that you created when you downloaded the Proxy client certificate.
7. Select Next.
8. Select the devices that you want to distribute the configuration to and click Next.
The configuration is created and distributed to the selected devices.