Secure Firewall Threat Defense VPN Certificate Guidelines and Limitations
- When a PKI enrollment object is associated with and then installed on a device, the certificate enrollment process starts immediately. The process is automatic for self-signed and SCEP enrollment types and requires no additional administrator action. Manual certificate enrollment requires administrator action.
- When importing identity certificates into Firewall Threat Defense devices, the expiration date of the certificate must not exceed February 6, 2106. Ensure that all certificates used on devices have expiration dates earlier than February 6, 2106 to avoid issues during certificate import or renewal.
- When the certificate enrollment is complete, a trustpoint exists on the device with the same name as the certificate enrollment object. Use this trustpoint in the configuration of your VPN Authentication Method.
- Firewall Threat Defense devices support certificate enrollment using the Microsoft Certificate Authority (CA) Service, and the CA services provided on Cisco Adaptive Security Appliances (ASA) and Cisco IOS routers.
- Firewall Threat Defense devices cannot be configured as a certificate authority (CA).
- Certificate enrollment can be done in a child or parent domain.
- When enrollment is done from a parent domain, the certificate enrollment object must also be in the same domain. If the trustpoint on a device is overridden in the child domain, the overridden value is deployed on the device.
- When the certificate enrollment is done on a device in a leaf domain, the enrollment is visible to the parent domain or another child domain. Adding additional certificates is also possible.
- When a leaf domain is deleted, certificate enrollments on the devices it contained are automatically removed.
- Once a device has certificates enrolled in one domain, it is allowed to be enrolled in any other domain. The certificates can be added in the other domain.
- When you move a device from one domain to another, the certificates are moved with it. You receive an alert to delete the enrollments on these devices.
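The expiration limit above (February 6, 2106, the last full day before a 32-bit unsigned Unix time counter wraps) is easy to check before a certificate is imported. The following is an added example, not Cisco code: a hypothetical stdlib-only Python helper that decodes the `notAfter` value as it appears in a certificate's DER `Validity` field (UTCTime for dates before 2050, GeneralizedTime from 2050 on, per RFC 5280) and reports whether it is earlier than the limit. The encoder is included only so the check can be exercised on constructed sample dates; the function and constant names are the example's own.

```python
"""Pre-import check for the 2106-02-06 identity-certificate expiry limit.

Hypothetical helper (not Cisco/FTD code). It decodes a DER-encoded notAfter
time (UTCTime or GeneralizedTime, RFC 5280 section 4.1.2.5) and checks it
against the limit stated in the guideline above.
"""
from datetime import datetime, timezone

TAG_UTCTIME = 0x17          # YYMMDDHHMMSSZ, used for years 1950-2049
TAG_GENERALIZEDTIME = 0x18  # YYYYMMDDHHMMSSZ, used for years 2050 and later
TAG_SEQUENCE = 0x30

# Limit from the guideline: notAfter must be earlier than this date (UTC).
EXPIRY_LIMIT = datetime(2106, 2, 6, tzinfo=timezone.utc)


def decode_x509_time(tlv: bytes) -> datetime:
    """Decode one DER UTCTime or GeneralizedTime TLV into an aware UTC datetime."""
    if len(tlv) < 2:
        raise ValueError("truncated time element")
    tag, length = tlv[0], tlv[1]
    if length & 0x80:
        raise ValueError("long-form length is not valid for RFC 5280 time values")
    body = tlv[2:2 + length]
    if len(body) != length:
        raise ValueError("time element length mismatch")
    text = body.decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("RFC 5280 requires times in UTC with a trailing 'Z'")
    if tag == TAG_UTCTIME:
        if len(text) != 13:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy  # RFC 5280 two-digit year rule
        rest = text[2:12]
    elif tag == TAG_GENERALIZEDTIME:
        if len(text) != 15:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        year = int(text[:4])
        rest = text[4:14]
    else:
        raise ValueError(f"unexpected tag 0x{tag:02x} for a time value")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def encode_x509_time(when: datetime) -> bytes:
    """Encode a datetime as DER UTCTime/GeneralizedTime using the RFC 5280 split."""
    when = when.astimezone(timezone.utc)
    if when.year < 2050:
        tag, text = TAG_UTCTIME, when.strftime("%y%m%d%H%M%SZ")
    else:
        tag, text = TAG_GENERALIZEDTIME, when.strftime("%Y%m%d%H%M%SZ")
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body


def not_after_from_validity(validity_der: bytes) -> datetime:
    """Extract notAfter from a DER Validity ::= SEQUENCE { notBefore, notAfter }."""
    if len(validity_der) < 2 or validity_der[0] != TAG_SEQUENCE:
        raise ValueError("expected a Validity SEQUENCE")
    inner = validity_der[2:2 + validity_der[1]]  # both times fit in short-form length
    first_len = 2 + inner[1]                      # skip notBefore TLV
    return decode_x509_time(inner[first_len:])


def not_after_is_importable(validity_der: bytes) -> bool:
    """True when the certificate's notAfter is earlier than 2106-02-06 UTC."""
    return not_after_from_validity(validity_der) < EXPIRY_LIMIT


def build_validity(not_before: datetime, not_after: datetime) -> bytes:
    """Constructed sample input: encode a Validity SEQUENCE for testing the check."""
    body = encode_x509_time(not_before) + encode_x509_time(not_after)
    return bytes([TAG_SEQUENCE, len(body)]) + body


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real certificate.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for end in (datetime(2034, 1, 1, tzinfo=timezone.utc),
                datetime(2106, 2, 5, 23, 59, 59, tzinfo=timezone.utc),
                datetime(2106, 2, 7, tzinfo=timezone.utc)):
        v = build_validity(start, end)
        print(end.isoformat(), "importable" if not_after_is_importable(v) else "REJECT: exceeds limit")
```

Run it as a script to see the three constructed cases; in practice you would feed `not_after_from_validity` the Validity bytes pulled from the DER certificate you intend to import, and reject anything on or after the limit before it reaches the device.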