Adding Certificate Enrollment Objects

You can use these objects with Firewall Threat Defense devices. You must have Admin or Network Admin privileges to do this task.

Procedure

Step 1

Open the Add Cert Enrollment dialog:

  • Directly from Object Management: In the Objects > Object Management screen, choose PKI > Cert Enrollment from the navigation pane, and press Add Cert Enrollment.
  • While configuring a managed device: In the Devices > Certificates screen, choose Add > Add New Certificate and click (add icon) for the Certificate Enrollment field.

Step 2

Enter the Name, and optionally, a Description of this enrollment object.

When enrollment is complete, this name is the name of the trustpoint on the managed devices with which it is associated.

Step 3

Click the CA Information tab.

Step 4

Choose the Enrollment Type.

  • Self-Signed Certificate—The managed device, acting as a CA, generates its own self-signed root certificate. No other information is needed in this pane.

    Note

    When enrolling a self-signed certificate you must specify the Common Name (CN) in the certificate parameters.

  • EST—Enrollment over Secure Transport protocol. Specify the EST information. See Certificate Enrollment Object EST Options.
  • SCEP—(Default) Simple Certificate Enrollment Protocol. Specify the SCEP information. See Certificate Enrollment Object SCEP Options.
  • Manual

    • CA Only—Check this check box to create only the CA certificate from the selected CA. An identity certificate will not be created for this certificate.

      If you do not select this check box, a CA certificate is not mandatory. You can generate the CSR without having a CA certificate and obtain the identity certificate.

    • CA Certificate—Paste the CA certificate in the PEM format in the box. You can also obtain a CA certificate by copying it from another device.

      You can leave this box empty if you choose to generate a CSR without the CA certificate.

  • PKCS12 File—Import a PKCS12 file on a Firewall Threat Defense managed device that supports VPN connectivity. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.

Step 5

Skip Check for CA flag in basic constraints of the CA Certificate—Check this check box if you want to skip checking the basic constraints extension and the CA flag in a trustpoint certificate.

Step 6

Validation Usage—Choose from the options to validate the certificate during a VPN connection:

  • IPsec Client—Validate an IPsec client certificate for a site-to-site VPN connection.

  • SSL Client—Validate an SSL client certificate during a remote access VPN connection attempt.

  • SSL Server—Select to validate an SSL server certificate, like as a Cisco Umbrella server certificate.

Step 7

(Optional) Click the Certificate Parameters tab and specify the certificate contents. See Certificate Enrollment Object Certificate Parameters.

This information is placed in the certificate and is readable by any party who receives the certificate from the router.

Step 8

(Optional) Click the Key tab and specify the Key information. See Certificate Enrollment Object Key Options.

Step 9

(Optional) Click the Revocation tab, and specify the revocation options: See Certificate Enrollment Object Revocation Options.

Step 10

Allow Overrides of this object if desired.

Whenever you modify the PKCS12 certificate enrollment object to permit overrides, you must update the Passphrase for the certificate on the device where it is overridden.

See Object Overrides for a full description of object overrides.

Step 11

Click Save.

What to do next

Associate and install the enrollment object on a device to create a trustpoint on that device.