Create certificates for Security Engines using external certificate management

After creating a Security Engine element, create a certificate request for each Security Engine node, export the certificate request, sign it using the external CA, then import the signed certificate.

Before you begin

Create a Security Engine element. Follow the instructions in one of the following topics:
  • Configuring Single Engines
  • Configuring Engine Clusters
  • Configuring IPS engines
  • Configuring Layer 2 Engines
  • Master Security Engine and Virtual Security Engine configuration overview
    Note: Only Master Security Engines communicate with the Management Server. It is not possible to configure certificate settings for Virtual Security Engines.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the SMC Client, edit the certificate settings for each Security Engine node.
    1. Select Engine Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Open the certificate settings in one of the following ways:
      • For single Security Engines, click Certificate Settings on the General tab of the Engine Editor.
      • For Security Engine clusters, browse to General > Clustering, right-click the Certificate cell for a node, then select Edit Certificate.
    4. In the certificate request details, enter the following information:
      • Common Name (CN) — Enter a common name that includes the name of the Security Engine element.

        Example: Helsinki Security Engine

      • Subject Alternative Name (DNS) — Enter the name of the Security Engine node as a fully qualified domain name (FQDN).

        Examples:

        Helsinki-Security Engine.example.com

        Helsinki-Security Engine-node1.example.com

      Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA.
    5. Complete the other certificate request details according to your environment.
    6. Click OK.
  2. Save the initial configuration for the Security Engine.
    Follow the instructions in Prepare for Security Engine Configuration Wizard configuration.
  3. On the command line of the Security Engine, make initial contact between the Security Engine and the Management Server.
    Follow the instructions in Contact the Management Server on the command line.
    A certificate request is created for the Security Engine and transferred to the Management Server.
  4. In the SMC Client, export the certificate request for the Security Engine.
    1. Select Engine Configuration.
    2. Right-click a Security Engine node, then select Certificate > Export Certificate.
    3. Browse to the location to save the certificate request and name it as you want, then click Export.
    4. Click OK to close the Certificate dialog box.
  5. Sign the certificate request using the external CA, then copy the signed certificate to a location that is accessible from your local workstation.
  6. In the SMC Client, import the signed certificate for the Security Engine.
    1. Select Engine Configuration.
    2. Right-click a Security Engine node, then select Certificate > Import Certificate.
    3. Browse to the signed certificate file, then click Import.
    4. Click OK to close the Import Certificate dialog box.
    Note: Reboot the Engine once it has received the certificate.

Result

The Security Engine node receives the signed certificate from the Management Server.

Example

Table 1. Certificate Settings dialog box

  • Name: The name of the element.
  • Organization (O) (Optional): The name of your organization as it appears in the certificate.
  • Organization Unit (OU) (Optional): The name of your department or division as it appears in the certificate.
  • State/Province (ST) (Optional): The name of the state or province as it appears in the certificate.
  • Locality (L) (Optional): The name of the city as it appears in the certificate.
  • Common Name (CN): A common name that includes the name of the Security Engine element.
  • Public Key Algorithm (Not editable): The algorithm used for the public key.
    Note: For Security Engine certificates, only the ECDSA public key algorithm is supported.
  • Key Length: The length of the key in bits. Enter 521 or 384.
  • Signature Algorithm (Not editable): Shows the signature algorithm according to the key length.
  • Subject Alternative Name (DNS): The name of the Security Engine node as a fully qualified domain name (FQDN).
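The following Go program is an added example, not part of this documentation or of the SMC product: it checks a certificate returned by the external CA (step 5) against the requirements stated in step 1 and Table 1 (ECDSA key of 384 or 521 bits, SAN DNS equal to the node FQDN) before it is imported. The function names, the throwaway test CA generated in the program and the FQDN are all constructed for the example; keepSAN=false models a CA profile that drops the SAN requested in the CSR, a common reason an imported certificate does not match the node.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkEngineCert applies the requirements stated above to a signed engine certificate before
// import: an ECDSA key of 384 or 521 bits and a Subject Alternative Name (DNS) equal to the FQDN.
func checkEngineCert(cert *x509.Certificate, fqdn string) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || (pub.Curve.Params().BitSize != 384 && pub.Curve.Params().BitSize != 521) {
		return fmt.Errorf("expected an ECDSA key of 384 or 521 bits, got %v key", cert.PublicKeyAlgorithm)
	}
	for _, name := range cert.DNSNames {
		if name == fqdn {
			return nil
		}
	}
	return fmt.Errorf("SAN DNS %q missing, certificate carries %v", fqdn, cert.DNSNames)
}

// signAndCheck plays the external CA with a throwaway test CA (constructed here): it signs a CSR
// like the one the engine exports, then checks the result. keepSAN=false models a CA that drops the SAN.
func signAndCheck(curve elliptic.Curve, fqdn string, keepSAN bool) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true, BasicConstraintsValid: true}
	engineKey, _ := ecdsa.GenerateKey(curve, rand.Reader) // the engine node generates its own key pair
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "Helsinki Security Engine"}, DNSNames: []string{fqdn}}, engineKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	if keepSAN {
		leaf.DNSNames = csr.DNSNames // a correct CA copies the requested SAN into the certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return err
	}
	cert, _ := x509.ParseCertificate(der)
	return checkEngineCert(cert, fqdn)
}
```

Call signAndCheck with elliptic.P384() or elliptic.P521() and keepSAN=true to see an accepted certificate; P256 or keepSAN=false returns the error that explains why the import would not match the node.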