Create certificates for Security Engines using external certificate management

After creating a Security Engine element, create a certificate request for each Security Engine node, export the request and have it signed by the external CA, then import the signed certificate.

Before you begin

Create a Security Engine element. For details, refer to the Create an element for the Security Engine topic in the Forcepoint Network Security Platform Common Criteria Evaluated Configuration Guide.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. In the SMC Client, edit the certificate settings for each Security Engine node.
    1. Select Engine Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Open the certificate settings in one of the following ways:
      • For single Security Engines, click Certificate Settings on the General tab of the Engine Editor.
      • For Security Engine clusters, browse to General > Clustering, right-click the Certificate cell for a node, then select Edit Certificate.
    4. In the Certificate Settings dialog box, do the following:
      • Select the Check Revocation checkbox.
      • Make sure that the Ignore Revocation Check Failures if There Are Connectivity Problems checkbox is not selected.
      • Common Name (CN) — Enter a common name that includes the name of the Security Engine element.

        Example: Helsinki Security Engine

      • Subject Alternative Name (DNS) — Enter the name of the Security Engine node as a fully qualified domain name (FQDN).

        Examples:

        helsinki-security-engine.example.com

        helsinki-security-engine-node1.example.com

        Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA.
      • Key Length — Select 384.
        Note: Key-size parameters of 256 bits and 521 bits are also acceptable if the configuration is not intended to be compatible with Commercial Solutions for Classified configuration.
    5. Complete the other certificate request details according to your environment.
    6. Click OK.
  2. Save the initial configuration for the Security Engine.
    Follow the instructions in Prepare for Security Engine Configuration Wizard configuration.
  3. On the command line of the Security Engine, make initial contact between the Security Engine and the Management Server.
    Follow the instructions in Contact the Management Server on the command line.
    A certificate request is created for the Security Engine and transferred to the Management Server.
  4. In the SMC Client, export the certificate request for the Security Engine.
    1. Select Engine Configuration.
    2. Right-click a Security Engine node, then select Certificate > Export Certificate Request.
    3. Browse to the location to save the certificate request and name it as you want, then click Export.
    4. Click OK to close the Certificate dialog box.
  5. Sign the certificate request using the external CA, then copy the signed certificate to a location that is accessible from your local workstation.
  6. In the SMC Client, import the signed certificate for the Security Engine.
    1. Select Engine Configuration.
    2. Right-click a Security Engine node, then select Certificate > Import Signed Certificate.
    3. Browse to the signed certificate file, then click Import.
    4. Click OK to close the Import Certificate dialog box.
    Note: Reboot the Security Engine after it receives the certificate.
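Before handing the exported request to the external CA (step 5), it is worth confirming that it actually carries the settings the procedure prescribes: an ECDSA key on an acceptable curve and a unique Subject Alternative Name (DNS). The script below is an added example, not Forcepoint tooling; it assumes the openssl command line (1.1.1 or newer for -addext) and builds constructed test requests with the example names from this page.

```sh
#!/bin/sh
# Added example: validate exported Security Engine certificate requests with openssl.

# Print the request in text form; fail if the file is not a PEM certificate request.
csr_text() { openssl req -in "$1" -noout -text 2>/dev/null; }

# Return 0 when the CSR uses ECDSA on an acceptable curve and carries a SAN DNS entry.
# P-384 is the value the procedure tells you to select; P-256 and P-521 pass with a
# warning because the page accepts them only for non-CSfC-compatible configurations.
check_engine_csr() {
  text=$(csr_text "$1") || { echo "$1: not a readable certificate request"; return 1; }
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey' \
    || { echo "$1: public key algorithm is not ECDSA"; return 1; }
  curve=$(printf '%s\n' "$text" | sed -n 's/.*NIST CURVE: *\(P-[0-9]*\).*/\1/p')
  case "$curve" in
    P-384) ;;
    P-256|P-521) echo "$1: warning, $curve is acceptable only outside CSfC configurations" ;;
    *) echo "$1: unsupported curve '$curve'"; return 1 ;;
  esac
  printf '%s\n' "$text" | grep -q 'DNS:' \
    || { echo "$1: no Subject Alternative Name (DNS) requested"; return 1; }
  return 0
}

# Return 0 when no SAN DNS value repeats across the given CSRs; the SAN must be
# unique within the SMC and the external CA, so duplicates are reported before signing.
check_unique_sans() {
  dups=$(for f in "$@"; do csr_text "$f" | grep -o 'DNS:[^,[:space:]]*'; done | sort | uniq -d)
  [ -z "$dups" ] || { echo "duplicate SAN DNS values: $dups"; return 1; }
}

# Build a constructed CSR for testing: output path, curve name, CN, SAN FQDN.
make_constructed_csr() {
  openssl ecparam -name "$2" -genkey -noout -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$3" \
    -addext "subjectAltName=DNS:$4" -out "$1" 2>/dev/null
}

# Demo with constructed requests: node2 accidentally reuses node1's SAN.
tmp=$(mktemp -d)
make_constructed_csr "$tmp/node1.csr" secp384r1 "Helsinki Security Engine" helsinki-security-engine-node1.example.com
make_constructed_csr "$tmp/node2.csr" secp384r1 "Helsinki Security Engine" helsinki-security-engine-node1.example.com
check_engine_csr "$tmp/node1.csr" && echo "node1: request matches the prescribed settings"
check_unique_sans "$tmp/node1.csr" "$tmp/node2.csr" || echo "fix the SAN before exporting"
```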

Result

The Security Engine node receives the signed certificate from the Management Server.

Example

Table 1. Certificate Settings dialog box

Name
    The name of the element.

Organization (O) (Optional)
    The name of your organization as it appears in the certificate.

Organization Unit (OU) (Optional)
    The name of your department or division as it appears in the certificate.

State/Province (ST) (Optional)
    The name of the state or province as it appears in the certificate.

Locality (L) (Optional)
    The name of the city as it appears in the certificate.

Common Name (CN)
    A common name that includes the name of the Security Engine element.

Public Key Algorithm (Not editable)
    The algorithm used for the public key.
    Note: For Security Engine certificates, only the ECDSA public key algorithm is supported.

Key Length
    The length of the key in bits. Select 384.
    Note: Key-size parameters of 256 bits and 521 bits are also acceptable if the configuration is not intended to be compatible with Commercial Solutions for Classified configuration.

Signature Algorithm (Not editable)
    Shows the signature algorithm according to the key length.

Subject Alternative Name (DNS)
    The name of the Security Engine node as a fully qualified domain name (FQDN).