Create a certificate for the Log Server using external certificate management

Create a certificate request for the Log Server, export and sign the certificate request using the external CA, then import the signed certificate for the Log Server.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Start the Management Client.
  2. Accept the Management Server certificate. A certificate dialog box containing the Management Server certificate fingerprint is shown when the Management Client contacts a Management Server for the first time. Confirm that the fingerprint shown on the client matches the server certificate fingerprint.
    1. To view the Management Server certificate fingerprint, log on to the SMC Appliance command line with your administrator credentials, then run the following command:
      On restricted shell:
      smca-system fingerprint
      Not on restricted shell:
      sudo smca-system fingerprint
    2. If the fingerprint shown on the command line matches the one in the client dialog box, click Accept.
  3. Complete the certificate request details for the Log Server.
    1. In the Home view, browse to Others > Log Server.
    2. Right-click the Log Server, then select Properties.
    3. On the Certificate tab, enter the following information:
      • Common Name (CN) — Enter a common name that includes the name of the Log Server element.
      • Subject Alternative Name (DNS) — Enter the name of the Log Server as a fully qualified domain name (FQDN).
      Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA.
    4. Complete the other certificate request details according to your environment.
    5. Click OK to close the Log Server Properties dialog box.
  4. On the command line of the SMC Appliance, create a certificate request and a private key for the Log Server.
    1. Enter the sgCertifyLogSrv command on restricted shell:
      sg sgCertifyLogSrv.sh
      Not on restricted shell:
      sudo <installation directory>/bin/sgCertifyLogSrv.sh
    2. Enter the credentials for an administrator account with unrestricted permissions (superuser).
      When the certification has finished, a certificate request is created for the Log Server.
  5. In the Management Client, export the certificate request.
    1. In the Home view, browse to Others > Log Server.
    2. Right-click the Log Server, then select Properties.
    3. On the Certificate tab, click Export Certificate Request, browse to the location where you want to save the certificate request, then click Save.
      Save the certificate request in a location that is accessible from your local workstation.
    4. Click OK to close the Export Certificate Request dialog box.
    5. Click OK to close the Log Server Properties dialog box.
  6. Sign the certificate request using the external CA, then copy the signed certificate to a location that is accessible from your local workstation.
  7. In the Management Client, import the signed certificate for the Log Server.
    1. In the Home view, browse to Others > Log Server.
    2. Right-click the Log Server, then select Properties.
    3. On the Certificate tab, click Import Signed Certificate.
    4. Browse to the signed certificate file, then click OK.
    5. Click OK to close the Log Server Properties dialog box.
  8. On the command line of the SMC Appliance, transfer the signed certificate to the Log Server.
    1. Enter the sgCertifyLogSrv command when using the restricted shell:
      sg sgCertifyLogSrv.sh
      Not on restricted shell:
      sudo <installation directory>/bin/sgCertifyLogSrv.sh
    2. Enter the credentials for an administrator account with unrestricted permissions (superuser).
  9. Start the Log Server.
    Enter the command for your platform:
    On restricted shell:
    daemon_ctl restart sgLogServer
    Not on restricted shell:
    sudo daemon_ctl restart sgLogServer
    On other platforms:
    sudo <installation directory>/bin/sgStartLogSrv.sh
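The following script is an added example and is not part of the SMC documentation or product. It uses OpenSSL to play the role of the external CA from step 6, signing a request that carries the same Common Name and Subject Alternative Name (DNS) fields the Certificate tab asks for, and then runs the checks an administrator would want before importing the signed file in step 7: the certificate chains to the intended CA, the DNS SAN survived signing, the certificate matches the private key, and a fingerprint compared out of band (as in step 2) matches. The CA, the key, the element name `smc-logsrv`, the FQDN `smc-logsrv.example.internal` and the working directory are all constructed placeholders; on a real deployment the request comes from sgCertifyLogSrv.sh and the CA is whatever your organization operates.

```shell
#!/bin/sh
# Added example, not part of the SMC documentation or product: an OpenSSL stand-in
# for the external CA of step 6 plus the checks worth running before the signed
# certificate is imported in step 7. All names, keys and paths are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LOGSRV_CN="LogServer smc-logsrv"           # CN that includes the Log Server element name (constructed)
LOGSRV_FQDN="smc-logsrv.example.internal"  # Subject Alternative Name (DNS), constructed

# Throwaway external CA on a P-384 key. In practice the CA already exists outside the SMC.
make_ca() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ca.key"
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = Example Org
CN = Example External CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -new -key "$WORK/ca.key" -sha384 -days 3650 \
    -config "$WORK/ca.cnf" -out "$WORK/ca.pem"
}

# Request equivalent to what the Log Server produces: a P-384 key (key length 384),
# the CN from the Certificate tab and the FQDN as a DNS SAN.
make_csr() {
  openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/logsrv.key"
  cat > "$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
O = Example Org
CN = $LOGSRV_CN
[ext]
subjectAltName = DNS:$LOGSRV_FQDN
EOF
  openssl req -new -key "$WORK/logsrv.key" -sha384 -config "$WORK/csr.cnf" -out "$WORK/logsrv.csr"
}

# Sign with the CA. The SAN is re-stated in an extension file because "openssl x509 -req"
# drops request extensions unless told to carry them; a certificate without the DNS SAN
# does not identify the Log Server even when the CN looks right.
sign_csr() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$LOGSRV_FQDN" > "$WORK/logsrv.ext"
  openssl x509 -req -in "$WORK/logsrv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha384 -extfile "$WORK/logsrv.ext" -out "$WORK/logsrv.pem"
}

# Import-time checks -------------------------------------------------------------

# The signed certificate chains to the CA that was supposed to sign it.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/logsrv.pem" >/dev/null
}

# The DNS SAN present in the signed certificate (empty if the CA dropped it).
cert_san() {
  openssl x509 -in "$WORK/logsrv.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p'
}

# The certificate the CA returned belongs to the private key the Log Server generated.
key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/logsrv.key" -pubout)" = \
    "$(openssl x509 -in "$WORK/logsrv.pem" -noout -pubkey)" ]
}

# SHA-256 fingerprint, the kind of value compared out of band in step 2 of the procedure.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exact, case-insensitive comparison of a fingerprint shown by a client with the server's file.
fingerprints_match() {
  [ "$(cert_fingerprint "$1" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

make_ca
make_csr
sign_csr
echo "signed certificate: $WORK/logsrv.pem"
echo "SAN in certificate: $(cert_san)"
echo "CA fingerprint:     $(cert_fingerprint "$WORK/ca.pem")"
```

Run it on any host with OpenSSL; it writes the CA, key, request and signed certificate under a temporary directory and prints the values the checks look at. The two checks most often skipped in practice are `cert_san` and `key_matches_cert`: a CA operator who signs through a template without the request's extensions returns a certificate with no DNS name, and a certificate mixed up with another request's file imports cleanly but never matches the Log Server's key.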

Example

Table 1. Log Server Properties dialog box - Certificate tab (option, then its definition)

  Current Certificate
    Shows information about the current certificate of the server. Click Export Certificate to export the current certificate. Click Renew Certificate to renew the certificate.
  Check Revocation
    Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority.
  Ignore Revocation Check Failures if There Are Connectivity Problems
    When selected, the server ignores all certificate check failures if connectivity problems are detected.
  Organization (O) (Optional)
    The name of your organization as it appears in the certificate.
  Organization Unit (OU) (Optional)
    The name of your department or division as it appears in the certificate.
  State/Province (ST) (Optional)
    The name of the state or province as it appears in the certificate.
  Locality (L) (Optional)
    The name of the city as it appears in the certificate.
  Common Name (CN)
    A common name that includes the name of the Log Server element.
  Public Key Algorithm (Not editable)
    The algorithm used for the public key.
    Note: For NGFW Engine certificates, only the ECDSA public key algorithm is supported.
  Key Length
    The length of the key in bits. Enter 521 or 384.
  Signature Algorithm (Not editable)
    Shows the signature algorithm according to the key length.
  Subject Alternative Name (DNS)
    Name of the Log Server as a fully qualified domain name (FQDN).
  Certificate Request
    Shows the certificate request as text.
  Export Certificate Request
    Exports the certificate request so that you can sign it using an external certificate authority.
  Import Signed Certificate
    Imports a certificate that has been signed using an external certificate authority.

Next steps

Create NGFW Engine elements, then create certificates for the NGFW Engines.