Create certificates for NGFW Engines using external certificate management

After creating an NGFW Engine element, create a certificate request for each NGFW Engine node, export and sign the certificate request using the external CA, then import the signed certificate.

Before you begin

Create an NGFW Engine element. Follow the instructions in one of the following topics:
  • Configuring Single Firewalls
  • Configuring Firewall Clusters
  • Configuring IPS engines
  • Configuring Layer 2 Firewalls
  • Master NGFW Engine and Virtual NGFW Engine configuration overview
    Note: Only Master NGFW Engines communicate with the Management Server. It is not possible to configure certificate settings for Virtual NGFW Engines.


Steps

  1. In the Management Client, edit the certificate settings for each NGFW Engine node.
    1. Select Configuration.
    2. Right-click an engine, then select Edit <element type>.
    3. Open the certificate settings in one of the following ways:
      • For single NGFW Engines, click Certificate Settings on the General tab of the Engine Editor.
      • For NGFW Engine clusters, browse to General > Clustering, right-click the Certificate cell for a node, then select Edit Certificate.
    4. In the certificate request details, enter the following information:
      • Common Name (CN) — Enter a common name that includes the name of the NGFW Engine element.

        Example: Helsinki NGFW

      • Subject Alternative Name (DNS) — Enter the name of the NGFW Engine node as a fully qualified domain name (FQDN).

        Examples:

        Helsinki-NGFW.example.com

        Helsinki-NGFW-node1.example.com

      Note: The value of the Subject Alternative Name (DNS) must be unique within the SMC and the external CA. Each node receives its own certificate, so each node of a cluster needs its own FQDN.
    5. Complete the other certificate request details according to your environment.
    6. Click OK.
  2. Save the initial configuration for the NGFW Engine.
    Follow the instructions in Prepare for NGFW Configuration Wizard configuration.
  3. On the command line of the NGFW Engine, make initial contact between the NGFW Engine and the Management Server.
    Follow the instructions in Contact the Management Server on the command line.
    A certificate request is created for the NGFW Engine and transferred to the Management Server. The private key that belongs to the request stays on the NGFW Engine; only the request, and later the signed certificate, is moved between systems.
  4. In the Management Client, export the certificate request for the NGFW Engine.
    1. Select Home.
    2. Right-click an NGFW Engine node, then select Certificate > Export Certificate Request.
    3. Browse to the location to save the certificate request and name it as you want, then click Export.
    4. Click OK to close the Certificate dialog box.
  5. Sign the certificate request using the external CA, then copy the signed certificate to a location that is accessible from your local workstation.
  6. In the Management Client, import the signed certificate for the NGFW Engine.
    1. Select Home.
    2. Right-click an NGFW Engine node, then select Certificate > Import Certificate.
    3. Browse to the signed certificate file, then click Import.
    4. Click OK to close the Import Certificate dialog box.

Result

The NGFW Engine node receives the signed certificate from the Management Server.

Example

Table 1. Certificate Settings dialog box

Option                               Definition
Name                                 The name of the element.
Organization (O) (Optional)          The name of your organization as it appears in the certificate.
Organization Unit (OU) (Optional)    The name of your department or division as it appears in the certificate.
State/Province (ST) (Optional)       The name of the state or province as it appears in the certificate.
Locality (L) (Optional)              The name of the city as it appears in the certificate.
Common Name (CN)                     A common name that includes the name of the NGFW Engine element.
Public Key Algorithm (Not editable)  The algorithm used for the public key.
                                     Note: For NGFW Engine certificates, only the ECDSA public key algorithm is supported.
Key Length                           The length of the key in bits. Enter 521 or 384.
Signature Algorithm (Not editable)   Shows the signature algorithm according to the key length.
Subject Alternative Name (DNS)       The name of the NGFW Engine node as a fully qualified domain name (FQDN).