Generating Certificate Requests to ScreenOS Devices (NSM Procedure)
To send a certificate request prompt to the
managed device, right-click the device and select Certificates
> Generate Certificate Request. Enter the information
as described in Table 1.
Table 1: Certificate Requests

| Certificate Requests | Your Action |
| --- | --- |
| Name | Enter the name of the certificate requestor; typically, this is the person who administers the security device. |
| Phone | Enter the telephone number of the certificate requestor. |
| Domain Component | Enter one or more domain components for the certificate requestor. Multiple entries must be separated by commas. |
| Unit/Department | Enter the unit or department of the certificate requestor. |
| Organization | Enter the organization of the certificate requestor. |
| County/Locality | Enter the county or locality of the certificate requestor. |
| State | Enter the state of the certificate requestor. |
| Country | Enter the country of the certificate requestor. |
| E-mail | Enter the e-mail address of the certificate requestor. |
| IP Address | Enter the IP address of the certificate requestor. |
| FQDN | Enter the fully qualified domain name of the security device. |
| Key Pair Type | Select RSA or DSA encryption. |
| Key Pair Length | Select the key length: 512, 786, 1024, or 2048. Ensure that your certificate authority can support the key length you select. Key lengths greater than 1024 might require generation times longer than 10 minutes. |
| Create Self-Signed Certificate (ScreenOS 5.1 and higher only) | Select this option to use the self-signed certificate on a device running ScreenOS 5.1 and later. Because the self-signed certificate is both the local certificate and the CA certificate, the SCEP options are automatically disabled when this option is enabled. |
| Automatically Enroll | Select this option to use SCEP. The device automatically requests, receives, and installs the local certificate and the CA certificate. To use SCEP, configure the following defaults: Certificate authority (select a preconfigured CA or use the default CA settings for the device) and E-mail request to (provide the e-mail address that receives the PKCS#10 file, which defines the syntax for certification requests). |
Click OK to send the
request prompt to the device.
A Job Manager window appears to display job information and
job progress. When the job is complete, the device public key appears
in the Job window.
If you are obtaining the local certificate manually,
you need the device public key to give to the CA. Copy and paste the
information from the job window to a text file, or leave the job window
open while you contact the CA.
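The fields in Table 1 are the subject attributes and subject alternative names of a PKCS#10 certificate request, which is what the device hands to the CA. The following added example (written for this page; it is not NSM or ScreenOS code) builds the equivalent request with the openssl command line so you can see how each field ends up in the request, and then verifies the request's self-signature and inspects it before it goes to the CA. All subject values, the IP address 192.0.2.10 and the FQDN fw1.example.com are constructed placeholders. It uses RSA with a 2048-bit key, the longest length Table 1 offers.

```shell
#!/bin/sh
# Added example, not part of the NSM documentation: build, verify and inspect
# the PKCS#10 request that the Table 1 fields describe, using openssl.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample values standing in for the Table 1 entries.
# Name -> CN, Phone -> telephoneNumber, Domain Component -> DC (one per entry),
# Unit/Department -> OU, Organization -> O, County/Locality -> L, State -> ST,
# Country -> C, E-mail -> emailAddress, IP Address / FQDN -> subjectAltName.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN              = Firewall Admin
telephoneNumber = +1-555-0100
0.DC            = example
1.DC            = com
OU              = Network Security
O               = Example Corp
L               = Springfield
ST              = California
C               = US
emailAddress    = fwadmin@example.com

[ ext ]
subjectAltName = IP:192.0.2.10, DNS:fw1.example.com
EOF

# Key Pair Type RSA, Key Pair Length 2048; then the request itself.
gen_request() {
    openssl genrsa -out "$WORK/fw.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/fw.key" -out "$WORK/fw.csr"
}

# Returns 0 only if the request's self-signature checks out, i.e. the request
# was really produced by the holder of the private key.
verify_request() {
    openssl req -in "$WORK/fw.csr" -noout -verify >/dev/null 2>&1
}

# Prints the subject the CA will see.
request_subject() {
    openssl req -in "$WORK/fw.csr" -noout -subject
}

# Prints the subject alternative names (IP Address and FQDN from Table 1).
request_sans() {
    openssl req -in "$WORK/fw.csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Stand-alone run: this is the material you would copy to the CA.
gen_request
verify_request && echo "request signature OK"
request_subject
request_sans
cat "$WORK/fw.csr"
```

The PEM block that `cat` prints at the end corresponds to the PKCS#10 data shown in the Job Manager window; checking the subject and alternative names before submitting it avoids the slow round trip of a CA issuing a certificate for the wrong name.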
If you are using SCEP to obtain a local certificate
and a CA certificate, the device automatically sends its public key
to the CA directly. When SCEP obtains both the local and CA certificate,
the job completes. Close the Job Manager window, and then check the
status of certificates: open the device configuration and select VPN Settings > Local Certificates. The certificate status appears as active,
indicating that the certificate file has been successfully installed
on both the physical device and the management system (you might need
to use the Refresh directive to prompt the UI to update the certificate
status).
If you are using the self-signed certificate on
a device running ScreenOS 5.1 and later, the device automatically
creates the certificate. A Job Manager window appears to display job
information and job progress. When the job is complete, close the
Job Manager window. To view the certificate, open the device configuration
and select VPN Settings > Local Certificates. The certificate status appears as active,
indicating that the self-signed certificate file has been successfully
created and installed on both the physical device and the management
system.
Published: 2009-08-20