Add a Certificate Authority Profile
To add a Certificate Authority (CA) profile:
- Click the add icon (+). The Add CA Profile page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click OK to save the changes. If you want to discard your changes, click Cancel instead.
If you click OK, a new CA profile with the provided configuration is created.
Table 1: Fields on the Add CA Profile Page
Field | Action |
---|---|
Profile Details | |
CA Profile Name | Enter a unique CA profile name. |
CA Identity | Enter a CA identity name. |
Revocation Check | Select an option from the list. |
URL | For OCSP, enter HTTP addresses for OCSP responders. For CRL, enter the name of the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LDAP). |
On Connection Failure | Enable this option to skip the revocation check if the OCSP responder is not reachable. Note: This option is applicable only for OCSP. |
Disable Responder Revocation Check | Enable this option to disable revocation check for the CA certificate received in an OCSP response. Note: This option is applicable only for OCSP. |
Accept Unknown Status | Enable this option to accept a certificate whose revocation status is reported as unknown. Note: This option is applicable only for OCSP. |
Nonce Payload | Disable the option to explicitly disable the sending of a nonce payload. Enable the option to send a nonce payload; this is the default. Note: This option is applicable only for OCSP. |
CRL Refresh Interval | Enter the time interval (in hours) between CRL updates. Range: 0 through 8784 hours. Note: This option is applicable only for CRL. |
Password | Enter the password for authentication with the server. |
Disable on Download Failure | Enable this option to override the default behavior and permit certificate verification even if the CRL fails to download. Note: This option is applicable only for CRL. |
Enrollment | |
CA Certificate | Select whether to enroll the CA certificate manually or automatically. |
File path for Certificate | Click Browse to navigate to the path from where you want to enroll the CA certificate. |
URL | Enter the URL from where you want to enroll the CA certificate automatically. |
Retry | Enter the number of enrollment retry attempts before terminating. Range: 0 through 1080. |
Retry-interval | Enter the interval in seconds between enrollment retries. Range: 0 through 3600. |
Advanced | |
Administrator | Enter an administrator e-mail address to which the certificate request is sent. |
Source Address | Enter a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers. |
Auto Re Enrollment | Enable this option to request that the issuing CA replace a certificate before its specified expiration date. |
Re Generate Key Pair | Enable this option to automatically generate a new key pair when auto-reenrolling a device certificate. |
Protocol | Select an option from the list: Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2). |
Challenge Password | Enter the challenge password used by the certificate authority (CA) for certificate enrollment and revocation. This challenge password must be the same one used when the certificate was originally configured. |
Trigger Time | Enter the percentage of the certificate lifetime remaining at which reenrollment is triggered before expiration. Range: 1 through 99 percent. |
Digest | Select an option from the list: None, SHA-1 digest (default), or MD5 digest. Note: This option is applicable only when you select the SCEP protocol. |
Encryption | Select an option from the list: None, DES, DES 3. Note: This option is applicable only when you select SCEP protocol. |
Routing Instance | Select an option from the list of configured routing instances. |
Proxy Profile | Select a proxy profile from the list, or create a new proxy profile inline. |
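As an added example (not code from the original page or from the product vendor), the following Python model shows how the OCSP and CRL options in Table 1 change the outcome of a revocation check, and which enabled options cause a certificate to be accepted without a definitive answer. The CaProfile and CheckResult classes, the status strings and the inputs are hypothetical constructions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CaProfile:
    # Hypothetical model of the Revocation Check fields on the Add CA Profile page.
    method: str                               # "none", "ocsp" or "crl"
    skip_on_connection_failure: bool = False  # "On Connection Failure" (OCSP only)
    accept_unknown_status: bool = False       # "Accept Unknown Status" (OCSP only)
    nonce_enabled: bool = True                # "Nonce Payload" (OCSP only; enabled by default)
    permit_on_download_failure: bool = False  # "Disable on Download Failure" (CRL only)

@dataclass
class CheckResult:
    # Constructed outcome of one OCSP query or CRL download for a peer certificate.
    reachable: bool = True
    status: str = "good"                      # "good", "revoked" or (OCSP only) "unknown"
    request_nonce: Optional[bytes] = None
    response_nonce: Optional[bytes] = None

def evaluate(profile: CaProfile, result: CheckResult) -> Tuple[bool, str]:
    # Return (accept, reason) for the peer certificate under this profile's settings.
    if profile.method == "none":
        return True, "revocation status not checked"
    if not result.reachable:
        # Either soft-fail option accepts the certificate with no revocation evidence at all.
        if profile.method == "ocsp" and profile.skip_on_connection_failure:
            return True, "OCSP responder unreachable; check skipped by profile"
        if profile.method == "crl" and profile.permit_on_download_failure:
            return True, "CRL download failed; verification permitted by profile"
        return False, "revocation source unreachable"
    if (profile.method == "ocsp" and profile.nonce_enabled
            and result.response_nonce != result.request_nonce):
        return False, "OCSP nonce mismatch (response may be replayed)"
    if result.status == "revoked":
        return False, "certificate revoked"
    if result.status == "unknown" and profile.method == "ocsp":
        if profile.accept_unknown_status:
            return True, "OCSP status unknown; accepted by profile"
        return False, "OCSP status unknown"
    return True, "certificate not listed as revoked"

def soft_fail_options(profile: CaProfile) -> List[str]:
    # Enabled options that let a certificate through without a definitive revocation answer.
    ocsp = profile.method == "ocsp"
    checks = [("On Connection Failure", ocsp and profile.skip_on_connection_failure),
              ("Accept Unknown Status", ocsp and profile.accept_unknown_status),
              ("Nonce Payload disabled", ocsp and not profile.nonce_enabled),
              ("Disable on Download Failure", profile.method == "crl" and profile.permit_on_download_failure)]
    return [name for name, enabled in checks if enabled]
```

Running soft_fail_options over each configured profile is a quick way to audit which CA profiles will accept certificates when the responder or CRL server is down.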