Generating Certificate Requests to ScreenOS Devices (NSM Procedure)

To send a certificate request prompt to the managed device, right-click the device and select Certificates > Generate Certificate Request. Enter the information as described in Table 67.

Table 67: Certificate Requests (each field is followed by the action to take)

Name: Enter the name of the certificate requestor; typically, this is the person who administers the security device.

Phone: Enter the telephone number of the certificate requestor.

Domain Component: Enter one or more domain components for the certificate requestor. Multiple entries must be separated by commas.

Unit/Department: Enter the unit or department of the certificate requestor.

Organization: Enter the organization of the certificate requestor.

County/Locality: Enter the county or locality of the certificate requestor.

State: Enter the state of the certificate requestor.

Country: Enter the country of the certificate requestor.

E-mail: Enter the e-mail address of the certificate requestor.

IP Address: Enter the IP address of the certificate requestor.

FQDN: Enter the fully qualified domain name of the security device.

Key Pair Type: Select RSA or DSA encryption.

Key Pair Length: Select the key length (512, 786, 1024, or 2048). Ensure that your certificate authority can support the key length you select. Key lengths greater than 1024 might require generation times longer than 10 minutes.

Create Self-Signed Certificate (ScreenOS 5.1 and higher only): Select this option to use the self-signed certificate on a device running ScreenOS 5.1 and later. Because the self-signed certificate is both the local certificate and the CA certificate, the SCEP options are automatically disabled when this option is enabled.

Automatically Enroll: Select this option to use SCEP. The device automatically requests, receives, and installs the local certificate and the CA certificate. To use SCEP, configure the following defaults:

  • Certificate authority—Select a preconfigured CA or use the default CA settings for the device.
  • E-mail request to—Provide the e-mail address that receives the PKCS#10 file, which defines the syntax for certification requests.

Click OK to send the request prompt to the device.
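As an added example, not part of this NSM documentation, the following OpenSSL shell script produces a PKCS#10 request of the kind the device generates, with the Table 67 fields placed in the subject and subjectAltName, and then runs the checks a CA operator would perform on a received request (self-signature verifies, key length meets policy, device FQDN present). The organization values, hostnames, addresses and the 2048-bit minimum are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the NSM documentation): build a PKCS#10 request that
# carries the Table 67 subject fields with OpenSSL, then check it the way a CA
# operator would before signing. Requires the openssl CLI; all values below are
# constructed sample data.
set -eu

# make_csr <dir> <bits>: generate an RSA key of <bits> and a CSR; print the CSR path.
make_csr() {
  dir="$1"; bits="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/key.pem" "$bits" 2>/dev/null
  # Subject DN maps to Table 67: Domain Component (DC), Unit/Department (OU),
  # Organization (O), County/Locality (L), State (ST), Country (C), E-mail,
  # Name (CN). FQDN and IP Address go into subjectAltName.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
0.DC = example
1.DC = com
OU = Network Operations
O = Example Corp
L = Sunnyvale
ST = California
C = US
emailAddress = fw-admin@example.com
CN = Firewall Administrator
[ext]
subjectAltName = DNS:fw1.example.com, IP:192.0.2.10
EOF
  openssl req -new -sha256 -key "$dir/key.pem" -config "$dir/req.cnf" \
    -out "$dir/req.pem" 2>/dev/null
  echo "$dir/req.pem"
}

# check_csr <csr> <min_bits>: 0 if the request's self-signature verifies, the key
# meets the minimum length, and the device FQDN is present; non-zero otherwise.
check_csr() {
  csr="$1"; min="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  text=$(openssl req -in "$csr" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ -n "$bits" ] && [ "$bits" -ge "$min" ] || return 2
  printf '%s\n' "$text" | grep -q 'DNS:fw1.example.com' || return 3
}
```

The same check_csr policy can be applied to the public key text NSM shows in the Job Manager window before it is handed to the CA.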

A Job Manager window appears to display job information and job progress. When the job is complete, the device public key appears in the Job window.

If you are obtaining the local certificate manually, you need the device public key to give to the CA. Copy and paste the information from the job window to a text file, or leave the job window open while you contact the CA.

If you are using SCEP to obtain a local certificate and a CA certificate, the device automatically sends its public key to the CA directly. When SCEP obtains both the local and CA certificate, the job completes. Close the Job Manager window, and then check the status of certificates: open the device configuration and select VPN Settings > Local Certificates. The certificate status appears as active, indicating that the certificate file has been successfully installed on both the physical device and the management system (you might need to use the Refresh directive to prompt the UI to update the certificate status).

If you are using the self-signed certificate on a device running ScreenOS 5.1 and later, the device automatically creates the certificate. A Job Manager window appears to display job information and job progress. When the job is complete, close the Job Manager window. To view the certificate, open the device configuration and select VPN Settings > Local Certificates. The certificate status appears as active, indicating that the self-signed certificate file has been successfully created and installed on both the physical device and the management system.
