PKI Default Settings Configuration in NSM Overview

You can configure default PKI settings for each security device to define how that device handles certificates. When configuring a VPN that includes the device, you can use these default settings.

In the device configuration tree, select VPN Settings > Defaults > PKI Settings to display the default PKI settings. First, configure the source interface for PKI traffic. The source interface is the interface on the device that sends the certificate request to the CA. The topic includes the following:

Configuring X509 Certificates

Configure the following X509 certificate settings:

Configuring Revocation

Revocation settings define how and when certificates are revoked. You might want to revoke a certificate that you suspect has been compromised or when a certificate holder leaves a company. You can revoke the certificate manually, or use certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) to automatically check for revoked certificates. Table 68 describes the revocation settings.

Table 68: Revocation Settings

Revocation Settings

Your Action

X.509 Certificate Path Validation Level

X509 contains a specification for a certificate that binds an entity's distinguished name to its public key through the use of a digital signature.

  • Full—Use full validation to validate the certificate path back to the root.
  • Partial—Use partial validation to validate the certificate path only part of the way to the root.

Revocation Check

Select or clear revocation checking for certificates:

  • Check for revocation—Select this option to enable revocation checking.
  • Do not check for revocation—Select this option to disable revocation checking.

Revocation Checking Method

Select the checking method to use if you enabled revocation checking. If you did not enable revocation checking, these fields are unavailable.

  • CRL—Enables you to keep a local copy of the revoked certificates on the managed device. This method enables you to check for revoked certificates quickly.
  • OSCP—Enables the device to access a remote OCSP server to check for revoked certificates. Because the OCSP server dynamically updated their list of revoked certificates, this method provides the most up-to-date information.

Best Effort

Select this option to check for revocation and accept the certificate if no revocation information is found.

CRL Settings

Configure the default setting for the certificate revocation list.

  • URL address—Provide the URL address of your internal LDAP server that provides the CRL.
  • LDAP server—Provide the IP address of the external LDAP server that manages the CRL.
  • Refresh Frequency—Select the frequency that the device contacts the CA to obtain a new CRL list: Daily, Weekly, or Monthly.


Enable to dynamically check for revoked certificates.

  • Certificate Verification—Select the CA certificate used to verify the signature on the OCSP response.
  • No revoke status check for CA delegated signing cert—Select this option if you do not want the original CA certificate to verify the validity of the CA delegated OCSP signing certificate. When enabled, the validity of the OCSP signing certificate is verified by original CA certificate.
  • URL of OCSP Responder—Provide the URL address of the OCSP server.

Configuring Simple Certificate Enrollment Protocol

Alternatively, you can use Simple Certificate Enrollment Protocol (SCEP) to get a local certificate automatically. To enable SCEP for a managed device, configure the default PKI settings for SCEP as described in Table 69.

Table 69: Simple Certificate Enrollment Protocol

PKI settings

Your Action


Enter the URL address of the certificate authority certificate generation information.


Enter the URL address of the registration authority certificate generation information that the security device contacts to request a CA certificate.


Enter the name of the certificate authority to confirm certificate ownership.


Enter the challenge word(s) sent to you by the CA that confirm the security device identity to the CA.

CA Certificate Authentication

Configure the default method for obtaining CA certificates:

  • Auto—Select this option for CA certificates retrieved through SCEP.
  • Manual—Select this option for CA certificates retrieved manually.

Polling Interval

NSM searches the list of the pending certificates based on this setting and records the time due for the first pending certificate. This process repeats 48 times; after that time, pending certificates can be polled only manually. When polling succeeds, NSM removes the pending certificate from the pending certificate list and schedules no new polling.

  • Poll—When enabled, you can configure the number of minutes between polls.
  • Do not poll—Use this option to disable automatic polling.

Related Documentation