Certificate Authentication Support in NSM Overview
Every security device supports the use of certificates to authenticate itself to outside parties. A digital certificate is an electronic means for verifying identity through a trusted third party, known as a certificate authority (CA). The CA is a trusted partner of the identity sending the digital certificate as well as the identity receiving it. To authenticate identity, the CA issues certificates, often with a set time limit. If you do not renew the certificate before the time limit is reached, the CA considers the certificate inactive. For example, a VPN member attempting to use an expired certificate is immediately detected (and rejected) by the CA.
You can use certificates to authenticate a VPN member (external device or security device), RAS users for a group IKE ID, or SSL management of a security device. You must obtain and install the following certificates on the managed device before you can use certificates to authenticate the device:
Local Certificate Validation of ScreenOS Devices Overview—A local certificate authenticates the identity of the device on which it is installed.
Certificate Authority Configuration in NSM Overview—A CA certificate authenticates a third party.
Configuring Certificate Revocation Lists (NSM Procedure) (Optional)—A certificate revocation list (CRL) ensures that expired certificates are not accepted.
A CRL is optional; you do not need to obtain and install a CRL on the security device to use certificates.
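The three pieces described above (local certificate, CA certificate, CRL) can be exercised with a small, constructed Go program that uses only the standard library. This is an added example, not NSM or ScreenOS code: newLabPKI, validateDevice, the "Lab CA" and "fw-lab-1" names and the lifetimes are assumptions chosen for the lab, and validateDevice shows the checks a peer performs: the chain must end at the trusted CA, the validity period must cover the current time (so an expired local certificate is rejected), and the CA's CRL must be correctly signed, still current, and must not list the certificate's serial number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newLabPKI constructs in memory what NSM installs on a device: CA certificate, local certificate (valid for 'lifetime') and CRL (listing the local certificate when 'revoke' is set).
func newLabPKI(lifetime time.Duration, revoke bool) (ca, device *x509.Certificate, crl *x509.RevocationList) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: constructed lab data
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey) // self-signed CA
	ca, _ = x509.ParseCertificate(caDER)
	devTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "fw-lab-1"}, NotAfter: now.Add(lifetime)}
	devDER, _ := x509.CreateCertificate(rand.Reader, devTpl, ca, &devKey.PublicKey, caKey) // local cert issued by the CA
	device, _ = x509.ParseCertificate(devDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	if revoke {
		crlTpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: device.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey) // CRL signed by the CA
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, device, crl
}
// validateDevice checks a local certificate as a peer would at time 'at': trusted chain, validity period, and CRL status.
func validateDevice(ca, device *x509.Certificate, crl *x509.RevocationList, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := device.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at}); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err) // an expired certificate is rejected here
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || at.After(crl.NextUpdate) {
		return fmt.Errorf("CRL not usable (bad signature or past NextUpdate): %v", err)
	}
	for _, rc := range crl.RevokedCertificates { // populated by ParseRevocationList
		if rc.SerialNumber.Cmp(device.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", rc.SerialNumber)
		}
	}
	return nil
}
```

Calling validateDevice with a time past the local certificate's NotAfter, or with a CRL that lists its serial number, returns an error; only a current, unrevoked certificate that chains to the trusted CA passes.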
When you add a security device that already has a local certificate, CA certificate, and CRL installed, NSM imports these certificates and lists automatically as part of the device configuration. However, to reuse the CA certificate and CRL on other security devices, you must load the CA and CRL files directly into the management system (a local certificate is specific to its device and cannot be reused on another). For information, see Imported Certificates in NSM Overview.