Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Certificate Authority Configuration in NSM Overview


A CA certificate validates the identity of the third party CA that issued the local device certificate. To view the available CA certificates on a device, in the device navigation tree, select VPN Settings > CA Certificates.


If you are using a self-signed certificate, you do not need to contact a CA. The self-signed certificate on the device is issued and signed by the same entity (the device), so the issuer and the subject of the certificate are the same. However, because this self-signed certificate is not authenticated by an external, third-party certificate authority, you cannot use it to authenticate a VPN member in an IKE VPN.

To obtain a CA certificate file (.cer), contact the CA that issued the local certificate, then use this file to create a certificate authority object. You must install this CA certificate on the managed device using NSM before you can use certificate to validate that device in your VPN. Because the CA certificate is an object, however, you can use the same CA for multiple devices, as long as those devices use local certificates that were issued by that CA.

You can also use SCEP to configure the device to automatically obtain a CA certificate at the same time it receives the local certificate. For details on configuring a certificate authority object, see “ Configuring Certificate Authorities” in the Network and Security Manager Administration Guide.