Local Certificate Validation of ScreenOS Devices Overview
A local certificate attests to the identity of the security device. Each security device that performs authentication (for example, in a VPN, for SSL management, or for device administrators) must have a local certificate installed on it. To view the local certificates available on a device, select VPN Settings > Local Certificates in the device navigation tree.
To obtain a local certificate for a device, you must prompt the device to generate a certificate request (this also generates the device's public/private key pair) using the Generate Certificate Request directive. Depending on how you want to use the local certificate and on the ScreenOS version the device is running, you can configure either a CA-signed local certificate or a self-signed local certificate, as described in Table 1.
Table 1: Local Certificate Validation

Local Certificate Type: Obtain a local certificate signed by a CA
Use for devices running ScreenOS 5.0 or later, and for devices running ScreenOS 5.1 and later that need to use a local certificate for authentication in an IKE VPN. When the device receives the prompt for a certificate request, it processes the request and returns the encrypted public key for the device. Using this encrypted public key, you contact an independent CA (or your own internal CA, if available) to obtain a local device certificate file (a .cer file). You must install this local certificate file on the managed device using NSM before you can use certificates to validate that device. Because a local certificate is device-specific, each device must have its own unique local certificate.

Local Certificate Type: Use the self-signed certificate
Use for devices running ScreenOS 5.1 and later that do not need to use the certificate for authentication in an IKE VPN. When configuring the request, select Create Self-Signed Certificate. When the device receives the certificate request, it processes the request and automatically adds the resulting certificate to the device. Because this certificate serves as both the local certificate and its own CA certificate, you do not need to contact a CA.
For CA-signed local certificates, you can also use SCEP (Simple Certificate Enrollment Protocol) to configure the device to obtain a local certificate (and the CA certificate) directly from the CA automatically.
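Table 1 describes the workflow in NSM terms. The following shell script, added here as an illustration and not taken from the ScreenOS or NSM documentation, reproduces the same steps with OpenSSL on an administrator's workstation: generate a key pair and certificate request (the Generate Certificate Request step), obtain either a CA-signed .cer from a constructed internal CA or a self-signed certificate from the same request, and then, before the .cer is installed with NSM, check that it chains to the expected CA and that its public key belongs to the key pair this device generated. The device names fw-example-01 and fw-example-02, the CA name "Example Internal CA", the file names and the minimal OpenSSL configuration are all constructed for this example; the script needs only a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Added example: the ScreenOS local-certificate workflow reproduced with OpenSSL.
# Device names, CA name, file layout and config are constructed for illustration;
# nothing here is NSM or ScreenOS code.

# Minimal OpenSSL config so results do not depend on the system openssl.cnf.
write_cfg() {   # $1 = path to write
  cat >"$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_device ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_self ]
# Self-signed device certificate: it is its own CA certificate, as Table 1 says.
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign
subjectKeyIdentifier = hash
EOF
}

# Step 1 (Generate Certificate Request): new key pair plus a PKCS#10 request.
gen_request() {   # $1 = dir  $2 = file stem  $3 = device name used as CN
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$3" -config "$1/openssl.cnf" -out "$1/$2.csr"
}

# Constructed internal CA standing in for the CA you contact with the request.
make_ca() {   # $1 = dir
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -subj "/CN=Example Internal CA" -days 30 \
    -config "$1/openssl.cnf" -extensions v3_ca -out "$1/ca.pem"
}

# Step 2a: CA-signed local certificate (.cer) issued for the request.
sign_request() {   # $1 = dir  $2 = file stem
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -days 30 -extfile "$1/openssl.cnf" -extensions v3_device -out "$1/$2.cer" 2>/dev/null
}

# Step 2b: self-signed local certificate produced from the same request and key.
self_sign_request() {   # $1 = dir  $2 = file stem
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 30 \
    -extfile "$1/openssl.cnf" -extensions v3_self -out "$1/$2-self.cer" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo. $1 = req|x509  $2 = file
pubkey_fp() {
  openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# Pre-install check: the .cer must chain to the expected trust anchor, and its
# public key must be the one in this device's own request (certificates are
# device-specific, so a .cer issued for another device must be rejected).
# Prints ok | chain-fail | key-mismatch and returns 0 only for ok.
validate_local_cert() {   # $1 = cert  $2 = trust anchor  $3 = this device's CSR
  if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo "chain-fail"; return 1
  fi
  if [ "$(pubkey_fp x509 "$1")" != "$(pubkey_fp req "$3")" ]; then
    echo "key-mismatch"; return 1
  fi
  echo "ok"
}

run_demo() {   # $1 = scratch dir; one result line per check
  write_cfg "$1/openssl.cnf"
  make_ca "$1"
  gen_request "$1" fw01 fw-example-01
  gen_request "$1" fw02 fw-example-02
  sign_request "$1" fw01
  sign_request "$1" fw02
  self_sign_request "$1" fw01
  printf 'CA-signed, own CA, own request : %s\n' "$(validate_local_cert "$1/fw01.cer" "$1/ca.pem" "$1/fw01.csr")"
  printf 'self-signed, validated by itself: %s\n' "$(validate_local_cert "$1/fw01-self.cer" "$1/fw01-self.cer" "$1/fw01.csr")"
  printf 'other device cert, own request : %s\n' "$(validate_local_cert "$1/fw02.cer" "$1/ca.pem" "$1/fw01.csr")"
  printf 'CA-signed cert, wrong anchor    : %s\n' "$(validate_local_cert "$1/fw01.cer" "$1/fw01-self.cer" "$1/fw01.csr")"
}

scratch=$(mktemp -d)
run_demo "$scratch"
rm -rf "$scratch"
```

Run it with `sh` and read the four result lines: the first two pass, the third fails with key-mismatch (a valid certificate issued for a different device's request), and the fourth fails with chain-fail (the certificate does not chain to the anchor you expected). The key-fingerprint comparison is what catches a .cer that a CA returned for the wrong request, which a chain check alone would accept.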