PKI Default Settings Configuration in NSM Overview
You can configure default PKI settings for each security device to define how that device handles certificates. When configuring a VPN that includes the device, you can use these default settings.
In the device configuration tree, select VPN Settings > Defaults > PKI Settings to display the default PKI settings. First, configure the source interface for PKI traffic. The source interface is the interface on the device that sends the certificate request to the CA. The topic includes the following:
Configuring X509 Certificates
Configure the following X509 certificate settings:
Email Destination for the PKCS#10 File—Provide the e-mail address that receives the PKCS#10, which defines the syntax for certification requests.
Select raw common name—Select this option to use only one CN field in the certificate CN in SCEP certificate request. Some certificate authorities support a single CN filed in the certificate DN, when responding to a SCEP request. When enabled, the CN field contains the value of certificate name when you set DN.
Revocation settings define how and when certificates are revoked. You might want to revoke a certificate that you suspect has been compromised or when a certificate holder leaves a company. You can revoke the certificate manually, or use certificate revocation list (CRL) or Online Certificate Status Protocol (OCSP) to automatically check for revoked certificates. Table 1 describes the revocation settings.
Table 1: Revocation Settings
X.509 Certificate Path Validation Level
X509 contains a specification for a certificate that binds an entity's distinguished name to its public key through the use of a digital signature.
Select or clear revocation checking for certificates:
Revocation Checking Method
Select the checking method to use if you enabled revocation checking. If you did not enable revocation checking, these fields are unavailable.
Select this option to check for revocation and accept the certificate if no revocation information is found.
Configure the default setting for the certificate revocation list.
Enable to dynamically check for revoked certificates.
Configuring Simple Certificate Enrollment Protocol
Alternatively, you can use Simple Certificate Enrollment Protocol (SCEP) to get a local certificate automatically. To enable SCEP for a managed device, configure the default PKI settings for SCEP as described in Table 2.
Table 2: Simple Certificate Enrollment Protocol
Enter the URL address of the certificate authority certificate generation information.
Enter the URL address of the registration authority certificate generation information that the security device contacts to request a CA certificate.
Enter the name of the certificate authority to confirm certificate ownership.
Enter the challenge word(s) sent to you by the CA that confirm the security device identity to the CA.
CA Certificate Authentication
Configure the default method for obtaining CA certificates:
NSM searches the list of the pending certificates based on this setting and records the time due for the first pending certificate. This process repeats 48 times; after that time, pending certificates can be polled only manually. When polling succeeds, NSM removes the pending certificate from the pending certificate list and schedules no new polling.