Self-Signed Certificates in NSM Overview
For devices running ScreenOS 5.1 and later, a self-signed certificate is automatically created each time the device powers on; you can use this self-signed certificate to authenticate the device for SSL management. Because this self-signed certificate is not authenticated by an external, third-party certificate authority, you cannot use it to authenticate a VPN member in an IKE VPN. A device running ScreenOS 5.1 and later automatically creates the self-signed certificate upon reboot, so you do not need to configure a Generate Certificate Request to obtain it. However, if you delete the self-signed certificate for a device and do not want to reboot the device to obtain a new certificate, you can use the Generate Certificate Request procedure to prompt the device to regenerate the certificate. For steps to obtain a self-signed certificate, see Generating Certificate Requests to ScreenOS Devices (NSM Procedure).
A self-signed certificate that was automatically generated by the device at startup has a certificate status of system. If you use the Generate Certificate Request to obtain a new self-signed certificate, the self-signed certificate has a certificate status of active.