[Contents] [Prev] [Next] [Index] [Report an Error]

Generating a Local Certificate Request Manually

When you create a local certificate request, the device generates a CA certificate in PKCS-10 format from a key pair you previously generated using the same certificate ID.

Before You Begin
Generate a public and private key. See Generating a Public-Private Key Pair . Create a CA profile. See Configuring a Certificate Authority Profile. For background information, read Public Key Cryptography for Certificates Understanding Certificates Understanding Certificate Revocation Lists Using Digital Certificates

A subject name is associated with the local certificate request in the form of a common name (CN), organizational unit (OU), organization (O), locality (L), state (ST), country (C), and domain component (DC). Additionally, a subject alternative name is associated in the following form:

IP address
E-mail address

Fully qualified domain name (FQDN)

Note: Some CAs do not support an e-mail address as the domain name in a certificate. If you do not include an e-mail address in the local certificate request, you cannot use an e-mail address as the local IKE ID when configuring the device as a dynamic peer. Instead, you can use a fully qualified domain name (if it is in the local certificate), or you can leave the local ID field empty. If you do not specify a local ID for a dynamic peer, enter the hostname.domain-name of that peer on the device at the other end of the IPsec tunnel in the peer ID field.

This topic covers:

[Contents] [Prev] [Next] [Index] [Report an Error]