Add CA Certificate

You are here: Device Administration > Certificate Management > Certificates.

To add a CA certificate:

  1. Click Create in the upper-right corner of the Certificates page.
  2. Click Certificate Authority and select CA Certificate.
    The Add CA Certificate page appears.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK to save the changes. If you want to discard your changes, click Cancel instead.
    If you click OK, a new CA certificate with the provided configuration is created.

Table 1: Fields on the Add CA Certificate Page

| Field | Action |
|---|---|
| Name | Enter a CA certificate name. |
| Revocation check | Select an option from the list:<br>• Disable—Disables verification of the status of digital certificates.<br>• OCSP—Online Certificate Status Protocol (OCSP) checks the revocation status of a certificate.<br>• CRL—A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis. |
| URL | For OCSP, enter HTTP addresses for OCSP responders.<br>For CRL, enter the name of the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LDAP). |
| On connection failure | Enable this option to skip the revocation check if the OCSP responder is not reachable.<br>Note: This option is applicable only for OCSP. |
| Disable responder revocation check | Enable this option to disable the revocation check for the CA certificate received in an OCSP response.<br>Note: This option is applicable only for OCSP. |
| Accept unknown status | Enable this option to accept a certificate with unknown status.<br>Note: This option is applicable only for OCSP. |
| Nonce payload | Disable the option—Explicitly disable the sending of a nonce payload.<br>Enable the option—Enable the sending of a nonce payload. This is the default.<br>Note: This option is applicable only for OCSP. |
| CRL refresh interval | Enter the time interval (in hours) between CRL updates.<br>Range: 0 through 8784 hours.<br>Note: This option is applicable only for CRL. |
| Disable on download failure | Enable this option to override the default behavior and permit certificate verification even if the CRL fails to download.<br>Note: This option is applicable only for CRL. |
| Load CA certificate | Select whether to load the CA certificate manually or automatically. |
| Upload CA certificate | Click Browse to upload the CA certificate that is stored.<br>Note: This option is only available if you choose to load the CA certificate manually. |
| Enrollment URL | Enter the enrollment URL.<br>Note: Enrollment URL is optional for manual upload and mandatory for automatic upload. |
| Advanced | |
| Administrator email | Enter an administrator email address. |
| Routing instance | Select an option from the list of configured routing instances. |
| Source address | Enter a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers. |
| Proxy profile | Select an option from the list. Or, to create a new proxy profile inline:<br>1. Click Create. The Create Proxy Profile page appears.<br>2. Enter the following details:<br>• Profile Name—Enter a unique proxy profile name.<br>• Connection Type:<br>◦ Server IP—Enter the IP address of the server.<br>◦ Host Name—Enter the host name.<br>• Port Number—Select the port number by using the up or down arrow. Range: 0 through 65535<br>3. Click OK. |
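
An added example (not part of the original page or of the product): a Python audit that flags the options in Table 1 that let certificate verification proceed without a revocation answer. The dictionary layout keyed by field label, the function name `audit_ca_certificate`, and the sample entries are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Keys mirror the field labels in Table 1. The dict layout is an assumption
# made for this example; it is not a device or GUI export format.
OCSP_FAIL_OPEN = {
    "On connection failure": "check is skipped when the OCSP responder is unreachable",
    "Disable responder revocation check": "certificate in the OCSP response is not checked",
    "Accept unknown status": "certificates with unknown status are accepted",
}
URL_SCHEMES = {"OCSP": {"http"}, "CRL": {"http", "ldap"}}  # schemes the page lists

def audit_ca_certificate(cfg):
    """Return sorted (severity, message) findings for one CA certificate entry."""
    mode = cfg.get("Revocation check")
    if mode == "Disable":
        return [("high", "Revocation check: disabled")]
    if mode not in URL_SCHEMES:
        return [("medium", f"Revocation check: unrecognized value {mode!r}")]
    findings = []
    for url in cfg.get("URL", []):
        if urlparse(url).scheme.lower() not in URL_SCHEMES[mode]:
            findings.append(("medium", f"{url}: scheme not listed for {mode}"))
    if mode == "OCSP":
        for field, effect in OCSP_FAIL_OPEN.items():
            if cfg.get(field):
                findings.append(("high", f"{field}: {effect}"))
        if cfg.get("Nonce payload", True) is False:  # page: enabled by default
            findings.append(("medium", "Nonce payload: no nonce is sent with requests"))
    else:  # CRL
        if cfg.get("Disable on download failure"):
            findings.append(("high", "Disable on download failure: verification "
                                     "is permitted even if the CRL download fails"))
        hours = cfg.get("CRL refresh interval")
        if hours is not None and not 0 <= hours <= 8784:
            findings.append(("medium", "CRL refresh interval: outside 0-8784 hours"))
    return sorted(findings)

# Constructed sample entries; names and URLs are placeholders.
SAMPLES = {
    "ocsp-fail-open": {"Revocation check": "OCSP", "URL": ["http://ocsp.example.test"],
                       "On connection failure": True, "Accept unknown status": True,
                       "Nonce payload": False},
    "crl-strict": {"Revocation check": "CRL", "URL": ["ldap://crl.example.test/cn=ca"],
                   "CRL refresh interval": 24},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        for severity, message in audit_ca_certificate(cfg) or [("ok", "no findings")]:
            print(f"{name}: [{severity}] {message}")
```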