Adding Certificate Enrollment Objects

You can use these objects with FTD devices. You must have Admin or Network Admin privileges to do this task.

Procedure


Step 1

Open the Add Cert Enrollment dialog:

  • Directly from Object Management: In the Objects > Object Management screen, choose PKI > Cert Enrollment from the navigation pane, and click Add Cert Enrollment.
  • While configuring a managed device: In the Devices > Certificates screen, choose Add > Add New Certificate and click (+) next to the Certificate Enrollment field.
Step 2

Enter the Name, and optionally, a Description of this enrollment object.

When enrollment is complete, this name is the name of the trustpoint on the managed devices with which it is associated.

Step 3

Open the CA Information tab and choose the Enrollment Type.

  • Self-Signed Certificate—The managed device, acting as a CA, generates its own self-signed root certificate. No other information is needed in this pane.

    Note

    When enrolling a self-signed certificate you must specify the Common Name (CN) in the certificate parameters.

  • SCEP—(Default) Simple Certificate Enrollment Protocol. Specify the SCEP information. See Certificate Enrollment Object SCEP Options.
  • Manual
    • CA Only—Select this checkbox to create only the CA certificate from the selected CA. No identity certificate is created for this enrollment object.

      If you do not select this checkbox, a CA certificate is not mandatory. You can generate the CSR without having a CA certificate and obtain the identity certificate.

    • CA Certificate—Paste CA certificate information in the box. You can also obtain a CA certificate by copying it from another device.

      You can leave this box empty if you choose to generate a CSR without the CA certificate.

  • PKCS12 File—Import a PKCS12 file on an FTD managed device that supports VPN connectivity. A PKCS#12, or PFX, file holds a server certificate, intermediate certificates, and a private key in one encrypted file. Enter the Passphrase value for decryption.
  • Skip Check for CA flag in basic constraints of the CA Certificate—Select this check box if you want to skip checking the basic constraints extension and the CA flag in a trustpoint certificate. With the check skipped, a certificate whose basic constraints extension is missing or does not assert CA:TRUE is still accepted as the trustpoint's CA certificate.
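
The following shell script is an added example, not part of the Cisco documentation and not FTD or FMC code. It uses openssl to build a constructed toy PKI that mirrors the material Step 3 deals with: a self-signed root CA (the Common Name is set explicitly, as the note above requires), an identity certificate issued from a CSR, and a passphrase-protected PKCS#12 bundle of the kind the PKCS12 File option imports. It then performs the basic-constraints CA:TRUE check that the Skip Check option bypasses, so you can see what that check accepts and rejects before relaxing it on a device. All names, the CN values and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not Cisco code): build a constructed toy PKI with openssl and check
# the basicConstraints CA flag that a trustpoint normally validates.
set -eu

# Create a root CA, an identity cert, and a PKCS#12 bundle inside $1, using $2 as the
# PKCS#12 passphrase. Subject names below are constructed for the example.
make_demo_pki() {
  dir=$1; pass=$2
  cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  (
    cd "$dir"
    # Self-signed root CA; the CN comes from the [dn] section of pki.cnf.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
      -config pki.cnf -extensions v3_ca 2>/dev/null
    # Identity key and CSR for the device, then sign the CSR with the CA (CA:FALSE).
    openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
      -config pki.cnf -subj "/CN=ftd.example.test" 2>/dev/null
    openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
      -extfile pki.cnf -extensions v3_leaf -out dev.crt 2>/dev/null
    # Bundle identity cert, private key and CA cert into one encrypted PKCS#12 file.
    openssl pkcs12 -export -inkey dev.key -in dev.crt -certfile ca.crt \
      -out dev.p12 -passout "pass:$pass"
  )
}

# Print "yes" when the certificate's basicConstraints extension asserts CA:TRUE,
# "no" when the extension is absent or says CA:FALSE. This is the check that the
# "Skip Check for CA flag in basic constraints" option turns off.
ca_flag() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Count the certificates stored in a PKCS#12 file ($1) protected by passphrase $2.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

DEMO=$(mktemp -d)
DEMO_PASS=secret   # constructed passphrase for the example bundle
make_demo_pki "$DEMO" "$DEMO_PASS"

echo "CA flag on ca.crt:  $(ca_flag "$DEMO/ca.crt")"    # yes: valid as a trustpoint CA
echo "CA flag on dev.crt: $(ca_flag "$DEMO/dev.crt")"   # no: an identity cert, not a CA
echo "certs in dev.p12:   $(p12_cert_count "$DEMO/dev.p12" "$DEMO_PASS")"
openssl verify -CAfile "$DEMO/ca.crt" "$DEMO/dev.crt"
```

Run it as an ordinary shell script with openssl 1.1.1 or later on the path. The `ca_flag` function is the quick pre-check to run on any CA certificate you intend to paste into the CA Certificate box: if it prints `no`, the device will reject the trustpoint unless you enable the skip option, and that is the moment to ask whether the issuing CA is really the right anchor rather than to relax the check.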
Step 4

(Optional) Open the Certificate Parameters tab and specify the certificate contents. See Certificate Enrollment Object Certificate Parameters.

This information is placed in the certificate and is readable by any party who receives the certificate from the managed device.

Step 5

(Optional) Open the Key tab and specify the Key information. See Certificate Enrollment Object Key Options.

Step 6

(Optional) Click the Revocation tab and specify the revocation options. See Certificate Enrollment Object Revocation Options.

Step 7

Allow Overrides of this object if desired. See Object Overrides for a full description of object overrides.


What to do next

Associate and install the enrollment object on a device to create a trustpoint on that device.