About Internal and Internal CA Certificates
Internal identity certificates are certificates for specific systems or hosts. You can generate these yourself using the OpenSSL toolkit or get them from a Certificate Authority. You can also generate a self-signed certificate.
Internal Certificate Authority (CA) certificates (Internal CA certificates) are certificates that the system can use to sign other certificates. These certificates differ from internal identity certificates with respect to the basic constraints extension and the CA flag, which are enabled for CA certificates but disabled for identity certificates. You can generate these yourself using the OpenSSL toolkit or get them from a Certificate Authority. You can also generate a self-signed internal CA certificate. If you configure self-signed internal CA certificates, the CA runs on the device itself.
For information on the features that use these certificates, see Certificate Type Used by Feature.
This procedure creates an internal or internal CA certificate by uploading a certificate file or pasting existing certificate text into a text box. If you want to generate a self-signed certificate, see Generating Self-Signed Internal and Internal CA Certificates.
To create an internal or internal CA certificate object, or when adding a new certificate object to a policy, follow this procedure:
- Do one of the following:
  - Create the certificate object in the Objects page:
    - In the navigation bar, select Objects.
    - Click the plus button and select FTD > Certificate.
  - Click Create New Object when adding a new certificate object to a policy.
- Enter a Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.
- In step 1, select Internal Certificate or Internal CA.
- In step 2, select Upload to upload the certificate file.
- In step 3, in the Server Certificate area, paste the certificate contents in the text box or upload the certificate file as explained in the wizard. If you paste the certificate into the text box, the certificate must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example:
(...5 lines removed...)
- In step 3, in the Certificate Key area, paste the key contents into the Certificate Key text box or upload the key file as explained in the wizard. If you paste the key into the text box, the key must include the BEGIN PRIVATE KEY or BEGIN RSA PRIVATE KEY line and the matching END PRIVATE KEY or END RSA PRIVATE KEY line.
Note: The key cannot be encrypted.
- Click Add.
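As an added pre-flight check that is not part of this documentation or the product: a Python script that verifies pasted PEM text against the rules above (matching BEGIN/END labels, one of the two accepted key labels, no encryption) and scans the DER bytes for the basicConstraints cA flag to suggest whether to choose Internal Certificate or Internal CA in step 1. The sample PEM strings are constructed placeholders, and the cA scan is a byte-pattern heuristic, not a full X.509 parser.

```python
import base64
import binascii
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
ACCEPTED_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}  # the two labels the wizard accepts
BC_OID = b"\x06\x03\x55\x1d\x13"  # DER encoding of id-ce-basicConstraints (OID 2.5.29.19)
CA_TRUE = b"\x30\x03\x01\x01\xff"  # SEQUENCE { cA BOOLEAN TRUE } inside the extension value

def check_certificate(text):
    """Return (ok, reason, is_ca); is_ca comes from a heuristic scan of the DER bytes."""
    bodies = [body for label, body in PEM_BLOCK.findall(text) if label == "CERTIFICATE"]
    if not bodies:
        return False, "missing BEGIN CERTIFICATE / END CERTIFICATE lines", None
    try:
        der = base64.b64decode("".join(bodies[0].split()), validate=True)
    except (binascii.Error, ValueError):
        return False, "certificate body is not valid base64", None
    idx = der.find(BC_OID)  # -1 means no basicConstraints: treat as an identity certificate
    is_ca = idx >= 0 and CA_TRUE in der[idx + len(BC_OID): idx + len(BC_OID) + 12]
    return True, "ok", is_ca

def check_private_key(text):
    """Return (ok, reason): the key must use an accepted label and must not be encrypted."""
    keys = [(lab, body) for lab, body in PEM_BLOCK.findall(text) if lab.endswith("PRIVATE KEY")]
    if not keys:
        return False, "missing BEGIN/END PRIVATE KEY or RSA PRIVATE KEY lines"
    label, body = keys[0]
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 password-protected form
        return False, "key is encrypted (PKCS#8 ENCRYPTED PRIVATE KEY); decrypt it first"
    if label not in ACCEPTED_KEY_LABELS:
        return False, f"unsupported key label {label!r}"
    if "Proc-Type: 4,ENCRYPTED" in body or "DEK-Info:" in body:  # legacy OpenSSL headers
        return False, "key is encrypted (legacy Proc-Type/DEK-Info headers); decrypt it first"
    return True, "ok"

def classify(cert_text, key_text):
    """Name the object type to pick in step 1, or list what must be fixed before upload."""
    cert_ok, cert_reason, is_ca = check_certificate(cert_text)
    key_ok, key_reason = check_private_key(key_text)
    problems = [r for ok, r in ((cert_ok, cert_reason), (key_ok, key_reason)) if not ok]
    if problems:
        return "fix: " + "; ".join(problems)
    return "Internal CA" if is_ca else "Internal Certificate"

# Constructed samples (not real credentials); the certificate body is just a DER fragment with cA=TRUE.
SAMPLE_CA_CERT = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(
    BC_OID + b"\x01\x01\xff\x04\x05" + CA_TRUE).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Treat the cA result as a hint and confirm it with `openssl x509 -in cert.pem -noout -text` before choosing the object type.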