A trusted Certificate Authority (CA) certificate is used to sign other certificates. It is self-signed and called a root certificate. A certificate that is issued by another CA certificate is called a subordinate certificate.
For information on the features that use these certificates, see Certificate Types Used by Feature.
Obtain a trusted CA certificate from an external certificate authority, or create one using your own internal CA, for example, with OpenSSL tools. Then, use the following procedure to upload the certificate.
- Do one of the following:
- Create the certificate object in the Objects page:
- In the navigation bar, select Objects.
- Click the plus button and select FTD > Certificate.
- Click Create New Object when adding a new certificate object to a policy.
- Enter a Name for the certificate. The name is used in the configuration as an object name only, it does not become part of the certificate itself.
- In step 1, select External CA Certificate and click Continue. The wizard advances to step 3.
- In step 3, in the Certificate Contents area, paste the certificate contents in the text box or upload the certificate file as explained in the wizard.
The certificate must follow these guidelines:
- The name of the server in the certificate must match the server Hostname / IP Address. For example, if you use 10.10.10.250 as the IP address but ad.example.com in the certificate, the connection fails.
- The certificate must be an X509 certificate in PEM or DER format.
- The certificate you paste must include the BEGIN CERTIFICATE and END CERTIFICATE lines. For example:
(...20 lines removed...)
- Click Add.