Internal identity certificates are certificates for specific systems or hosts. You can generate these yourself using the OpenSSL toolkit or get them from a Certificate Authority. You can also generate a self-signed certificate.
Internal Certificate Authority (CA) certificates (Internal CA certificates) are certificates that the system can use to sign other certificates. These certificates differ from internal identity certificates with respect to the basic constraints extension and the CA flag, which are enabled for CA certificates but disabled for identity certificates. You can generate these yourself using the OpenSSL toolkit or get them from a Certificate Authority. You can also generate a self-signed internal CA certificate. If you configure self-signed internal CA certificates, the CA runs on the device itself.
You can also create these certificates using OpenSSL, or obtain them from a trusted CA, and upload them. For more information, see Uploading Internal and Internal CA Certificates.
For information on the features that use these certificates, see Certificate Type Used by Feature.
Note: New self-signed certificates are generated with a 5-year validity term. Be sure to replace certificates before they expire.
Warning: Devices that have self-signed certificates may experience issues during upgrade; see New Certificate Detected for more information.
This procedure generates a self-signed certificate by entering the appropriate certificate field values in a wizard. If you want to create an internal or internal CA certificate by uploading a certificate file, see Uploading Internal and Internal CA Certificates.
To generate a self-signed certificate, follow this procedure:
- Do one of the following:
  - Create the certificate object in the Objects page:
    - In the navigation bar, select Objects.
    - Click the plus button and select FTD > Certificate.
  - Click Create New Object when adding a new certificate object to a policy.
- Enter a Name for the certificate. The name is used in the configuration as an object name only; it does not become part of the certificate itself.
- In step 1, select Internal Certificate or Internal CA.
- In step 2, select Self-Signed to create the self-signed certificate in this step.
- Configure at least one of the following for the certificate subject and issuer information:
  - Country (C)—Select the country code from the drop-down list.
  - State or Province (ST)—The state or province to include in the certificate.
  - Locality or City (L)—The locality to include in the certificate, such as the name of the city.
  - Organization (O)—The organization or company name to include in the certificate.
  - Organizational Unit (Department) (OU)—The name of the organization unit (for example, a department name) to include in the certificate.
  - Common Name (CN)—The X.500 common name to include in the certificate. This could be the name of the device, web site, or another text string. This element is usually required for successful connections. For example, you must include a CN in the internal certificate used for remote access VPN.
- Click Add.