Certificate Enrollment Object ACME Options

Secure Firewall Management Center Navigation Path

Objects > Object Management, then from the navigation pane choose PKI > Certificate Enrollment. Click Add Certificate Enrollment to open the Add Certificate Enrollment dialog box, and select the CA Information tab.

How ACME Certificates Work

  1. A Firewall Threat Defense device requests an ACME certificate for a specific domain or a list of domains through the source interface.

  2. The ACME server validates the domain ownership through port 80 of the Firewall Threat Defense device's authentication interface. For domain validation, the Firewall Threat Defense device uses an HTTP-based challenge mechanism (HTTP-01).

    Note

    Firewall Threat Defense briefly opens port 80 during the enrollment challenge-response process to provide only the ACME challenge data; the port closes as soon as the enrollment succeeds or fails.

  3. After domain validation, the ACME server issues an SSL or TLS certificate to the device.

    Note

    The stages are repeated for each FQDN in the certificate enrollment request.
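The three stages above are the ACME HTTP-01 flow of RFC 8555. The following added example (not Cisco code, and not taken from Firewall Threat Defense) models both sides of step 2 in plain Python so the check the ACME server performs is visible: the device computes the key authorization (token plus the RFC 7638 thumbprint of its ACME account key), exposes it only at the challenge path on port 80, and the CA fetches that path and compares the body. The account JWK and token values below are constructed sample data, not real keys, and `fetch` is an injected callable so the example runs offline with no network.

```python
import base64
import hashlib
import json
import re
from typing import Callable, Optional

# Constructed sample values (not real keys or tokens). In a live enrollment the
# account key is the key the device uses to sign its ACME requests, and the
# token is a random base64url string chosen by the ACME server.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-A"}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-B"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: the token must be base64url; refusing anything else keeps
# the served path confined to the challenge directory.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only, keys in lexicographic order, no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
        "OKP": ("crv", "kty", "x"),
    }
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(accountKey). This binds the
    challenge answer to the account that requested the certificate."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_responder(token: str, account_jwk: dict) -> Callable[[str], Optional[str]]:
    """Model of what the device exposes on port 80 during the challenge window.
    Exactly one path is answered; every other path returns None (an HTTP 404),
    so nothing but the challenge data is served."""
    if not _TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to serve it")
    expected_path = CHALLENGE_PREFIX + token
    body = key_authorization(token, account_jwk)

    def handle(path: str) -> Optional[str]:
        return body if path == expected_path else None
    return handle


def ca_validate_http01(token: str, account_jwk: dict,
                       fetch: Callable[[str], Optional[str]]) -> bool:
    """Model of the CA-side check (RFC 8555 section 8.3): GET the challenge
    path over plain HTTP on port 80 and compare the body, trailing whitespace
    ignored, with the expected key authorization. `fetch` stands in for the
    HTTP client so this runs offline."""
    body = fetch(CHALLENGE_PREFIX + token)
    if body is None:
        return False
    return body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    handle = challenge_responder(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("CA accepts genuine response:", ca_validate_http01(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK, handle))
    print("CA rejects other account key:", ca_validate_http01(SAMPLE_TOKEN, OTHER_ACCOUNT_JWK, handle))
    print("Non-challenge path served:", handle("/index.html"))
```

The thumbprint is what stops a third party who can answer on port 80 from completing someone else's order: the CA only accepts a body that ends with the thumbprint of the account that created the order. The responder's single-path behaviour is the counterpart of the note above about port 80 opening only for the challenge data.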

Fields

Enrollment Type—Choose ACME.

Enrollment URL—Enter the URL of the ACME server.

The default URL is that of the Let’s Encrypt service: https://acme-v02.api.letsencrypt.org/directory.

Authentication Protocol—HTTP-01 is the predefined protocol used to validate domain ownership.

Authentication Interface—Choose a security zone or an interface group that has the interface through which the ACME server communicates with the device to verify ownership of the domain. Click + to add a security zone or an interface group.

Source Interface—Choose a security zone or an interface group that has the interface through which the device interacts with the ACME server to request and receive the enrolled ACME certificate. Click + to add a security zone or an interface group.

ACME CA Certificate—Choose a manually installed CA-only certificate that authenticates the ACME server.

Enable Auto Enrollment—Check this check box to enable automatic enrollment of the ACME certificates based on the configured lifetime.

Certificate Lifetime—Enter the percentage of the ACME certificate lifetime after which certificate re-enrollment is automatically initiated. The default value is 70. For example, if the certificate's lifetime is 100 days and this field is set to 80, auto-renewal will be triggered on day 81.

Regenerate Key—Check this check box to regenerate a new key for each ACME enrollment. If you uncheck this check box, the previous key is used for enrollment.