Prerequisites for Using ACME Certificates
General Prerequisites
- Ensure that the Firewall Threat Defense device is Version 10.0 or later.
- Configure DNS in the Firewall Threat Defense platform settings to resolve the domain name of the ACME server.
- Ensure that your domain maps to a public IP address. Configure the device interface with this IP address, and set it as the authentication interface in the ACME certificate enrollment.
- Enroll an ACME CA certificate, a manually installed CA-only certificate that authenticates the ACME server, on the device.
  - If you use Let's Encrypt as the ACME server, you must get the Internet Security Research Group (ISRG) root certificate from https://letsencrypt.org/certificates/ and enroll it as a manual CA-only certificate on the device. For example, you can use the root certificate from https://letsencrypt.org/certs/isrgrootx1.pem.txt.
  - If you configure object overrides for any device, ensure that you enroll an ACME CA certificate on that device too.
- Configure the same NTP server for the ACME server and the Firewall Threat Defense device.
Prerequisites for ACME Server
- Ensure that you have access to an ACME server such as Let's Encrypt, or any other public or on-prem ACME server.
- Ensure that the ACME server is reachable from the Firewall Threat Defense device.
- Ensure that the ACME server can validate the domain name and the alternate FQDNs.
- Ensure that the ACME server is reachable from the source interface of the device, if the authentication interface is different from the source interface.
Prerequisite for VPN Load Balancing
Ensure that you include the director and member FQDNs in the Alternate FQDN field when you configure an ACME enrollment object for a VPN load balancing group. Note that ACME certificates do not support wildcard certificates.
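The prerequisites above are easy to check before you touch the device. The following pre-flight script is an added example written for this page, not Cisco code and not part of the product: it models the checks a practitioner would run for the general, ACME server and VPN load balancing prerequisites together (no wildcard in the domain or alternate FQDNs, each FQDN resolving to the public authentication interface address, the ACME server name resolving through DNS, and clock skew small enough for the NTP requirement). All hostnames, addresses and the skew tolerance are constructed sample data; DNS resolution is injected so the script runs offline.

```python
"""Pre-flight checks for ACME enrollment prerequisites (added example).

Not Cisco code. Hostnames, addresses and the 30-second skew tolerance
below are constructed sample values chosen for illustration only.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional

# Address blocks a public ACME server can never reach for HTTP-01/TLS-ALPN
# validation. RFC 5737 documentation ranges are deliberately NOT listed so
# that the sample data below can use 203.0.113.0/24 as a stand-in public block.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# A resolver maps an FQDN to its A record, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]


def is_public_ip(ip: str) -> bool:
    """True if ip parses as IPv4 and lies outside the non-public blocks."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return not any(addr in net for net in _NON_PUBLIC)


def fqdn_problems(fqdns: Iterable[str]) -> List[str]:
    """Flag names an ACME enrollment object cannot use: blanks and wildcards."""
    problems = []
    for name in fqdns:
        if not name or name != name.strip():
            problems.append(f"FQDN {name!r} is empty or has surrounding whitespace")
        elif "*" in name:
            problems.append(f"FQDN {name!r} is a wildcard; ACME certificates do not support wildcards")
    return problems


def preflight(domain: str, alt_fqdns: List[str], interface_ip: str, acme_server: str,
              resolve: Resolver, clock_skew_s: float = 0.0, max_skew_s: float = 30.0) -> List[str]:
    """Return the list of failed prerequisites; an empty list means every check passed."""
    names = [domain, *alt_fqdns]
    findings = fqdn_problems(names)

    # The authentication interface must carry the public address the domain maps to.
    if not is_public_ip(interface_ip):
        findings.append(f"authentication interface {interface_ip} is not a public IPv4 address")

    # Every name the ACME server must validate (domain plus alternate FQDNs, including
    # director and member names for a VPN load balancing group) must resolve to it.
    for name in names:
        if "*" in name:
            continue  # already reported as a wildcard
        resolved = resolve(name)
        if resolved is None:
            findings.append(f"{name} does not resolve in DNS")
        elif resolved != interface_ip:
            findings.append(f"{name} resolves to {resolved}, not the authentication interface {interface_ip}")

    # The device itself must be able to resolve the ACME server (platform DNS settings).
    if resolve(acme_server) is None:
        findings.append(f"ACME server {acme_server} does not resolve; check platform DNS settings")

    # ACME validation and certificate validity depend on synchronized clocks (same NTP server).
    if abs(clock_skew_s) > max_skew_s:
        findings.append(f"clock skew of {clock_skew_s:.0f}s exceeds {max_skew_s:.0f}s; align NTP on device and server")
    return findings


# Constructed sample DNS data standing in for a real resolver.
SAMPLE_DNS = {
    "vpn.example.com": "203.0.113.10",
    "vpn-director.example.com": "203.0.113.10",
    "vpn-member1.example.com": "203.0.113.10",
    "vpn-member2.example.com": "192.168.1.20",   # misconfigured: points at an internal address
    "acme.example.net": "203.0.113.200",         # hypothetical ACME server name
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_DNS.get(name)


def good_config_findings() -> List[str]:
    """A correctly prepared load balancing group: expected to return []."""
    return preflight("vpn.example.com", ["vpn-director.example.com", "vpn-member1.example.com"],
                     "203.0.113.10", "acme.example.net", sample_resolver)


def bad_config_findings() -> List[str]:
    """Wildcard alternate name, member on an internal address, 120s clock skew."""
    return preflight("vpn.example.com", ["*.example.com", "vpn-member2.example.com"],
                     "203.0.113.10", "acme.example.net", sample_resolver, clock_skew_s=120)


if __name__ == "__main__":
    for label, findings in (("good", good_config_findings()), ("bad", bad_config_findings())):
        print(label, "->", "PASS" if not findings else "\n  ".join(["FAIL", *findings]))
```

In production you would pass a resolver backed by the device's configured DNS (for example `socket.gethostbyname`) and measure skew against the NTP server the device is configured with; the checks themselves are unchanged. A non-empty result points at the exact prerequisite that will otherwise surface later as a failed ACME challenge or an untrusted server certificate.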