Change the type of the internal certificate authority

When you install the SMC, an internal Elliptic Curve Digital Signature Algorithm (ECDSA) certificate authority or an internal RSA certificate authority is automatically created. You can optionally change the type of the internal certificate authority.

Before you begin

CAUTION:
Creating a new internal CA replaces the existing internal CA. We strongly recommend creating a Management Server backup before creating a new internal certificate authority.

When you create a new internal certificate authority, SMC components gradually start using the new internal CA to sign certificates. The state of the internal CA changes as the CA starts signing certificates.

Table 1. Internal certificate authority states

State: Created for Different Certificate Type
Description: The new internal CA has been created, but it is not yet ready to begin signing certificates.

State: Ready to Use for Different Certificate Type
Description: The new internal CA is ready to begin signing certificates. At first, only Management Server certificates are signed by the new internal CA. Certificates for other components are signed by whichever internal CA is currently used by the Management Server.

State: Active
Description: Certificates for all components are signed by the new internal CA. In an environment with multiple Management Servers, the new internal CA changes to the Active state when all Management Servers use the new internal CA.

When you start using a new internal CA, you must recertify all SMC servers. You might also need to make initial contact between the NGFW Engines and the Management Server.

Steps

  1. Select Configuration, then browse to Administration.
  2. Browse to Certificates > Internal Certificate Authorities.
  3. Right-click Internal Certificate Authorities, then select Create New Internal RSA Certificate Authority or Create New Internal ECDSA Certificate Authority.
    You are prompted to confirm that you want to create a new internal CA.
  4. Click Yes.
    The element creation process begins and a new tab opens to show the progress of the process. When the process is finished, the progress report shows the steps that you must take next. The status of the new internal CA is Created for Different Certificate Type.
  5. Restart the Log Server and the Web Portal Server.
  6. Start the Renew Internal Certificate Authorities Task.
    1. Select Configuration, then browse to Administration.
    2. Select Tasks > Definition.
    3. Right-click the Renew Internal Certificate Authorities Task, then select Start.
    When the task finishes running, the status of the new internal CA is Ready to Use for Different Certificate Type.
  7. Check the progress report of the task to see what further steps are required.
    1. Browse to History.
    2. Right-click the Renew Internal Certificate Authorities Task, then select Show Progress Report.
    The progress report shows which steps you must take next. Follow the instructions to resolve any issues. For example, you might be prompted to check the status or connectivity of some NGFW Engines.
  8. Recertify the Management Server.
  9. Start the Renew Internal Certificate Authorities Task again.
    When the task is finished, the status of the new internal CA is Active.
  10. Recertify the Log Server and the Web Portal Server.

Next steps

If you created a new internal ECDSA CA and NGFW Engines cannot communicate with the Management Server, make sure that 256-bit encryption is enabled on the NGFW Engines. Then make initial contact between the NGFW Engines and the Management Server.
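
After recertifying, a practitioner will want to confirm that a component certificate really chains to the new internal CA and that the CA key is the type just created. The following script is an added example, not part of the SMC documentation: it assumes the CA certificate and the component certificate have been exported as PEM files, and builds constructed sample material (a sample ECDSA CA, a sample RSA CA, one Management Server certificate issued by each) in place of real exports so it runs offline.

```shell
#!/bin/sh
# Added example (not SMC code). Checks which internal CA issued a certificate
# and what key type that CA uses. Real use: point the functions at the
# exported CA PEM and component PEM (assumed file names, not SMC defaults).
set -eu

# ca_key_type CA.pem -> prints ECDSA, RSA or UNKNOWN based on the CA's key
ca_key_type() {
    case "$(openssl x509 -in "$1" -noout -text)" in
        *"id-ecPublicKey"*) echo ECDSA ;;
        *"rsaEncryption"*)  echo RSA ;;
        *)                  echo UNKNOWN ;;
    esac
}

# signed_by CERT.pem CA.pem -> succeeds only if CERT chains to that CA
signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample material standing in for the exported SMC files.
WORK=$(mktemp -d)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/ecca.key" -out "$WORK/ecca.pem" -days 30 \
    -subj "/CN=Sample Internal ECDSA CA" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/rsaca.key" -out "$WORK/rsaca.pem" -days 30 \
    -subj "/CN=Sample Internal RSA CA" 2>/dev/null
openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/mgmt.key" -out "$WORK/mgmt.csr" \
    -subj "/CN=Sample Management Server" 2>/dev/null
# Same server key signed once by the new (ECDSA) CA, once by the old (RSA) CA
openssl x509 -req -in "$WORK/mgmt.csr" -CA "$WORK/ecca.pem" \
    -CAkey "$WORK/ecca.key" -CAcreateserial -days 30 \
    -out "$WORK/mgmt-new.pem" 2>/dev/null
openssl x509 -req -in "$WORK/mgmt.csr" -CA "$WORK/rsaca.pem" \
    -CAkey "$WORK/rsaca.key" -CAcreateserial -days 30 \
    -out "$WORK/mgmt-old.pem" 2>/dev/null

# Report: which CA signed each sample certificate, and the CA key types
for c in mgmt-new mgmt-old; do
    if signed_by "$WORK/$c.pem" "$WORK/ecca.pem"; then
        echo "$c.pem: issued by the new $(ca_key_type "$WORK/ecca.pem") CA"
    else
        echo "$c.pem: NOT issued by the new CA (still on the old CA?)"
    fi
done
```

A certificate that still verifies only against the old CA after the Active state is reached is one to recertify, as the steps above describe.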