Define trusted CAs for a gateway
Certificate Authorities (CAs) vouch for the authenticity of a certificate by signing it. Gateways accept certificates only from the trusted CAs that you define.
Before you begin
You must have more than one VPN Certificate Authority element.
By default, the gateways trust all VPN CAs that are currently defined, but you can restrict the trusted CAs. You can also restrict trusted CAs in VPN Profiles.
For VPN Gateways that represent NGFW Engines, you define the trusted CAs in the Engine Editor.
For External VPN Gateways, you define the trusted CAs in the External VPN Gateway Properties dialog box. The system uses the trusted CA definition in the External VPN Gateway element to check that all gateways have the necessary certificates.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Access the Trusted VPN Certificate Authorities settings in one of the following ways:
  - Right-click a Firewall element, select Edit <element type>, then browse to .
  - Right-click an External VPN Gateway element, select Properties, then click the Trusted CAs tab.
- Select Trust only selected, then select one or more CAs.
- Save the changes in one of the following ways:
  - In the Engine Editor, click Save.
  - In the External VPN Gateway Properties dialog box, click OK.
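The trust decision this setting controls, as an added example that is not part of the product documentation: a POSIX shell script using OpenSSL builds two constructed VPN CAs and a peer gateway certificate issued by the second, then checks that certificate once against all defined CAs (the default) and once against a single selected CA. The file names, the req config and the gateway_trusts helper are the example's own, not anything in the SMC.

```shell
#!/bin/sh
# Added example, not from the product documentation: models the gateway's
# trust decision with OpenSSL. Two VPN CAs are defined; the peer gateway's
# certificate is issued by CA2. Trusting all defined CAs accepts it,
# "Trust only selected" with CA1 alone rejects it.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config (constructed): empty DN section, CA extensions for -x509.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

make_ca() {  # $1 = CA name; writes a self-signed CA certificate and key
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_gateway_cert() {  # $1 = issuing CA, $2 = gateway name
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# gateway_trusts CERT CA...: prints "accept" if CERT chains to one of the
# listed CAs (the gateway's Trusted VPN Certificate Authorities), else "reject".
gateway_trusts() {
  cert=$1; shift
  : > "$WORK/trusted.pem"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$WORK/trusted.pem"; done
  if openssl verify -no-CAfile -no-CApath -CAfile "$WORK/trusted.pem" \
       "$cert" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

make_ca CA1
make_ca CA2
issue_gateway_cert CA2 peer-gw
gateway_trusts "$WORK/peer-gw.crt" CA1 CA2   # default, all defined CAs: accept
gateway_trusts "$WORK/peer-gw.crt" CA1       # trust only selected (CA1): reject
```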
Engine Editor > VPN > Certificates
Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.
Option | Definition
---|---
Automated RSA Certificate Management | When selected, RSA certificates are automatically created and renewed. Note: Only the default certificate authority is used in automated RSA certificate management.
Trusted VPN Certificate Authorities | Restricts which certificate authorities the VPN gateway trusts.