Define trusted CAs for a gateway

A Certificate Authority (CA) vouches for a certificate's authenticity by signing it. Gateways accept certificates only from the trusted CAs that you define; a certificate signed by any other CA is rejected.

Before you begin

You must have more than one VPN Certificate Authority element.

By default, the gateways trust all VPN CAs that are currently defined, but you can restrict the trusted CAs. You can also restrict trusted CAs in VPN Profiles.

For VPN Gateways that represent NGFW Engines, you define the trusted CAs in the Engine Editor.

For External VPN Gateways, you define the trusted CAs in the External VPN Gateway Properties dialog box. The system uses the trusted CA definition in the External VPN Gateway element to check that all gateways have the necessary certificates.

Note: For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Access the Trusted VPN Certificate Authorities settings in one of the following ways:
    • Right-click a Firewall element, select Edit <element type>, then browse to VPN > Certificates.
    • Right-click an External VPN Gateway element, select Properties, then click the Trusted CAs tab.
  2. Select Trust only selected, then select one or more CAs.
  3. Save the changes in one of the following ways:
    • In the Engine Editor, click Save.
    • In the External VPN Gateway Properties dialog box, click OK.

Engine Editor > VPN > Certificates

Use this branch to change settings for automatic certificate management and trusted certificate authorities for VPNs.

Option / Definition

Automated RSA Certificate Management
  When selected, RSA certificates are automatically created and renewed.
  Note: Only the default certificate authority is used in automated RSA certificate management.

Trusted VPN Certificate Authorities
  Restricts which certificate authorities the VPN gateway trusts.
    • Trust all — The VPN gateway trusts all certificate authorities. This option is the default setting.
    • Trust only selected — The VPN gateway trusts only the certificate authorities that you select in the table.
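The procedure and the option table above describe the setting in terms of the Engine Editor; the following shell script, an added example that is not part of the SMC documentation or the product, shows what "Trust all" versus "Trust only selected" means at the X.509 level. It assumes the openssl command-line tool is installed, generates two throwaway CAs (constructed names corp-ca and partner-ca) and a gateway certificate (constructed name vpn-gw) signed by partner-ca, then verifies that certificate against a bundle of all CAs and against a bundle holding only the selected CA.

```shell
#!/bin/sh
# Added example, not from the SMC documentation: demonstrates the effect of
# "Trust all" and "Trust only selected" by verifying a gateway certificate
# against two CA bundles. Every key, CA and certificate below is throwaway
# test material generated on the fly; the names corp-ca, partner-ca and
# vpn-gw are constructed for this example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two self-signed VPN CAs, standing in for two VPN Certificate Authority
# elements defined in the SMC.
for ca in corp-ca partner-ca; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$ca" -keyout "$ca.key" -out "$ca.pem" >/dev/null 2>&1
done

# A gateway certificate signed by partner-ca only.
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn-gw" \
  -keyout gw.key -out gw.csr >/dev/null 2>&1
openssl x509 -req -in gw.csr -CA partner-ca.pem -CAkey partner-ca.key \
  -CAcreateserial -days 1 -out gw.pem >/dev/null 2>&1

# "Trust all": the trust store holds every CA currently defined.
cat corp-ca.pem partner-ca.pem > trust-all.pem
# "Trust only selected": the administrator selected corp-ca alone.
cp corp-ca.pem trust-selected.pem

# verify_gw BUNDLE CERT: prints "accepted" when CERT chains to a CA in
# BUNDLE and "rejected" otherwise. Always returns 0 so it composes with set -e.
verify_gw() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

echo "Trust all           -> $(verify_gw trust-all.pem gw.pem)"
echo "Trust only selected -> $(verify_gw trust-selected.pem gw.pem)"
```

The same gateway certificate is accepted under the first bundle and rejected under the second, which is the point of restricting the trusted CAs: a certificate is only as trustworthy as the narrowest set of CAs that the gateway is configured to accept.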