External certificate authorities
External certificate authorities can create certificates for VPN Gateways, External VPN Gateways, or VPN clients.
All IPsec certificates follow the ITU-T X.509 standard, which is also used in protocols such as TLS/SSL and HTTPS. External certificate authorities are especially useful when creating VPNs with partner organizations. Using external certificate authorities allows both organizations to use their preferred certificate authority. Different gateways in a VPN can have certificates signed by different certificate authorities.
To make NGFW Engines accept externally signed certificates of external components, you must import the public key of the external certificate authority into the SMC and add the CA to the list of trusted certificate authorities for the VPN Profile and for the NGFW Engine.
To create a certificate for NGFW Engines or the Forcepoint VPN Client, you must generate a certificate request and have it signed by the external certificate authority. The external certificate authority must support PKCS#10 certificate requests in PEM format and the signed certificates must also be in the PEM format. Furthermore, the certificate authority must be able to copy all attributes from the certificate request into the certificate. Especially, the X.509 extension Subject Alternative Name must be copied into the certificate because its value is used for identification.