Create and sign HTTPS certificates for browser-based user authentication

If HTTPS is enabled for Browser-Based User Authentication, you must have a signed HTTPS certificate.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Right-click an NGFW Engine, then select Edit <element type>.
  2. Browse to Add-Ons > User Authentication.
  3. If HTTPS is not selected, select HTTPS.
  4. Click HTTPS Settings.
  5. Enter the certificate information.
  6. Select how you want to sign the certificate:
    • Select With External Certificate Authority if you want to create a certificate request for an external certificate authority to sign.
    • Select Internally with to sign the certificate using the Internal CA for Gateways of the SMC.

      If more than one valid internal certificate authority is available, select which internal CA signs the certificate request.

  7. Click Generate Request.
  8. (External certificate authorities only) When the certificate request is displayed, click Export and sign the certificate with an external certificate authority.
  9. Click Import Certificate to import the signed certificate.
  10. Click OK to close the Certificate Request dialog box.
  11. Click OK to close the Browser-Based User Authentication dialog box.
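
Before importing the signed certificate in step 9, the certificate returned by the external certificate authority can be checked against the exported request. The following is an added example, not part of the product documentation. It uses the OpenSSL command line, and the file names, subject values, and throwaway test CA are constructed stand-ins for the request exported from the SMC and the external CA's response.

```shell
#!/bin/sh
# Added example (not from the product documentation): checks to run on a
# certificate signed by an external CA before importing it.
set -eu

# SHA-256 of the DER-encoded public key in a CSR ($1 = req) or certificate ($1 = x509).
pubkey_sha256() {
  pem=$(openssl "$1" -in "$2" -noout -pubkey) || return 1   # fail on unparsable input
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the certificate ($2) certifies the key pair the CSR ($1) was made for.
cert_matches_csr() {
  a=$(pubkey_sha256 req "$1") && b=$(pubkey_sha256 x509 "$2") && [ "$a" = "$b" ]
}

# Subject in RFC 2253 form, to compare with the Subject Name shown in the dialog.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Fingerprint ($2 = sha1, sha256 or sha512), to compare with the Fingerprint fields.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2; }

# --- Constructed sample data: stand-ins for the exported request and the CA's reply ---
work=$(mktemp -d)
openssl req -newkey rsa:2048 -nodes -keyout "$work/engine.key" \
  -out "$work/engine.csr" -subj "/O=Example/CN=auth.fw.example.com" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" \
  -out "$work/ca.crt" -subj "/CN=Example Test CA" -days 1 2>/dev/null
openssl x509 -req -in "$work/engine.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/engine.crt" 2>/dev/null

if cert_matches_csr "$work/engine.csr" "$work/engine.crt"; then
  echo "key match:  certificate matches the request"
fi
# A certificate for a different key (here the test CA's own) must be rejected.
if ! cert_matches_csr "$work/engine.csr" "$work/ca.crt"; then
  echo "wrong cert: rejected, public key does not match the request"
fi
echo "subject:    $(cert_subject "$work/engine.crt")"
echo "sha256 fp:  $(cert_fingerprint "$work/engine.crt" sha256)"
```
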

Browser-Based User Authentication HTTPS Configuration dialog box

Use this dialog box to change the properties of an HTTPS certificate for browser-based user authentication.

Option: Definition
Organization (O): (Optional) The name of your organization as it appears in the certificate.
Organization Unit (OU): (Optional) The name of your department or division as it appears in the certificate.
State/Province (ST): (Optional) The name of the state or province as it appears in the certificate.
Locality (L): (Optional) The name of the city as it appears in the certificate.
Common Name (CN): The value for the Common Name field in the certificate request. For server certificates, the value is typically the fully qualified domain name (FQDN).
Key Length: The length of the key in bits.
Sign:
  With External Certificate Authority: Select this option if you want to create a certificate request that another certificate authority signs.
  Internally with: Select this option to sign the certificate using an internal CA. If more than one valid internal CA is available, select the internal CA that signs the certificate request. There can be multiple valid internal CAs in the following cases:
    • There is both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways.
    • The Internal CA for Gateways is in the process of being renewed and both the previous CA and the new CA are temporarily available.
Generate Request: Generates the request. The certificate request is shown in the same dialog box.

Certificate Request — if signing with an external certificate authority
Option: Definition
Subject Name: The identifier of the certified entity.
Export: Opens the Export Certificate Request dialog box.
Import Certificate: Opens the Import Certificate dialog box.
Delete: Deletes the certificate request.
Sign Internally: Signs the certificate with the Internal CA. If more than one valid internal CA is available, opens the Sign Certificate Request dialog box.

Certificate Request — if signing with an internal certificate authority
Option: Definition
Subject Name: The identifier of the certified entity.
Public Key Algorithm: The algorithm used for the public key.
Key Length: The length of the key in bits.
Serial Number: The sequence number of the certificate. The number is issued by the CA.
Signature Algorithm: The signature algorithm that was used to sign the certificate.
Signed By: The CA that signed the certificate.
SubjectAltName: The subject alternative name fields of the certificate.
Valid From: The start date of certificate validity.
Valid To: The end date of certificate validity.
Fingerprint (SHA-1): The certificate fingerprint using the SHA-1 algorithm.
Fingerprint (SHA-256): The certificate fingerprint using the SHA-256 algorithm.
Fingerprint (SHA-512): The certificate fingerprint using the SHA-512 algorithm.
Export: Opens the Export Certificate dialog box.
Delete: Deletes the certificate request.

Export Certificate Request dialog box

Use this dialog box to export a certificate request to sign using an external certificate authority.

Option: Definition
Certificate request field: Shows the certificate request as text. You can copy and paste the certificate request into an external application to sign the certificate.
Export: Exports the certificate request so that you can sign it using an external certificate authority. Opens the Export Certificate Request dialog box.

Sign Certificate Request dialog box

Use this dialog box to sign certificate requests for internal VPN gateways.

Option: Definition
Sign With: If more than one valid internal certificate authority is available, allows you to select which internal CA signs the certificate request.
  • <default internal CA> — The default internal CA element signs the certificate.
  • Select — Allows you to select a CA element. Opens the Select dialog.
Sign: Signs the certificate using the selected CA, then closes the window.