VPN certificate issues
Your VPN Gateway always needs a certificate if VPN clients connect to it. In a site-to-site VPN, certificates are required when the VPN Profile used includes a certificate-based authentication method (ECDSA signatures, RSA signatures, or DSS (DSA) signatures).
Certificate acceptance
By default, the gateways only accept certificates signed by your Management Server. To accept certificates from other sources, you must define the certificate authority (CA) that signed the certificate as trusted. By default, all Gateways and all VPNs accept any valid CA that you have configured. You can configure the trusted CAs at the Gateway level and at the VPN level. A CA must be trusted on both levels to be accepted as a trusted CA for a VPN.
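The two-level rule above can be modelled as a set intersection, which is useful when working out why a peer's certificate is rejected. The following Python sketch is an added illustration, not code or an API from the product; the CA names and the function names are constructed for the example, and `None` is an assumption used here to represent the default of trusting every configured CA at that level.

```python
from typing import List, Optional, Set

# Constructed sample: CAs defined as trusted in the management system.
CONFIGURED_CAS = {"Internal CA", "Partner CA", "Corp PKI CA"}

def _level(configured: Set[str], restricted: Optional[Set[str]]) -> Set[str]:
    """CAs trusted at one level; None models the default (all configured CAs)."""
    return set(configured) if restricted is None else restricted & configured

def effective_trust(configured: Set[str],
                    gateway_trusted: Optional[Set[str]],
                    vpn_trusted: Optional[Set[str]]) -> Set[str]:
    """A CA is accepted for a VPN only if both levels trust it."""
    return _level(configured, gateway_trusted) & _level(configured, vpn_trusted)

def explain_rejection(issuer: str,
                      configured: Set[str],
                      gateway_trusted: Optional[Set[str]],
                      vpn_trusted: Optional[Set[str]]) -> List[str]:
    """Return the reasons a certificate from `issuer` is not accepted.

    An empty list means the issuing CA is trusted at both levels.
    """
    if issuer not in configured:
        return ["CA is not defined as trusted"]
    reasons = []
    if issuer not in _level(configured, gateway_trusted):
        reasons.append("not trusted at the Gateway level")
    if issuer not in _level(configured, vpn_trusted):
        reasons.append("not trusted at the VPN level")
    return reasons

if __name__ == "__main__":
    # Gateway restricted to two CAs, VPN restricted to a different pair.
    gw = {"Internal CA", "Partner CA"}
    vpn = {"Partner CA", "Corp PKI CA"}
    print(sorted(effective_trust(CONFIGURED_CAS, gw, vpn)))
    for ca in sorted(CONFIGURED_CAS | {"Unknown CA"}):
        print(ca, "->", explain_rejection(ca, CONFIGURED_CAS, gw, vpn) or "accepted")
```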
Creating, signing, renewing, transferring to gateways
Internally signed certificates are created, uploaded to the engines, and renewed automatically if automatic certificate management is enabled for the NGFW Engine.
You can manually create certificate requests, import certificates, and sign certificate requests in the
branch of the Configuration view. Any certificate request you create is, by default, also immediately signed using the internal CA and uploaded to the engine. To disable this action (for example, to sign the certificate using an external CA), you must deactivate this option in the new certificate request you create.
To sign or upload a certificate, display the certificates, then select Tools and the corresponding option.