Add a Certificate Authority Profile

CA Profile Name

Enter a unique CA profile name.

CA Identity

Enter a CA identity name.

Revocation Check

Select an option from the list:

• Disable—Disables verification of status of digital certificates.

• OCSP—Online Certificate Status Protocol (OCSP) checks the revocation status of a certificate.

• CRL—A CRL is a time-stamped list identifying revoked certificates, which is signed by a CA and made available to the participating IPsec peers on a regular periodic basis.

URL

For OCSP, enter HTTP addresses for OCSP responders.

For CRL, enter the name of the location from which to retrieve the CRL through HTTP or Lightweight Directory Access Protocol (LDAP).

On Connection Failure

Enable this option to skip the revocation check if the OCSP responder is not reachable.

Disable Responder Revocation Check

Enable this option to disable revocation check for the CA certificate received in an OCSP response.

Accept Unknown Status

When set to enable, accepts the certificate with unknown status.

Nonce Payload

Disable the option—Explicitly disable the sending of a nonce payload.

Enable the option—Enable the sending of a nonce payload. This is the default.

CRL Refresh Interval

Enter the time interval (in hours) between CRL updates.

Range: 0 through 8784 hours.

Password

Enter the password for authentication with the server.

Disable on Download Failure

Enable this option to override the default behavior and permit certificate verification even if the CRL fails to download.

CA Certificate

Select an option whether you want to enroll the CA certificate manually or automatically.

File path for Certificate

Click Browse to navigate to the path from where you want to enroll the CA certificate.

URL

Enter the URL from where you want to enroll the CA certificate automatically.

Retry

Number of enrollment retry attempts before terminating. Range: 0 - 1080.

Retry-interval

Interval in seconds between the enrollment retries. Range: 0 - 3600.

Administrator

Enter an administrator e-mail address to which the certificate request is sent.

Source Address

Enter a source IPv4 or IPv6 address to be used instead of the IP address of the egress interface for communications with external servers.

Auto Re Enrollment

Enable this option to request that the issuing CA replace a certificate before its specified expiration date.

Re Generate Key Pair

Enable this option to automatically generate a new key pair when auto-reenrolling a device certificate.

Protocol

Select an option from the list: Simple Certificate Enrollment Protocol (SCEP) or Certificate Management Protocol version 2 (CMPv2).

Challenge Password

Enter the challenge password used by the certificate authority (CA) for certificate enrollment and revocation. This challenge password must be the same used when the certificate was originally configured.

Trigger Time

Enter the percentage for the reenroll trigger time before expiration.

Range: 1 through 99 percent

Digest

Select an option from the list: None, SHA-1 digest (default), or MD5-digest.

Encryption

Select an option from the list: None, DES, DES 3.

Routing Instance

Select an option from the list of configured routing instances.

Proxy Profile

Select an option from the list. Or

To create a new proxy profile inline:

1. Click Create.

   Create Proxy Profile page appears.

2. Enter the following details:

   • Profile Name—Enter a unique proxy profile name.

   • Connection Type:

     • Server IP—Enter the IP address of the server.

     • Host Name—Enter the host name.

   • Port Number—Select the port number by using top/down arrows.

     Range: 0 through 65535

3. Click OK.