Certificate Deployment
You can deploy certificates obtained from a trusted third-party CA or from an enterprise CA, or generate a self-signed root CA certificate on an NGFW.

Certificate deployment is the installation of certificates and the configuration of the settings that applications or services use with them. You deploy certificates after you have obtained them. The installation and configuration steps differ depending on how you obtain the certificate.
Obtain certificates from a trusted third-party CA—You can obtain certificates from trusted third-party certificate authorities (CAs) through a formal request process. This process includes submitting a certificate signing request (CSR) that contains the server's public key, identifying information about your organization, and the Common Name of the server or website. The benefit of obtaining a certificate from a trusted third-party certificate authority (CA) such as VeriSign or GoDaddy is that end clients already trust the certificate, because common browsers include root CA certificates from well-known CAs in their trusted root certificate stores. For applications that require end clients to establish secure connections with the firewall or Panorama, purchase a certificate from a CA that end clients trust so that you do not have to predeploy root CA certificates to the end clients. This applies to applications such as the GlobalProtect™ portal and GlobalProtect Mobile Security Manager. However, most third-party CAs can't issue signing certificates, which makes this type of certificate inappropriate for applications, such as SSL/TLS decryption and Large Scale VPN, that require the firewall to issue certificates. See Obtain a Certificate from an External CA.
Obtain certificates from an enterprise CA—If your organization maintains its own public key infrastructure (PKI), you can import certificates and private keys directly from your enterprise certificate authority (CA). The benefit is that end clients probably already trust the enterprise CA. Unlike most third-party commercial certificates, enterprise CA certificates can be used to automatically issue certificates for applications such as SSL/TLS decryption or GlobalProtect Large Scale VPN deployments. You can either generate the needed certificates and import them onto the firewall, or generate a certificate signing request (CSR) on the firewall and send it to the enterprise CA for signing. A benefit of the CSR method is that the private key never leaves the firewall. See Import a Certificate and Private Key.

If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can automate the generation and distribution of unique client certificates using SCM. See Deploy Certificates Using SCEP.
Generate self-signed certificates—A self-signed root CA certificate sits at the top of a certificate chain hierarchy. Firewalls can use these certificates to automatically issue subordinate certificates for various purposes, including SSL/TLS decryption and GlobalProtect Large Scale VPN satellites. To generate a certificate, first create a self-signed root CA certificate, and then generate a certificate.

When you use this method to generate certificates for an application that requires an end client to trust the certificate, end users will see a certificate error because the root CA certificate is not in their trusted root certificate store. To prevent this, deploy the self-signed root CA certificate to all end-user systems. You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).