Add externally generated certificate, intermediate and root CAs

You can upload an externally generated intermediate CA with its private key and its root CA.

Note

We recommend using a CSR generated in the firewall to generate the certificates and intermediate CAs.

The firewall automatically matches the CSR's private key with the CA, ensuring private key security. See Add subordinate and root CAs for TLS traffic.

Upload the certificate

  1. Go to Certificates > Certificates and click Add.
  2. Enter a name.
  3. Select the Certificate file format, for example, PEM (.pem).
  4. Click Browse and upload the Certificate.
  5. Click Browse and upload the Private key.
  6. Enter the passphrase or preshared key.
  7. Click Save.

Upload the intermediate CA

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

    The firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.

  3. (Optional) Change the name.

  4. In this example, set the CA's purpose to Signing and validation.
  5. Upload its private key.
  6. Enter the private key's passphrase.
  7. Click Save.

Upload the root CA

You must upload the root CA to validate the intermediate CA.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.
  3. Set Use certificate for to Validation only.

    The root CA validates the intermediate CA.

  4. Click Save.

Check the certificate's trust

  1. Go to Certificates > Certificates.
  2. Under Trusted, see if the green check icon appears for the certificate you uploaded.

(Optional) Check the intermediate CA's private key

  1. Go to Certificates > Certificate authorities.
  2. Click the filter button next to Type.
  3. In the pop-up window, select Uploaded and click Apply.

  4. See if the private key icon appears next to the subordinate CA.

    The icon confirms that you've uploaded the signing CA's private key to the firewall.
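
Before uploading, you can confirm offline that each private key matches its certificate, that the intermediate is marked as a CA, and that the chain validates to the root. The script below is an added example using the openssl CLI, not part of the original page or the firewall's own tooling; the function names, file names and the `KEYPASS` variable are assumptions, and the sample files are constructed throwaway data.

```shell
#!/usr/bin/env bash
# Added example: offline pre-upload checks with the openssl CLI (not firewall commands).

key_matches_cert() {  # $1=cert  $2=private key  $3=optional passin source, e.g. env:KEYPASS
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]  # identical public keys: the key belongs to the certificate
}

is_ca() {  # a signing CA certificate must carry basicConstraints CA:TRUE
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

chain_ok() {  # $1=root CA  $2=intermediate CA  $3=certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

preflight() {  # $1=root $2=intermediate $3=its key $4=certificate $5=its key $6=optional passin
  pf_rc=0
  is_ca "$2" || { echo "FAIL: intermediate is not marked CA:TRUE"; pf_rc=1; }
  key_matches_cert "$2" "$3" "$6" || { echo "FAIL: intermediate CA key or passphrase"; pf_rc=1; }
  key_matches_cert "$4" "$5" "$6" || { echo "FAIL: certificate key or passphrase"; pf_rc=1; }
  chain_ok "$1" "$2" "$4" || { echo "FAIL: chain does not validate to the root"; pf_rc=1; }
  [ "$pf_rc" -eq 0 ] && echo "OK: keys match and the chain validates"
  return "$pf_rc"
}

make_sample_pki() {  # constructed throwaway root, intermediate and certificate in directory $1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=constructed' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' '[v3_leaf]' 'basicConstraints=CA:FALSE' > "$1/x.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/x.cnf" -extensions v3_ca \
    -subj '/CN=Constructed Root' -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
  for n in int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$1/x.cnf" -subj "/CN=Constructed $n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
    -days 2 -extfile "$1/x.cnf" -extensions v3_ca -out "$1/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial \
      -days 2 -extfile "$1/x.cnf" -extensions v3_leaf -out "$1/leaf.pem" 2>/dev/null
}

# Demo on the constructed files; pass your own file paths to preflight before uploading.
demo_dir=$(mktemp -d) && make_sample_pki "$demo_dir" && preflight "$demo_dir/root.pem" \
  "$demo_dir/int.pem" "$demo_dir/int.key" "$demo_dir/leaf.pem" "$demo_dir/leaf.key"
```

For a passphrase-protected key, export the passphrase in a variable and pass `env:KEYPASS` as the last argument so it does not appear in the process list.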
