


KB22288 - How to install an SSL (device) certificate on a Pulse Connect Secure Access gateway



Last Modified Date: 9/25/2015 12:02 PM
This article provides information on how to install an SSL (device) certificate on a Pulse Connect Secure Access gateway.
Problem or Goal
How to set up a Pulse Connect Secure Access gateway with a certificate that can be used in a production environment.

The Pulse Connect Secure Access gateway (PCS) has a self-signed certificate, which is created during the serial console setup of the Pulse Connect Secure Access gateway. This self-signed certificate is capable of encrypting the traffic to and from the PCS; however, as it is self-signed, it is not recommended to use this certificate in a production environment.

A production certificate can be created in two ways: by creating a CSR (cannot be exported outside of PCSs) or by importing a certificate that contains both a public and private key.

  1. Creating a CSR
  • At the bottom of this page, click the New CSR button and provide the requested information.

To create a CSR:
  1. Go to Configuration > Certificates > Device Certificates:

  2. At the bottom of this page, click New CSR:

  3. Type the details of the certificate that you wish to generate from the IVE and then click Create CSR:

    Note: Be sure to confirm the key length of the certificate before clicking generate; the 2048 bit option should be enabled, as indicated in the image below:

  4. The PCS will now generate a request in base64 format. The private key is stored inside the PCS. The certificate request contains a one-way hash of the key, so the private key is never exposed to the outside world. The generated CSR is listed under Certificate Signing Requests as a Pending CSR.

  5. Submit the CSR to your CA.
  6. Once the CA signs the CSR and sends the certificate, save it locally to upload. The PCS can handle the PKCS #7 (.p7b) and DER (.der) formats.

    The certificate can now be uploaded to the PCS by using the field that is located at the bottom of the pending CSR:

    Note: It is recommended to save a copy of the system.cfg file, as soon as you upload a certificate in this manner. To download system.cfg, go to Import/Export -> Import/Export Configuration and click Save Config As to save it.

Generating a certificate without a CSR:
  • Certificate File includes the private keys.
  • Certificate and the private key are separate files.

The other way to import certificates is to generate a certificate with the Public and Private Key from a CA. 

Uploading the certificate

On the PCS go to Configuration > Certificates > Device Certificates and click Import Certificate & Key.

If the Certificate File includes the private keys, perform the following procedure:
  1. Most CAs provide the private and public key in the same file, unless requested otherwise. Select the appropriate import option and provide the passcode, if you have created the certificate with one.

    1. Browse and select the signed certificate with the .pfx file extension.
    2. Type the password for the .pfx file.
    3. Click Import as to specify where the certificate will be imported.

If the Certificate and the private key are separate files, perform the following procedure:
  1. Download the private key from the Web/CA server that generated the CSR (the private key will be in the .pem format and is password protected) and then import the private key with the signed certificate (provided by the certificate authority; the extension will be in the .cer format) to the PCS.

    1. From Certificate File, browse and select your signed certificate.
    2. From Private Key File, browse and select your private key.
    3. In Password Key, type the password for the private key.
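
Before uploading in either the CSR procedure or the separate-files procedure above, the files can be checked on an administrator workstation with openssl. The script below is an added example, not part of the original article: check_csr confirms that the CA's certificate carries the public key of the pending CSR, and check_pair confirms that a private key belongs to the certificate and is at least 2048 bits. The function names, file names and PEM input format are assumptions, and make_sample only builds constructed, self-signed throwaway files for trying the checks.

```shell
#!/bin/sh
# Added example: pre-upload checks run on the admin workstation with openssl.
# Function names, file names and PEM inputs are assumptions of this example.

# CSR path: the CA's certificate must carry the public key of the pending CSR.
check_csr() {  # check_csr CSR CERT -> 0 match, 1 mismatch, 2 unreadable
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$csr_pub" = "$cert_pub" ] || return 1
}

# Separate-files path: the private key must belong to the certificate and
# meet the minimum key size. The key password is read from PASSFILE.
check_pair() {  # check_pair CERT KEY PASSFILE [MIN_BITS] -> 0 ok, else 1/2/3
    min=${4:-2048}
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1      # key does not match certificate
    bits=$(openssl x509 -in "$1" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min" ] || return 3       # key shorter than MIN_BITS
}

# Constructed throwaway material (self-signed, not CA-issued) for a dry run.
make_sample() {  # make_sample DIR -> DIR/pass.txt key.pem req.csr cert.cer
    printf 'example-pass\n' > "$1/pass.txt"
    openssl req -new -newkey rsa:2048 -subj "/CN=vpn.example.test" \
        -passout "file:$1/pass.txt" -keyout "$1/key.pem" -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" \
        -passin "file:$1/pass.txt" -days 1 -out "$1/cert.cer" 2>/dev/null
}

# Usage: sh precheck.sh CERT KEY PASSFILE [MIN_BITS]
if [ "$#" -ge 3 ]; then check_pair "$@"; fi
```

An exit status of 1 means the files do not belong together, 2 means a file or password could not be read, and 3 means the key is shorter than the required size.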

Importing the previous device certificate from the system configuration backup:

Importing it from Maintenance > Import/Export > Configuration (System Configuration):

Importing it from System > Configuration > Certificate > Device Certificate > Import Certificate and key:

The production certificate should now be installed.

Note: Make sure to bind the imported certificate to the relevant port, according to the configuration (Internal/External port), to avoid certificate errors in the browser when you type the sign-in URL of the website.
You can remove the current self-signed/expired certificate from the relevant port, then add the new certificate and click "Save Changes".

To map the certificate to the ports, click the imported certificate and then the ports can be mapped. The following image illustrates the procedure:

Created By: Data Deployment


