KB29002 - Creating and Installing a New or Replacement Device Certificate

If your company does not own a digital certificate for its Web servers, or if you are running a PCS FIPS device, you can create a CSR (certificate signing request) through the admin console and then send the request to a CA for processing. When you create a CSR through the admin console, a private key is created locally that corresponds to the CSR. If you delete the CSR at any point, this file is deleted, too, prohibiting you from installing a signed certificate generated from the CSR.

You need to create a CSR (certificate signing request) and send it to a CA for processing to obtain a digital certificate for an PCS or MAG PCS device. 

 

Note: Do not send more than one CSR to a CA at one time. Doing so may result in duplicate charges. You may view details of any pending requests that you previously submitted by clicking the Certificate Signing Request Details link in the Device Certificates tab.

To create a certificate signing request:

1. In the admin console, choose System > Configuration > Certificates > Device Certificates.
2. Click New CSR.
   
   
3. Enter the required information and click Create CSR.
   
   
   
   Note: Generating a 2048-bit CSR on a FIPS hardware device (such as the PCS6500 FIPS appliance) may take up to 10 minutes.  Due to the nature of the FIPS hardware security module (HSM), access to the device is interrupted during the CSR generation.  Pulse Secure recommends that CSR generation be performed during a maintenance window.
    
4. Follow the instructions on-screen, which explain what information to send to the CA and how to send it.  Under Step 1, certificate signing request is provided text box below.
   
   
5. When you receive the signed certificate from the CA, import the certificate file using the instructions under Step 2.
   
   
   
   Note:  When submitting a CSR to a CA authority, you may be asked to specify either the type of Web server on which the certificate was created or the type of Web server the certificate is for.  Select Apache (if more than one option with apache is available, choose any).  Also, if prompted for the certificate format to download, select the standard format.

Importing a Signed Certificate Created From a CSR

To import a signed device certificate created from a CSR:

1. In the admin console, choose System > Configuration > Certificates > Device Certificates.
2. Under Certificate Signing Requests, click the Pending CSR link that corresponds to the signed certificate.
   
   
3. Under Import signed certificate, browse to the certificate file you received from the CA and then click Import to add the new certificate to the device certificate list.
   
   
4. From the device certificate list, click on the certificate you are replacing and remove the certificate from any ports that it is applied to and click Save Changes.
   
   In this example, the current device certificate is only bound to the internal port.
   
   
   
   
    
5. Click on the new certificate and reapply it to the relevant port.  
   
   
   
   
6. Once the certificate is no longer in use by any ports, it can be deleted from the device certificate list by placing a check in the box next to the certificate and clicking "Delete".