Automating CLM for Firewall

Onboarding a Firewall Device

Adding a Cisco Firewall Device

Prerequisites

  • General prerequisites:
    • Ensure communication between AppViewX and the firewall is enabled.
    • AppViewX needs an internet or proxy connection to communicate with the firewall via the REST API.
    • Valid firewall account details, including API tokens/keys and user credentials, are necessary.
    • The API must have elevated (admin) permissions to read and modify SSL certificates.
  • IP Address/FQDN: IP address or FQDN
  • User Privilege:
    • Username/Password
    • Credential List AppViewX/CyberArk
  • Enable Password: Required
  • License Check: Not required
  • Services and Port for AppViewX Communication: Port numbers 22 (SSH)
  • Internet Access/Proxy: Not required
  • Location from which the certificates are discovered if Certificate Managed: Certificates are fetched by issuing a direct command to the device through SSH.
    Note: For Visual Workflow action items, you will require credentials with write privilege.

Configuring a Cisco Firewall Device

Prerequisites

To add a Cisco device:

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click (Add) icon located upper right corner.
    The Add page appears.
  3. Select the Cisco vendor from the left side bar.
  4. Enter the field information in the General Information section.
    Table 1. Field and Description Table
    Field Description
    CI name Name of the CI.
    Platform Select the platform from the dropdown list. The available option is ASA.
    *Device name Unique custom identifier of your device.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Communication The communication mode that firewall devices can be added to AppViewX. The possible communication modes are:
    • IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected.
    • FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
    *IP address/FQDN Enter the IP address or FQDN based on the selected communication mode.
    Data center Select from an existing list or enter a new data center.
    Cert sync Provision to discover and manage the SSL certificates from the firewall devices. The possible Cert syncs are:
    • Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc.
    • Monitored - All SSL certificates will be discovered and will not have any CA-related communication.
    • Ignored - No SSL certificates will be discovered from the firewall device.
    Note: The certification sync is based on the license applied.
    *: Mandatory fields
  5. Enter the field information in the Credentials section:
    Table 2. Field and Description Table
    Field Description
    *Credential type Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the dropdown list:
    • Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected.

    • AppViewX Credential List - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication.

      To create a credential list, see Creating Credential List in the Platform User Guide.
    *Username Username for the firewall device when you select the Manual Entry credential type.
    *Password Valid password for the firewall device when you select the Manual Entry credential type.
    Note: Use strong passwords for secure device communication. Your Passwords can be of any length with a combination of alpha-numerical, symbols, and special characters.
    Expert password Enter the privilege password.
    *: Mandatory fields
  6. Enter the field information in the Secondary device information section as follows:
    • Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.
    • Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.
    • Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.
    Note:
    • By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
    • By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
  7. Click the Save button to add an Firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message is displayed as Device added successfully.

Validating the Cisco Device Addition

After adding the device, you can validate the device by searching device in the device inventory.

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. Search the device name and validate whether the device is added successfully.

Adding a F5 Firewall Device

Configuring a F5 Firewall Device

Prerequisites:
  • For the Onboarding Group field to appear in the General Information section, you must first enable by going to CERT+ > Certificate Discovery > Discovery Configuration > Network Discovery and selecting the Manual option in Onboarding Group.

To add a F5 device:

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click (Add) icon located upper right corner.
    The Add page appears.
  3. Select the F5 vendor from the left side bar.
  4. Enter or select the field information in the General Information section.
    Table 3. Field and Description Table
    Field Description
    vCMP Host Select the check box to add host based device if required.
    vCMP Guest Select the check box to add device as guest if required..
    CI name Name of the CI.
    Platform Select the platform from the dropdown list. The available option is AFM.
    *Device name Unique custom identifier of your device.
    *Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    Data center The data center on which the device has been hosted. Select a Datacenter from the drop-down list or enter a data center name.
    Communication The communication mode that firewall devices can be added to AppViewX. The possible communication modes are:
    • IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected.
    • FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
    *IP address/FQDN Enter the IP address or FQDN based on the selected communication mode.
    Data center Select from an existing list or enter a new data center.
    Cert sync Provision to discover and manage the SSL certificates from the firewall devices. The possible Cert syncs are:
    • Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc.
    • Monitored - All SSL certificates will be discovered and will not have any CA-related communication.
    • Ignored - No SSL certificates will be discovered from the firewall device.
    Note: The certification sync is based on the license applied.
    *: Mandatory fields
  5. Enter or select the field information in the Credentials section:
    Table 4. Field and Description Table
    Field Description
    *Credential type Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the drop-down list:
    • Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected.
    • AppViewX Credential List - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication.

      To create a credential list, see Creating Credential List in the Platform User Guide.
    *Username Username for the firewall device when you select the Manual Entry credential type.
    *Password Valid password for the firewall device when you select the Manual Entry credential type.
    Note: Use strong passwords for secure device communication. Your Passwords can be of any length with a combination of alpha-numerical, symbols, and special characters.
    Expert password Enter the privilege password.
    *: Mandatory fields
  6. Note: This step is applicable only if you have selected vCMP Host check box in the General Information section.
    Enter or select the field information in the Secondary device information section as follows:
    • Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.
    • Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.
    • Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.
    Note:
    • By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
    • By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
  7. Click the Save button to add an Firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message is displayed as Device added successfully.

Validating the F5 Device Addition

After adding the device, you can validate the device by searching device in the device inventory.

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. Search the device name and validate whether the device is added successfully.

Adding a Fortinet Firewall Device

Prerequisites

  • General prerequisites:
    • Ensure communication between AppViewX and the firewall is enabled.
    • Valid firewall account details, including API tokens/keys and user credentials, are necessary.
  • IP Address/FQDN: IP address or FQDN
  • User Privilege: Username/Password
  • Services and Port for AppViewX Communication: Port number 22 (SSH)
    Note: For Visual Workflow action items, you will require credentials with write privilege.

Configuring Fortinet Firewall Device

To add a Fortinet device:

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click (Add) icon located upper right corner.
    The Add page appears.
  3. Select the Fortinet vendor from the left side bar.
  4. Enter the field information in the General Information section.
    Table 5. Field and Description Table
    Field Description
    CI name Name of the CI.
    Platform Select from the following options:
    • Fortigate
    • FortiManager
    *Device name Unique custom identifier of your device.
    Data center The data center on which the device has been hosted. Select a Datacenter from the dropdown list or enter a data center name.
    Communication The communication mode that firewall devices can be added to AppViewX. The possible communication modes are:
    • IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected.
    • FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
    *IP address/FQDN Enter the IP address or FQDN based on the selected communication mode.
    Data center Select from an existing list or enter a new data center.
    Cert sync Provision to discover and manage the SSL certificates from the firewall devices. The possible Cert syncs are:
    • Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc.
    • Monitored - All SSL certificates will be discovered and will not have any CA-related communication.
    • Ignored - No SSL certificates will be discovered from the firewall device.
    Note: The certification sync is based on the license applied.
    *SSH Port By default, it is 22.
    *: Mandatory fields
  5. Enter the field information in the Credentials section:
    Table 6. Field and Description Table
    Field Description
    *Credential type Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the drop-down list:
    • Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected.
    • AppViewX Credential List - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication.
    • If external credential types such as Thycotic, BeyondTrust, CloudAccount, or AppViewX Vault are configured, then this credential type will be listed in the device addition screen. Choose the appropriate Credential Type from the dropdown list.

      If authentication relies on an external credential, ensure that the hostname, FQDN, or IP address used for device communication is configured in the corresponding external credential vault.

      To create a credential list, see Creating Credential List in the Platform User Guide.
    *Username Username for the firewall device when you select the Manual Entry credential type.
    *Password Valid password for the firewall device when you select the Manual Entry credential type.
    Note: Use strong passwords for secure device communication. Your Passwords can be of any length with a combination of alpha-numerical, symbols, and special characters.
    Api token Enter the API token.
    *: Mandatory fields
  6. Enter the field information in the Certificate specific details section:
    Table 7. Field and Description Table
    Field Description
    Discover Private Keys Select the check box.
    Private Key Default Password Enter the default password.
  7. Enter the field information in the Secondary device information section as follows:
    • Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.
    • Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.
    • Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.
    Note:
    • By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
    • By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
  8. Click the Save button to add an Firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message is displayed as Device added successfully.

Validating the Device

After adding the device, you can validate the device by searching device in the device inventory.

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. Search the device name and validate whether the device is added successfully.

CLI Commands

Minimum required permissions

  • Version of device: 6.x or above
  • License type: Cert+ Only 16
  • Device management

    Network > Configuration > Read Only (Communication and version check)

  • Certificate discovery
    • System > Configuration > Read/Write (System Local Certificates, System Setting)
    • VPN > Read (VPN Profiles)
    • Firewall > Others > Read (SSL/SSH Inspection Profile)
    • User & Device > Read (User Authentication Setting Profile)
  • Certificate Push and Bind
    • System > Configuration > Read/Write (Push to System Local Certificates, Bind System Server Certificate)
    • VPN > Read/Write (Bind to VPN Setting Profile, VPN Ipsec profile)
    • Firewall > Others > Read/Write (Bind to SSL/SSH Inspection Profile)
    • User & Device > Read/Write (Bind to User Authentication Setting Profile)
Operation Command Description
System Status get system status Displays system information such as firmware version, VDOM status, and system mode.
Configure VDOM config vdom Enters VDOM configuration mode to manage Virtual Domains.
Edit configurations edit ? Enters edit mode for a specific configuration object (e.g., VDOM, interface, etc.).
End end Ends the current configuration mode and applies changes.
Switch to global config global Switches to the global configuration context.
Configure System’s console config system console Used to configure console settings; often used with set output standard for terminal output.
Set output to standard set output standard Sets the console output format to standard (non-JSON or non-table).
Show full CA certs (VPN) show full-configuration vpn certificate ca Displays full configuration of CA certificates used in VPN.
Show full CA certs show full-configuration certificate ca Displays full configuration of CA certificates in the system.
Show full local certs (VPN) show full-configuration vpn certificate local Displays full configuration of local VPN certificates.
Show full local certs show full-configuration certificate local Displays full configuration of local certificates in the system.
Show IPSec VPN config show vpn ipsec {CONFIGURATIONS} Displays IPsec VPN configurations.
Show SSL VPN settings show vpn ssl settings Displays current SSL VPN settings.
Show user settings show user setting Displays user authentication settings.
Show SSL/SSH profiles show firewall ssl-ssh-profile Displays SSL/SSH inspection profiles used in firewall policies.
List CA cert names (VPN) show full-configuration vpn certificate ca ? Lists available CA certificate names in VPN configuration.
List CA cert names show full-configuration certificate ca ? Lists available CA certificate names in the system configuration.
List local cert names (VPN) show full-configuration vpn certificate local ? Lists available local certificate names for VPN.
List local cert names show full-configuration certificate local ? Lists available local certificate names configured on the device (non-VPN).
Set CA certificate set ca \"{CERT_CONETNT}\" Sets the CA certificate content during certificate configuration.
Set private key set private-key \"{PVT_KEY_CONETNT}\" Sets the private key content for a certificate.
Set certificate content set certificate \"{CERT_CONETNT}\" Sets the actual certificate content.
Set password set password Sets a password (often used when importing password-protected keys/certs).
Unset password unset password Removes a previously set password from the configuration.
Configure SSL VPN settings config vpn ssl settings Enters configuration mode for SSL VPN settings.
Unset SSL VPN cert unset servercert Removes the currently configured SSL VPN server certificate.
Set SSL VPN cert set servercert {CERT_NAME} Sets the server certificate for SSL VPN.
Configure SSL/SSH profile config firewall ssl-ssh-profile Enters configuration mode for SSL/SSH inspection profiles.
Unset SSL/SSH cert unset server-cert Removes the configured certificate from the SSL/SSH profile.
Set SSL/SSH cert set server-cert {CERT_NAME} Sets the server certificate for SSL/SSH inspection.
Configure global settings config system global Enters system-wide global configuration mode.
Set admin portal cert set admin-server-cert {CERT_NAME} Sets the certificate used for the FortiGate admin GUI (HTTPS portal).
Configure user settings config user setting Enters configuration mode for user authentication settings.
Set user auth cert set auth-cert {CERT_NAME} Sets the certificate used for user authentication.
Configure IPsec VPN config vpn ipsec Enters IPsec VPN configuration mode.
Append cert to IPsec VPN append certificate {CERT_NAME} Appends a certificate to the IPsec VPN configuration.
Generate certificate execute vpn certificate local generate Generate a local certificate on the device.

Pushing Server Certificates to the Device

The certificate can be pushed to the device in only PEM format.
Note: Starting from FortiOS version 5.4 and above, when pushing a certificate to FortiGate, if a certificate with the intended name is already present, a timestamp is automatically appended to the certificate name. This ensures the new certificate is successfully imported without conflict, while retaining the original.
Warning:

Fortigate does not allow importing a certificate that has already been imported earlier—even if you attempt to import it again under a different name or context. FortiOS maintains a checksum or fingerprint of certificates.

If a certificate with the same cryptographic material already exists in the system (for example, with the same subject, serial number, and public key), it will reject duplicates to prevent redundancy or configuration conflicts.

Profiles will be discovered irrespective of the cert sync option selected during device addition or during an on-demand discovery. The following profiles will be discovered currently in AppViewX:
  • Shared location: Denotes a push-only operation which pushes a certificate to the end device.

    Profile convention : {DeviceName}::System/Vdom name

  • SSL VPN Settings: SSL VPN allows remote users to securely connect to the corporate network using an encrypted SSL tunnel via a web portal or FortiClient. Apushed certificate can be associated to SSL-VPN setting if it is enabled.

    Profile convention : {DeviceName}::System/Vdom name::SSL VPN Setting:SSL VPN Setting

  • SSL/SSH Inspection Profile: SSL/SSH inspection profiles inspect encrypted traffic (HTTPS/SSH) for threats or policy enforcement. Apushed certificate can be associated to any inspection profile if it is configured with Protecting SSL Server option.

    Profile convention : {DeviceName}::System/Vdom name::SSL/SSH Inspection Profile:{Inspection profile name}

  • System Setting Https Server Certificate: This controls which certificate is used to secure access to the Fortigate administrative web interface. Apushed certificate can be associated to the System administration setting server certificate.

    Profile convention : {DeviceName}::System::System Setting Https Server Certificate

  • User Authentication settings: Defines how users authenticate to Fortigate (e.g., captive portal, VPN, web portal). Ensures only clients with valid certificates can authenticate, enhancing security. Apushed certificate can be associated to the User authentication setting server certificate.

    Profile convention : {DeviceName}::System:User Authentication settings:User Authentication settings

  • IPSec VPN Profile: IPSec VPN allows site-to-site or remote client VPN connections using the IPSec protocol suite. Apushed certificate can be associated to the IpSec tunnel configured in the device.

    Profile convention : {DeviceName}::System:IPSec VPN Profile:{TUNNEL_NAME}

Backing Up Certificates

Before a bind operation, a backup will be taken for the currently associated certificate so that a rollback can be performed once the new certificate is associated.

Binding Certificates

Certificates can be bound for profile connectors. These connectors include all the connectors other than the shared location connector.

The selected selected certificate will be pushed to the shared location first and then the certificate will be associated to the selected profile.

Rolling Back Certificates

In the event of a rollback, the system restores the previous state by unbinding the current certificate, pushing and binding the backed-up certificates to the selected profile.

CSR Generation

Note: Generation of CSR can be performed for a Fortigate device during certificate enrollment. The Partition name, CSR File Name, and Key File Name have to be provided.

Adding a Juniper Firewall Device

Prerequisites

  • General prerequisites:
    • Ensure communication between AppViewX and the firewall is enabled.
    • AppViewX needs an internet or proxy connection to communicate with the firewall via the REST API.
    • Valid firewall account details, including API tokens/keys and user credentials, are necessary.
    • The API must have elevated (admin) permissions to read and modify SSL certificates.
  • IP Address/FQDN: IP address or FQDN
  • User Privilege:
    • Username/Password
    • Credential List AppViewX/CyberArk
  • Enable Password: Required
  • License Check: Not required
  • Services and Port for AppViewX Communication: Port number 22 (SSH)
  • Internet Access/Proxy: Not required
  • Location from which the certificates are discovered if Certificate Managed: Not supported
    Note: For Visual Workflow action items, you will require credentials with write privilege.

Configuring a Juniper Firewall Device

To add a Juniper device,

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. In the Firewall tab, click (Add) icon located upper right corner.
    The Add page appears.
  3. Select the Juniper vendor from the left side bar. bar.
  4. Enter or select the field information in the General Information section.
    Table 8. Field and Description Table
    Field Description
    CI name Name of the CI.
    Platform Select the platform from the drop-down list. The available option is,
    • SRX.
    *Device name Unique custom identifier of your device.
    Data center The data center on which the device has been hosted. Select a Datacenter from the drop-down list or enter a data center name.
    Communication

    The communication mode that firewall devices can be added to AppViewX. The possible communication modes are:

    • IP Address - The IP Address can be IPV4 and it can be either management IP or Self IP of the Firewall device. By default, the IP address has been selected.
    • FQDN - On adding the device with FQDN, it will be resolved to an IP address and communication to the device will be made through it. If the FQDN is resolved to more than one device IP, AppViewX will choose a random IP for communication.
    *IP address/FQDN Enter the IP address or FQDN based on the selected communication mode.
    Data center Select from an existing list or enter a new data center.
    Cert sync Provision to discover and manage the SSL certificates from the firewall devices. The possible Cert syncs are:
    • Managed - All SSL certificates will be discovered and added to AppViewX certificate inventory and used for certificate lifecycle management like renew, revoke, etc.
    • Monitored - All SSL certificates will be discovered and will not have any CA-related communication.
    • Ignored - No SSL certificates will be discovered from the firewall device.
    Note: The certification sync is based on the license applied.
    *: Mandatory fields
  5. Enter or select the field information in the Credentials section:
    Table 9. Field and Description Table
    Field Description
    *Credential type Credentials can be manually provided or stored as a one-time entry onto the credential library and referred at the time of device addition. Select one of the following credential types from the drop-down list:
    • Manual Entry - The user name and password of the device need to be entered with device details. By default, the Manual Entry option is selected.

    • AppViewX Credential List - The user name and password can be added to the List and that entry can be referred to during device addition. The credential lists are integrated within AppViewX application for the secured authentication.

      To create a credential list, see Creating Credential List in the Platform User Guide.
    *Username Username for the firewall device when you select the Manual Entry credential type.
    *Password Valid password for the firewall device when you select the Manual Entry credential type.
    Note: Use strong passwords for secure device communication. Your Passwords can be of any length with a combination of alpha-numerical, symbols, and special characters.
    Expert password Enter the password.
    *: Mandatory fields
  6. Enter or select the field information in the Secondary device information section as follows:

    • Auto-Detect - This option will automatically detect the corresponding secondary devices and add it as a new entry into AppViewX inventory using the Primary device’s credential.

    • Manual Entry - This selection will enable you to manually add Secondary devices with a Sync-group name entered for reference. This name will be used to identify the pairs in the inventory. Follow similar steps.

    • Ignore - This option can be enabled if you need to ignore the detection of the secondary device associated with the current device.

    Note:
    • By clicking the Add button, multiple devices can be added as secondary devices and all the devices will be available in the grid.
    • By managing the Primary and Secondary devices in AppViewX during the device flips, traffic routing and management can be seamlessly handled in AppViewX.
  7. Click the Save button to add an Firewall device.
    Note:
    • To discard the changes, click the Cancel button.
    A pop-up message is displayed as Device added successfully.

Validating the Juniper Device Addition

After adding the device, you can validate the device by searching device in the device inventory.

  1. Go to Menu > FIREWALL+ > DEVICE MANAGEMENT > Inventory> Firewall.
    By default, the Firewall tab opens.
  2. Search the device name and validate whether the device is added successfully.

Discovering Certificates for Firewall

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Managed Devices Scan.
    The Discovery : Managed Devices Scan : Add Discovery page is displayed.
  2. To initiate a managed devices scan, enter the Discover Details.
    1. To specify the frequency at which the certificate discovery scan will be triggered, select the Discovery Run Type.
      Table 10. Discovery run type options
      Field Description
      On-demand The certificate discovery scan will be triggered manually by the user as and when required.
      Scheduled The certificate discovery scan will be triggered automatically at the specified time and date.
    2. Enter the details for initiating an on-demand managed devices certificate discovery scan.
      Table 11. Field descriptions for on-demand discovery
      Field Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters

      OR

      Enter the details for initiating a scheduled managed devices certificate discovery scan.

      Table 12. Field descriptions for scheduled discovery
      Field Description
      Discovery Instance Name Enter a name for the discovery instance.
      Description Enter additional details related to the discovery option.
      Note: Character limit: 2000 characters
      Occurrence Type
      From the dropdown list, from the following options, select an occurrence frequency:
      • Daily
      • Weekly
      • Monthly
      • Yearly
      *Repeat On
      Note: This field is displayed only when Occurrence Type = Weekly.
      Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
      *Starts On Click (Calendar widget) to select a date to start the scheduled discovery.
      *Ends From the following options, select when the scheduled discovery is to end:
      • Never: Discovery never stops.
      • After: Discovery stops after the number of occurrences specified in the text field.
      • On: Discovery stops on the date selected using (Calendar widget).
      Summary Displays a summary of the selections made for scheduled discovery
      *: Mandatory fields
  3. In the Discover By section, enter the discovery details.
    Table 13. Instruction for discovering certificates
    Field Description
    *Discovery From From the dropdown list, select Managed Firewalls.
    Devices window A list of all the managed firewall devices is displayed in the devices window.

    To select devices for certificate discovery, select the checkbox(es) for the required devices.

    The devices window has the following option:

    • Add as Favorites: You can mark your frequently used devices as favorites.
    • All: Select this to see the complete list of devices (unfiltered).
    • Selected: Select this to list only the selected devices.
    • Unselected: Select this to list only the unselected devices.
    • Delete: Delete the required devices from the favorites list.
    Execute Batches Sequentially To execute the discovery operation on the specified batches sequentially, select this checkbox.
    *Interval Between Batches If Execute Batches Sequentially is selected, enter an interval duration (in minutes) in this field. The sequential execution of the batches is spaced according to the interval value entered here.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A set of filters is combined to create a rule, from the Rules menu. The selection of rules will apply respective filters on discovered certificates.
  5. In the After Discover section, enter the following details:
    Table 14. Field descriptions for the After Discover section
    Field Description
    *Move Certificate to Inventory with Status Select from one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group From the dropdown list, select a certificate group to which the discovered certificates will be associated.

    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

    *: Mandatory fields
  6. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    The discovered certificates are displayed in the certificate inventory.

Enrolling a Server Certificate

Prerequisites

[For Linux-based vendor] OpenSSL is used to generate a private key and a Certificate Signing Request (CSR) as part of the endpoint enrollment process. Ensure that OpenSSL is installed and properly configured on the system before proceeding.

Enrolling a Server Certificate

Server certificate enrollment refers to the process ofcreating a digital ID for an application/web server hosted in the network. It starts with the generation of a key pair (private and public key) and CSR, and then submitting the CSR to the required CA to procure a certificate. CERT+ supports the generation of keypair on the device, HSM, AppViewX. Users can also upload the CSR for enrolling for a digital certificate.

To enroll a server certificate:

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Enroll Certificate > Server
    The Enroll Server Certificate page is displayed.
  2. In the General Information section, from the dropdown list, select the required Assign Group.
  3. Enter the CA Details.
    Table 15. Field descriptions for the CA Details section
    Field Description
    *Certificate Authority From the dropdown list, select the certificate authority to request the certificate enrollment.
    Note: The IDnomic CA can be used for issuing certificates only in an on-prem deployment. Certificates issued through IDnomic CA can be renewed only if they are enrolled using a Registration Authority workflow.
    *Renew Automatically
    Note:
    To automatically renew this certificate:
    1. Turn on the Renew Automatically toggle.

      The *Start Renewing field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the renewal process should start.

      Valid range for number of days: 1 to 120

    Note: The auto renew settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was renewed manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *Regenerate Automatically To automatically regenerate this certificate:
    1. Turn on the Regenerate Automatically toggle.

      The *Start Regenerating field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start.

      Valid range for number of days: 1 to 120

      Note: This value can exceed the certificate's validity in case of short-lived certificates.
    Note:
    • This feature can be enabled only for valid certificates (not for revoked/suspended and expired certificates).
    • The auto regenerate settings from the parent certificate will be transferred to the child certificate only if the toggle was enabled; they will not transfer if the certificate was regenerated manually. After migration, these settings will be disabled for the parent certificate, so enable them manually if needed.
    *Re-enroll Automatically To automatically regenerate this certificate:
    1. Turn on the Re-enroll Automatically toggle.

      The *Start Re-enrollng field is displayed.

    2. In the Days Before Expiry field, specify how many days prior to a certificate's expiry the regeneration process should start.

      Valid range for number of days: 1 to 120

      Note: This value can exceed the certificate's validity in case of short-lived certificates.
    Note: User overrides are allowed unless Group Override is active, in which case the group's configuration takes precendence.
    *CA Account From the dropdown list, select the CA account to which the certificate enrollment request will be submitted.
    Certificate Type From the dropdown list, select the required certificate type.
    *Division
    Note: This field is applicable only for Digicert CA.
    From the dropdown list, select the division with which the certificate will be enrolled.
    Certificate Profile
    Note: This field is displayed for only selected CAs. For the IDnomic CA, this field is displayed when only-CA setting is selected from the CA Account dropdown list.

    From the dropdown list, select the certificate profile with which the certificate must enroll.
    *RA Workflow
    Note: This field is displayed when Certificate Authority = IDnomic and a RA setting is selected from the CA Accounts dropdown list.
    From the dropdown list, select the RA workflow that will be used for certificate enrollment.

    For the details of a workflow, you can check them on your CA portal on IDnomic.

    *Issuer Location
    Note: This field is applicable only for Google CA.

    From the dropdown list, select the issuer location associated with the CA account.
    *Issuer Name
    Note: This field is applicable only for Google CA and AppViewX PKIaaS Native.

    From the dropdown list, select the issuer name for issuing the certificate.
    Template Name
    Note: This field will be displayed only when Certificate Authority = AppViewX Native CA.

    Select a template name from the dropdown list.

    Template Name is editable. The selected template will be displayed in the Template/Profile column of the Server Certificate Inventory irrespective of the Managed/Monitor status. You can also search and filter certificates based on the template name within the CERT+ Inventory.
    *Issuance Policy
    Note: This field is applicable only for Futurex.
    From the dropdown list, select the issuing policy for this certificate.

    An issuance policy defines the rules Futurex must follow to process the certificate enrollment request. The selected issuance policy will determine the approval requirements for the certificate, the cryptographic settings, notification triggeres and other configuration parameters.
    *Root CA
    Note: This field is applicable only for Futurex.
    From the dropdown list, select the root CA for the certificate being enrolled.

    This is the trusted root certificate authority that anchors the certificate chain. All issued certificates will ultimately chain up to this root.
    *Signing CA
    Note: This field is applicable only for Futurex.
    From the dropdown list, select the Certificate Authority that will sign the requested certificate.
    *Extension Profiles
    Note: This field is applicable only for Futurex.
    Extension profiles enable you to further modify your certificates with additional field, attributes, and requirements.

    From the dropdown list, select the extension profile that will be used for the certificate being enrolled.

    To read more on and for instructions to create extension profiles, refer the Futurex documentation. For links, see the References section.

    *Approval Group Name
    Note: This field is applicable only for Futurex.
    An approval group is a predefined set of users or roles authorized to approve the certificate enrollment request.

    From the dropdown list, select the approval group to authorize this enrollment request.

    To read more on and for instructions to create and manage approval groups, refer the Futurex documentation. For links, see the References section.
    *Connector Name Enter a friendly name for the CA connector.

    On saving this form, the name entered here will be displayed in the holistic view.
    Description
    Note: Character limit: 2000 characters

    Enter the description in this field.
    *CSR Generation
    Note: This field is applicable for all CAs except Amazon.

    From the following options, select the required method for generating the CSR:

    • AppViewX: Private key and CSR will be created in AppViewX based on CSR parameters given.
      Note: If auto regeneration has been enabled for this cerificate, AppViewX can be enforced as the default CSR generation source (irrespective of any selections made here) every time the certificate is regenerated. To do this, execute the following db script:
      db.cert_metadata.insertOne({"_id":"CERT_AUTO_REGENERATE_DEFAULT_APPVIEWX_CSR", "flag":true})
    • Upload CSR: You can upload a file that contains the CSR details. This source file will be used to populate the CSR parameters, which will then be submitted to the CA.
      1. Under CSR Generation, select Upload CSR.

        The Please paste your CSR field is displayed.

      2. From the Please paste your CSR field, select Browse.
      3. Navigate to the location of your CSR file, and click Open.
      4. Click Upload.

        On successful upload of this file, the CSR fields are populated with the corresponding details.

    • HSM:
      Note: This option is disabled/not displayed when Certificate Authority = Google, CSC Global, and DigiCert One.
      To generate the private key and the CSR, based on the CSR parameters given in an HSM device:
      1. Under CSR Generation, select HSM.
      2. To enter the configuration details for CSR generation, refer the field descriptions given here.
    • End Point:
      Note: This option is disabled when Certificate Authority = Google and CSC Global.
      To generate the private key and the CSR, based on the CSR parameters given in an endpoint device:
      1. Under CSR Generation, select End Point.
      2. To enter the configuration details for CSR generation, refer the field descriptions given here.
    *: Mandatory fields
    Table 16. Field descriptions for using HSM as the CSR generation source
    Field Description
    *Device Type From the dropdown list, from the following options, select the type of device on which the private key and the CSR will be generated:
    • HSM Devices (AppViewX will directly communicate with the HSM device for the CSR generation.)
    • ADC Devices (The selected ADC device will interact with the HSM to generate the CSR and subsequently transmit the relevant details to AppViewX.)
    *Vendors This field is displayed only when Device Type = ADC Devices.

    From the dropdown list, select the required ADC device vendor.
    Module Number This field is displayed when Device Type = ADC Devices and Vendors = Thales.

    In the event that multiple HSMs are configured on a system, module number is a unique identifier assigned to each HSM.

    In this field, enter the module number assigned to the selected Thales device.
    *Devices From the dropdown list, select the required HSM/ADC device.

    This field is populated based on the Device Type and Vendors selected.

    • For Device Type = HSM Devices

      The dropdown list is populated with HSM devices that were enabled for CSR generation at the time of onboarding and have been successfully onboarded. To read more on onboarding HSM devices in AppViewX, click here.

    • For Device Type = ADC Devices

      The dropdown list is populated with F5 devices that are in the Managed state.

      Currently, AppViewX enables HSM key generation only through F5 devices for the following HSM vendors and their respective supported versions:
      • Fortanix (v14 and onwards)
      • Thales (v12 and onwards)
      • Safenet (v12 and onwards)
    *Key Handler Name This field is displayed when Device Type = HSM Devices.

    Key handler name refers to an identifier used to reference a cryptographic key managed by an HSM device.

    Enter the desired handler name in the field.
    *Key Reference Name This field is displayed when Device Type = ADC Devices.

    Key reference name refers to an identifier used to reference a private key that is stored locally on an ADC device or is securely accessible to the device via an external HSM.

    In this field, enter the reference name assigned to the private key stored in/accessible to the selected ADC device.
    Table 17. Field descriptions for using an endpoint device as the CSR generation source
    Field Description
    Category From the following options, select the ADC device category:
    • ADC
    • Cloud
    • Server
    • WAF
    • Firewall
    Note:
    • Run the following script to enable endpoint CSR generation support for GlobalSignAtlas:
      db.getCollection('cert_metadata').insertOne({
    "_id": "CSR_GENERATION_ENDPOINT_SUPPORTED_VENDOR_GLOBALSIGNATLAS",
    "objectMap": {
        "Server": [
            "ABAP",
            "Web Dispatcher"
        ]
    }
});
    • On selecting GlobalSignAtlas CA, Category is automatically populated as Server.
    Vendor The dropdown list for this field is populated based on the Category selected. From the dropdown list, select the vendor for the end point device.
    Note:
    • On selecting GlobalSignAtlas CA, Vendor is populated with ABAP and Web Dispatcher.
    *Devices This field lists the end point devices present in your environment that belong to the above selected Category and Vendor.
    From the dropdown list, select the end point device on which you want to generate the private key and the CSR.
    Note: On selecting Vendor = Fortinet, both Fortigate and FortiManager devices are populated. Auto-regeneration of certificates with FortiManager as endpoint is not supported.
    *Profile This field is applicable only when Category = Server/WAF. Select a profile from the dropdown list.
    Note: On selection of Vendor = Imperva, CSR generation at the endpoint is supported only for SaaS platforms. Profiles will not be displayed for AWS/on-prem deployments.
    *Tenant This field is applicable only when Category = AD. Enter the tenant ID.
    *Service name From the dropdown list, select the cloud service running on the selected cloud Devices.
    CSR Location This field is applicable only when Category = Server.
    *Template Name This field is applicable only when Category = Firewall.

    Select the required template from the dropdown list.

    Note:
    • This field will be enabled when the Platform = Panorama while onboading PaloAlto device at Menu > CERT+ > Device Management > Inventory> Firewall > Add.
    • Templates and partitions are used to enroll certificates at the template level. To enroll a certificate at the Panorama level, set the template to None.
    Partition This field is applicable only when Category = Firewall.
    *CSR File Name Enter the name of the file that contains the CSR parameters.
    Note:
    • As the extension is already included in the field, ensure that you enter the file name without the file extension.
    • Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as CSR File Location.
    *Key File Name Enter the name of the file that contains the private key details.
    Note:
    • As the extension is already included in the field, ensure that you enter the file name without the file extension.
    • Starting v2023.1.0 FP2, for enrolling Apache server certificates, this field is labeled as Key File Location.
    *Certificate File Name This field is displayed only when Category = Cloud. Enter the certificate file name.
    *Key vault This field is displayed only when Category = Cloud, Vendor = Azure, and Service name = Key Vault (Azure).
    *Service
    Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
    This dropdown list is populated based on the Device selected.

    From the options in the dropdown list, select the service.
    *Exchange Server
    Note: This field is displayed when Category = Server and Vendor = Microsoft Server.
    From the dropdown list, select the name of the MS Exchange server for which the certificate is being enrolled.
  4. For the EJBCA certificate authority, enter the vendor details.
    Table 18. Field descriptions for the EJBCA Vendor Specific Details section
    Field Description
    * End Entity Profile Name From the dropdown list, select the end entity profile name.
    End entity user name Enter the name of the end user entity.
    * Issuer Common Name From the dropdown list, select the issuer common name.
    *Certificate Profile Name From the dropdown list, select the certificate profile name.
    *: Mandatory fields
    Note: When generating a new private key on an endpoint, existing keys (including .txt encrypted key files) are not overwritten immediately.
    • For non–password-protected certificate types (PEM-.crt, PEM-.cer, PEM-.pem, DER-.der, DER-.cer, PKCS7-.p7b, PKCS7-.p7c), the .txt file is decrypted into the original key filename (keyfile.key) during the push. If a key with the same name already exists, it will be replaced.
    • For password-protected certificate types (Default JKS-.jks, JKS-.keystore, PKCS12-.p12, PKCS12-.pfx):
      • During the push , the encrypted .txt file is decrypted into a temporary, timestamped key file (keyfile_.key).
      • This decrypted key is then combined with the certificate to create the final bundled output (e.g., .pfx, .jks).
      • After bundling, the temporary timestamped key file is deleted; Because the decrypted key file is temporary and timestamped, no key replacement occurs, and no existing key files are overwritten.
    This is currently applicable for:
    • Linux vendors - Generic Linux, Apache Linux, Tomcat Linux, and Nginx Linux.
    • Windows vendors - Windows Apache, Windows Tomcat, and Microsoft SQL.
  5. For the certificate being enrolled, enter the CSR Parameters.
    Note: For DigiCert One, all CSR parameters that are assigned static values in the certificate profile will be auto-populated and disabled for editing.
    Table 19. Field descriptions for the CSR Parameters
    Field Description
    Replace PSE File The Replace PSE File checkbox enables users to generate the CSR or private key in the Server. This checkbox is displayed only in the case described below:
    1. Select the CSR Generation radio button as Endpoint.
    2. Select Category as Server, Vendor as ABAP or Web Dispatcher The Profiles dropdown is the only other field displayed below it and is populated with a list of .pse file names.
    3. Select the required Profile from the dropdown. Based on the values selected, the fields in the CSR Parameters section are auto-populated.

    The Replace PSE File checkbox is disabled by default and the SAN details fields in CSR Parameters section are also disabled. Selecting the checkbox will make the SAN details enabled and allow for values to be updated.
    *Common Name Enter the certificate's common name.

    The common name is one of the key values of Certificate Signing Request (CSR) to be present in the certificate. For example, <appviewx>.

    Note: Constraints:
    • Character limit: 64 characters
    • No special characters allowed except en dash (_) and hyphen (-).
    • For VMware vCenter, enter the device's FQDN to avoid certificates being rejected. If left blank, the FQDN will be auto-detected and populated.
    Subject Alternative Name From the dropdown list, select the Subject Alternative Name category for the certificate being enrolled.

    In the corresponding field(s) displayed for the selection made, enter the required values.

    Note:
    • Multiple values must be separated by a comma.
    • After enrollment, the cumulative count of SANs is displayed in the certificate property pop-up window from the holistic view.
    • For VMWare vCenter, enter the device's FQDN to avoid certificates being rejected. If left blank, the FQDN will be auto-detected and populated.
    DNS Mutiple SAN values must be separated by a comma (,).
    Organization The organization name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For VMWare vCenter, this is a mandatory field.
    Organization Unit Organization Unit name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For VMWare vCenter, this is a mandatory field.
    Locality The locality name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For VMWare vCenter, this is a mandatory field.
    State The state name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For VMWare vCenter, this is a mandatory field.
    Country Country name is one of the CSR parameters to be present in the certificate. This field will be auto-filled and editable based on configuration. It must be a 2-letter country code (for example, US, and so on).
    Note:
    • For renewal of the certificate being enrolled, country name is required.
    • For VMWare vCenter, this is a mandatory field.
    Email Address Enter a valid email address of the person responsible for maintaining the certificate.
    Note: For VMWare vCenter, this is a mandatory field.
    *Validity To specify the validity of the certificate being enrolled:
    1. From the first dropdown list, select the number of days/months/years.
    2. From the second dropdown list, select the unit of the duration from the following values: Days/Months/Year.
      For example, if the validity of the certificate is 2 months:
      1. From the first dropdown list, select 2.
      2. From the second dropdown list, select Months.
    Note: The uploaded certificate validity for Globalsign MSSL is set to 365 days.
    Challenge Password Challenge password is one of the CSR parameters to be present in the certificate. Password must contain at least one alphabet (uppercase and lowercase), one number, and one special character.
    Confirm Password Re-enter the password entered in the Challenge Password field.
    *Hash Function The Hash function with which the CSR has to be signed. Any information specific to any CA or vendor has to be covered in the Note section. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note: For Certificate Authority = HydrantID, irrespective of the hash function selected, by default, the CA returns a certificate with SHA256. Therefore, admins must restrict users from creating a certificate with a hash function other than SHA256. To accomplish this, create policy with a single hash value (SHA256).
    *Key Type The key type is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    Note:
    • FortiManager supports only RSA key type of 512, 1024, 1536, 2048, 3072, 4096 bits.
    • VMWare supports only RSA of 2048, 3072, 4096, 7680, 8192 bits and EC key type.
    *Bit Length The bit length is used while creating a private and public key pair. This field will be auto-filled and editable based on the configuration in the selected group’s policy.
    *: Mandatory fields
  6. In the Attachments section, upload any additional documents that are relevant to the enrollment of the certificate (for example, approval emails).
    Table 20. Field descriptions for the Attachments section
    Field Description
    Name Enter a name for the document. This need not be the actual name of the document; it can be an alternate name that will be used for reference only.
    Comments Enter any details relevant to the document being attached.
    Note: Character limit: 2000 characters
    Upload File To upload an attachment:
    1. Click Upload.
    2. Navigate to the location of the document to be uploaded.
    3. Select the document to be document and click Open.

      The selected document is uploaded and listed in the table displayed below these fields in the Attachments section.

      Tip: If you have uploaded multiple attachments, use the Search field to find the required one.
    *: Mandatory fields
  7. In the Certificate Attributes section, enter organization-specific values, for the certificate attributes and custom attributes for the issuing CA, that need to be mentioned along with the CSR.
    These values will not be a part of the certificate but will be available in the AppViewX inventory. For example, cost center.
    Note: This additional information can be used to filter certificate details in the inventory.
  8. Enter the relevant details in the Generic Fields. These are default fields for maintaining the IP address and device information, if required.
    Table 21. Field descriptions for the Generic Fields
    Field Description
    Device Name Enter the name of the device.
    Application IP Address Enter the IP address of the application.
    Tracking ID A free-form business alpha-numerical identifier, included in the audit logs, that may be used to correlate audit log entries (typically enrollment and revocation events)
    Certificate holder Email
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    An email address that may be used to send notifications to certificate holder depending on the notification policies configured for the requested workflow
    First name
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    First name (as a metadata) associated with the certificate to be enrolled
    Last name
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    Last name (as a metadata) associated with the certificate to be enrolled
    Organization
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    Organization name (as a metadata) associated with the certificate to be enrolled
    Comment
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    Additional information (as a metadata) associated with the certificate to be enrolled
    UUID
    Note: For the IDnomic CA, this field is displayed only when the selected CA account has been configured using a Registration Authority (RA).
    Universal Unique Identifier, or UUID, (as a metadata) associated with the certificate to be enrolled
  9. In the Vendor-Specific Details section, enter the CA-specific details. Some of the CAs will expect additional details other than CSR parameters as meta data for their operational purposes. Details common to all CAs will be taken from the AppViewX user information of the logged in user.
    Table 22. Field descriptions for the common vendor specific details
    Field Description
    Certificate ID The Certificate ID is auto-populated based on the value entered in the Common Name field (in the CSR Parameters section).
    • The Certificate ID can be modified by the user.
    • If the user edits the Certificate ID, any change to the Common Name will not reflect in the Certificate ID.
    • If the user deletes the Certificate ID, the value of the Certificate ID field is set to the Common Name suffixed with the timestamp.
    Table 23. Field descriptions for the CSC Global CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Business Unit Enter the name of the business unit that is requesting the certificate.
    *Organization Contact Enter the email address of the contact in the organization requesting the certificate.
    *Phone Number Enter the phone number of the Organization Contact in the followung format: +<country code>-<phone number>.
    Note: For CSC Global, the phone number is not fetched from the AppViewX user information because of the difference in format.
    *Domain Control Validation Type From the following options in the dropdown list, select the method CSC Global will use for authentication before issuing a certificate:
    • EMAIL: CSC Global will send an approval/confirmation request to the registered email ID. Certificate issuance happens only after approval is received.
    • CNAME: On requesting certificate issuance, CSC Global will provide you with a dynamic string. Add a CNAME record with this string to your DNS settings. CSC will issue the certificate requested only after validating this CNAME record.
    Note: CSC Global will perform domain validation for all CLM actions.
    *: Mandatory fields
    Table 24. Field descriptions for the Custom CA vendor specific details
    Field Description
    *CRL and OCSP required To control the inclusion of CRL and OCSP settings, turn this toggle button on/off as required.
    *: Mandatory fields
    Table 25. Field descriptions for the DigiCert CA vendor specific details
    Field Description
    *Server Type From the dropdown list, select the server on which the application that requires the requested certificate is hosted.
    *Payment Method From the dropdown list, select one from the following payment methods:
    • Bill To Account Balance: This option allows you to pay for the DigiCert certificate using the available balance in your DigiCert account.
      Note: Ensure that the option to bill to account balance is enabled for the account and the account has sufficient balance.
    • Bill To Default Credit Card: This option will charge the cost of the DigiCert certificate to the credit card set as the default payment method in your DigiCert account.
      Note: Ensure that a credit card is configured as the default payment method for your account.
    Additional Email Enter email addresses that will receive notifications for renewals, reissues, and duplicates for the specified order.
    Renewal Message Enter a custom message that will be sent with the renewal notifications.
    Notes Enter a custom note that will be sent with the order.
    *: Mandatory fields
    Table 26. Field descriptions for the DigiCert One CA vendor specific details
    Field Description
    Seat ID Enter the seat ID that will be assigned to the certificate being enrolled.
    Seat ID is a unique user-defined value assigned to identify an entity in the DigiCert One account. The seat ID for a certificate is used for certificate enrollment, renewal, and regeneration.
    Note: The Seat ID field is displayed only if the Allow Seat ID during enrollment option is selected for the CA account. In this case, the value entered in the Seat ID field is now a unique identifier for the certificate being enrolled. Otherwise, a common seat ID is assigned to all certificates enrolled for the selected CA account
    Table 27. Field descriptions for the GlobalSign MSSL CA vendor specific details
    Field Description
    *Profile name A profile name is defined at the time of creating an account on the GlobalSign MSSL portal. AppViewX retrieves all your profile names from the GlobalSign MSSL portal and populates them in this dropdown list.

    From the dropdown list, select the profile name the enrolled certificate should be mapped to.
    *: Mandatory fields
    Table 28. Field descriptions for the Hydrant ID CA vendor specific details
    Field Description
    Expiry Emails Enter a comma-separated list of email addresses that will receive the certificate expiry notification from HydrantID.
    Note: HydrantID CA does not accept updates to these email addresses during the renewal process.
    Table 29. Field descriptions for the Nexus CA vendor specific details
    Field Description
    Procedures The Procedures dropdown list will display only the procedures mapped to the server and the default procedure. From the dropdown list, select the required procedure.
    Table 30. Field descriptions for the LetsEncrypt CA vendor specific details
    Field Description
    *Challenge Type Specifies the method for verifying domain ownership. Select the required domain for the validation. The available challenge types are:
    • HTTP
    • DNS.
    Challenge Verify Determines how the DNS challenge will be verified. Select the required verification process. The available challenge verifies are:
    • Manual
    • Automatic.
    The value Automatic suggests that the system will automatically handle the verification process without manual intervention.
    Note: This field appears when the challenge type is selected as DNS.
    Vendor Indicates the DNS provider responsible for managing DNS records. The available DNS service providers are:
    • Cloudflare
    • Azure.
    Note: This field appears when the challenge verify is selected as Automatic.
    *Settings Allows for additional configuration settings related to the DNS challenge. The selected value None implies that no extra settings are applied.
    Note: This field appears when the challenge verify is selected as Automatic.
    Note:
    • Make sure that you have enabled LetsEncrypt DNS Automation from the workflow.
    • To add new vendors for the integration and configuration, refer to Integration topic in the Automation Guide.
    *: Mandatory fields
  10. Click Add.
    Once the details are added, you will be redirected to a page where the CSR and CA details are added as a connector. This page is called the holistic view and from here, any action on the certificate can be performed including provisioning the certificate to a server.
  11. On the holistic view, click the Submit button to trigger the request.
    The submit action is triggered and the Submit dialog box is displayed.
  12. Enter your comments in the text field and click Yes.
    If the approval required option is enabled in the CA policy, the request is moved to the Approve and Implementation stages.
  13. Click Approve to proceed.
    The Approve dialog box is displayed.
  14. Enter your comments in the text field.
    Note: If the workflow request has to be approved automatically in the future, click the Schedule later button .
  15. Click Yes.
    Once the approval process is complete, the Implement option is displayed in the holistic view.
  16. Click Implement.
    The Implement dialog box is displayed.
  17. Enter your comments in the text field.
    If the workflow request has to be implemented automatically in the future, click Schedule later .
  18. Click Yes.
    CSR Submission to CA is in progress.Once the CSR submission is successful, the request state will be changed to Submit certificate - retrieval in progress state.

    If the enrollment request is compliant with conditions defined and auto-approval enabled in the targeted CA, the certificate will be fetched in a few seconds.

    If auto-approval disabled in the targeted CA, you will have to be logged into the CA and approve the request.

    Once the certificate is issued successfully, the certificate will be retrieved into AppViewX. You can now push the enrolled certificate(s) to the required endpoint.

Adding and Pushing Certificates to Firewall Device

Important: Refer to the pre- and post-push script usage instructions here.

Adding Application Connectors for Firewalls

  1. Enter the General Information for the connector.
    Field Description
    *Category From the dropdown list, select Firewall.

    If the certificate being pushed was enrolled with CSR generation at endpoint, this field is auto populated with the category selected at the time of certificate enrollment.
    *Vendor From the dropdown list, select the required firewall vendor.

    If the certificate being pushed was enrolled with CSR generation at endpoint, this field is auto populated with the vendor selected at the time of certificate enrollment.
    *Connector Name

    Enter a name for this connector, to be able to identify it later.

    AppViewX recommends naming connectors according to use cases so they are easily distinguishable.

    Description Enter any additional details you want to record for this connector.
    Based on the information populated here, the Profile Selection section is populated with the list of available devices for the specified vendor that are already onboarded in AppViewX.
  2. To select the device(s) to which the certificate will be pushed, under Profile Selection:
    1. For CheckPoint Vendor, to filter the available profiles, from the dropdown menu for Available profiles, select a value from the following options:
      • Admin Portal
      • HTTPS Inspection.
    2. For PaloAlto vendor, to filter the available profiles, from the dropdown menu for Available profiles, select a value from the following options:
      • PaloAlto Firewall
        • Shared location
        • SSL/TLS Service profile
        • IKE Gateways
        • SSL Inbound Inspection Profiles
        • Authentication Profiles.
      • Panorama
        • Shared location
        • SSL/TLS Service profile
        • IKE Gateways
        • SSL Inbound Inspection Profiles
        • Authentication Profiles.
    3. From the list of Available Devices displayed, to select the target device(s) for pushing the certificate, click .
    The Selected devices list is updated automatically.
  3. Enter the Certificate Details.
    Table 31. Field descriptions for the Certificate Details
    Field Description
    *Certificate Type From the dropdown list, select the file type of the certificate to be pushed.
    *Certificate File Name Enter the file name of the certificate to be pushed. The file extension is auto-populated based on the Certificate Type selected.
    *Trust Point Name A trustpoint configuration is an element that includes details related to a certificate such as the certificate file, the private key file, the CA certificate, and other settings related to the certificate.

    In the Trustpoint Name field, enter the name of the trustpoint configured on the target system to which the certificate will be pushed.
    Alias Name Enter the certificate alias assigned in the CSR generated for requesting/enrolling the certificate.
    Password Enter the password required to access the certificate file/trust store.
    Private Key Passphrase Enter the password required to access the private key file associated with the certificate.
    Push to Firewall To push the certificate when it is updated directly to the firewall, select this checkbox.
    Trust Type
    Important: Trust type is applicable only for server certificates issued by private CAs with a customized template that issues certificate to the PaloAlto device with Key Usage as Certificate Signing for certificates that have a private key.
    Trust Type defines how a firewall handles SSL/TLS traffic based on whether a certificate is trusted or untrusted.
    Select a trust type status from the following values:
    • Forward Trust

      Select this option to establish the firewall as a trusted third party (proxy) to the session between the client and the server.

      For Trust Type = Forward Trust, if the server's certificate is valid (trusted) and signed by a known, trusted CA (like VeriSign, DigiCert, etc.), the firewall decrypts the traffic, inspects it, and then re-encrypts it using its own certificate, which is trusted by the client due to the configured CA.

    • Forward Untrust

      Select this option for the firewall to notify to clients when the server certificate is signed by a CA that the firewall does not trust.

      For Trust Type = Forward Untrust, if the server’s certificate is self-signed or from an unknown CA, the firewall may re-encrypt the traffic using an untrusted certificate, causing the client to see a warning that the connection is not secure.

    Note: If the certificate trust type was already specified when configuring the certificate on the device, then upon discovery in AppViewX, the trust type field will reflect the same value as configured in the device port.
  4. Enter the Push Details.
    Table 32. Field descriptions for the Push Details
    Field Description
    *Script Location Script files are commonly used to perform certain tasks required to be completed before and/or after a certificate is pushed to the target system.

    The script to be run before the certificate is pushed is called a pre-push script and the script to be run after the push is called a post-push script.

    From the following options, select the location of the script file(s):

    • In AppViewX
    • In Device
    Pre - Push Script File Name Enter the file name of the pre-push script.
    Important: Read the pre and push script usage instructions here.
    Pre - Push Script File Path This field is displayed when Script Location = In Device.
    Enter the location on your local system where the pre-push script file is stored.
    Important: Read the pre and push script usage instructions here.
    Post - Push Script File Name Enter the file name of the post push script.
    Important: Read the pre and push script usage instructions here.
    Post - Push Script File Path This field is displayed when Script Location = In Device.
    Enter the location on your local system where the post-push script file is stored.
    Important: Read the pre and push script usage instructions here.
    Overwrite The Overwrite option is used to specify if existing certificates on the target system will be overwritten with the certificate being pushed.

    If this option is enabled, the certificate being pushed will overwrite any existing certificates with the same identifier on the target system. This will also ensure that only the latest version of the certificate is available on the target system.

    If it is disabled, the push operation will fail in the event of conflicts with the certificates on the target system.
    Push Automatically To automatically push the certificate after it is renewed/reissued to the target system, enable this checkbox.
    Note: The auto push feature for a certificate works only if enabled for the certificate application connector as well the associated certificate group. To enable this feature at the certificate group level, refer the instructions here.
  5. Click Save.
    The connector is displayed on the certificate holistic view.

Pushing a Server Certificate to a Device

  1. Go to (Menu) > CERT+ > CERTIFICATE ACTION > Push to Device > Server.
    The Server Certificate page is displayed.
  2. To push a certificate, under Common Name, click the required certificate.
    The certificate topology view is displayed.
  3. Click Push to Device. The Push to Device option will be shown if the app connector is already added to the certificate otherwise add the app connector and then proceed.
    Note:
    • Only server certificates that include their private keys will be eligible for push operations to cloud connectors.

      After push, during subsequent discovery, when the CC machine is healthy and discovery returns the pushed certificate, the pushed AppConnector should be in Sync status, else the associated AppConnector must be transitioned to an Out of Sync status.

      If a new certificate is pushed to the gateway while the old certificate for the AppConnector still exists in the inventory, then after the next discovery, the AppConnector must move to Out of Sync status for the old certificate.

    • Endpoint CSR generation is not supported for cloud connectors.
    • The Push to Device option is displayed only after an app connector is added to certificate.
    The Confirmation dialog box is displayed.
  4. Enter your comments, if required, in the text field.
  5. Click OK.
    • The approval process is triggered. The current flow is based on the default policy of two-level approvals.
    • A request ID and work order ID are generated automatically and the work order status is displayed alongside the connector in the certificate topology view.
  6. To approve the push request, from the certificate topology view, click Approve.
  7. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The work order status displayed beside the connector updates to Push-Review In Progress.
  8. To implement the push request, from the certificate topology view, click Implement.
  9. In the Confirmation dialog box:
    1. In the Manual Implementation field, to choose the mode of implementation, use the On/Off toggle.
    2. If you select Off, set the date and time to schedule the certificate push.
    3. Enter your comments in the text field and click Yes.
    The push action is triggered. After the push action is completed, the status updates to Completed.
    To refresh the certificate topology view, from the top-right corner of the screen, click Refresh.
    An automatic HTTPS-based verification job is run at regular intervals to validate that certificates are correctly installed after the push operations triggered between the intervals; the system compares served certificates with the expected ones across all associated IP:ports. The data gathered by this job is used to create the Push Validation Report that highlights the proportion of successful versus failed push operations, providing a quick view of overall push reliability.
Note: Every time a certificate is pushed to a shared location in Palo Alto Firewall / Panorama,the user currently needs to log into the device and manually commit the changes. Moving forward, pushing a certificate to the shared location will automatically trigger the commit process. The push operation will only be marked as successful in AppViewX after the commit process successfully completes on the device.

Enabling Auto Renewal of Certificates

To enable auto renewal of certificates, you need to enable the corresponding option for the group to which the certificate in question belongs, as well as the connector created for pushing that certificate.
Note: While you can enable auto push for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto push for a server certificate.
  1. To enable auto renewal for the certificate group:
    1. Go to Menu > CERT+ > Groups & Policies > Groups.
      The Group page is displayed.
    2. From the Name field, select the required certificate group.
      The Group : Modify : <group name> page is displayed.
    3. From the Other Details section of this certificate group, turn on the Renew Automatically toggle button.
    4. Click Update.
  2. To enable auto renewal for the certificate connector:
    1. Go to Menu > CERT+ > Certificate Inventory > Server.
      The Server Certificate inventory is displayed.
    2. From the inventory, for the certificate you want to enable auto renew for, click the common name.
      The holistic view of the selected certificate is displayed.
    3. For an existing CA connector for the certificate, hover over .
    4. From the menu displayed, click Edit.
      The certificate details are displayed.
    5. Under CA Details, turn on the Renew Automatically toggle.
    6. In the Start Renewing field, enter the number of days before expiration when the certificate should be renewed.
    7. Click Update.
      The holistic view of the selected certificate is displayed.
      Note: For the auto renewal process to take effect, set the auto push in the application connector. For instructions, refer to the Enabling Auto Push section.

Enabling Auto Regeneration of Certificates

Enabling Auto Regeneration for a Certificate Group

You can enable and configure the auto regeneration feature at the certificate group level, which will apply to all certificates assigned to that group.

For details and instructions to enable auto regeneration at the certificate group level, click here.

Enabling Auto Regeneration at the Certificate Level

Enabling Auto Regenerate for Certificate Enrollment

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.

For details and instructions to enable auto regeneration at the time of server certificate enrollment, click here.

Enabling Auto Regenerate for Discovered Certificates

While you can enable auto regenerate for all types of certificates, for clarity, in this section, we'll look at the instructions for enabling auto regenerate for a server certificate.
  1. Go to Menu > CERT+ > Certificate Inventory > Server.
    The Server Certificate inventory is displayed.
  2. From the inventory, for the certificate you want to enable auto push for, click the common name.
    The holistic view of the selected certificate is displayed.
  3. For an existing CA connector for the certificate, hover over .
  4. From the menu displayed, click Edit.
    The certificate details are displayed.
  5. Under CA Details, turn on the Regenerate Automatically toggle.
  6. In the Start Regenerating field, enter the number of days before expiration when the certificate should be regenerated.
  7. Click Update.
    The holistic view of the selected certificate is displayed.
    Note: For the auto regenerate process to take effect, set the auto push in the application connector. Refer to the Enabling Auto Push section.

Enabling Auto Push of Certificates to Endpoints

After setting the auto renew/regenerate in the CA connector, you must now enable the auto push in the application connector to ensure the renewed/regenerated certificates are pushed to the end device.

To enable auto push of certificates, you need to enable the corresponding option for the group to which the certificate in question belongs, as well as the connector created for that certificate.

  1. To enable auto push for the certificate group:
    1. Go to Menu > CERT+ > Groups & Policies > Groups.
      The Group page is displayed.
    2. From the Name field, select the required certificate group.
      The Group : Modify : <group name> page is displayed.
    3. From the Other Details section of this certificate group, turn on the Push Certificate Automatically toggle button.
    4. Click Update.
  2. To enable auto push for the certificate connector:
    1. From the holistic view, for an existing application connector for the certificate, hover over (More) icon.
      To add an application connector, follow the instructions given here.
    2. From the menu displayed, click Edit.
      The Edit Application Connector pop-up is displayed.
    3. Select the Push automatically checkbox.
      Important: The auto-push feature works only when it is enabled at the connector level and disabled at the group level. If enabled at the group level but disabled at the connector level, the feature will not function.
    4. Click Save.
      The holistic view of the selected certificate is displayed.
      Note: An Auto Renew Certificates job is scheduled to run every 6 hours. It auto renews the configured certificates based on the number of days before expiry. AppViewX will disable the push automatically option in the Parent certificate application connector and enable it in the renewed certificate application connector.
      Note: An Auto Regenerate Certificates job is scheduled every day. It auto regenerates the configured certificates based on the number of days before expiry.