KB Article | Forcepoint Support

Problem Description

The Forcepoint Endpoint Context Agent (ECA) configuration requires an external Certificate Authority (CA) to sign the endpoint certificates. Certificates signed by the CA are used to secure communication between the NGFW Engine and the endpoint clients.


The fastest and most convenient way is to use an existing CA that has already been used to sign and enroll certificates on the endpoints. If the endpoints do not yet have certificates, you can create a CA and a policy to enroll the new certificates. Import the CA to the SMC as a Trusted Certificate Authority element. For information about creating the Trusted Certificate Authority element, see the Forcepoint Next Generation Firewall Product Guide.

If you want to create a new CA, you can use a tool such as the Microsoft Active Directory Certificate Services (AD CS) tool. For information about AD CS, see http://technet.microsoft.com. Use the instructions in this topic to create the certificate template: https://technet.microsoft.com/en-us/library/cc731242(v=ws.10).aspx. One modification is required to enhance security: on the Extensions tab of the certificate template properties, select Client Authentication Application Policy.

Use the instructions in this topic to export the CA: https://technet.microsoft.com/en-us/library/cc730988(v=ws.10).aspx. When you export the CA, select the base-64 encoded X.509 (.cer) format. Before you import the CA to the SMC, rename the file extension to .crt.

Article Feedback

Thank you for the feedback and comments.