The advantage of obtaining a certificate from
an external certificate authority (CA) is that the private key does
not leave the firewall. To obtain a certificate from an external
CA, generate a certificate signing request (CSR) and submit it to
the CA. After the CA issues a certificate with the specified attributes,
import it onto the firewall. The CA can be a well-known, public
CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the
revocation status of the certificate, configure an OCSP responder
before generating the CSR.
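
A check an administrator might run between receiving the certificate from the CA and importing it, as an added example that is not part of the original documentation: it confirms the issued certificate carries the CSR's public key and prints the OCSP responder URL the CA embedded. It assumes a workstation with OpenSSL; the file names, subjects and the ocsp.example.test URL are constructed, and the locally generated keys only stand in for the firewall and the CA.

```shell
#!/bin/sh
# Added example: pre-import checks run on an admin workstation with OpenSSL.
# All file names, subjects and the OCSP URL below are constructed for the demo.

# Succeeds only if the issued certificate carries the CSR's public key, i.e. it
# will pair with the private key that never left the firewall.
cert_matches_csr() {  # usage: cert_matches_csr <csr.pem> <cert.pem>
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Prints the OCSP responder URL(s) the CA placed in the certificate, if any.
cert_ocsp_uri() {  # usage: cert_ocsp_uri <cert.pem>
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Builds constructed inputs in <dir>: fw.csr (stand-in for the firewall's CSR),
# fw.pem (issued from fw.csr, with an OCSP URL) and other.pem (issued for a
# different key, to exercise the mismatch case).
make_demo() {  # usage: make_demo <dir>
  d=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$d/fw.key" -out "$d/fw.csr" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.test\n' >"$d/ext.cnf" &&
  openssl x509 -req -in "$d/fw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/fw.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/other.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/other.pem" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir" || exit 1
cert_matches_csr "$demo_dir/fw.csr" "$demo_dir/fw.pem" && echo "fw.pem: key matches CSR"
cert_matches_csr "$demo_dir/fw.csr" "$demo_dir/other.pem" || echo "other.pem: key mismatch, do not import"
echo "OCSP responder: $(cert_ocsp_uri "$demo_dir/fw.pem")"
```

With real files, only the CSR exported from the firewall and the certificate returned by the CA are needed; no private key is involved in either check.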