This is expected behavior.
Locally managed Quantum Spark / SMB appliances do not support internal certificate administration. Refer to sk110533.
The appliance should be running R80.20.X (Quantum Spark) or R77.20.75 B2270 or higher (SMB).
To use an external CA:
- In the appliance WebUI, go to VPN > Trusted CAs.
- Import the external root CA [or the sub CA that generated/signed the '.p12' or '.pfx' file] to the firewall's trusted CAs.
- On the VPN endpoint client side, select the authentication method 'Certificate - P12' or 'Certificate - CAPI' and use the '.p12' or '.pfx' file generated/signed by the external CA that you imported.
- No Active Directory (AD) servers should be configured on the appliance.
- Remote access permissions for RADIUS users should be disabled on the 'Authentication Server' page.
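
Before importing a CA under VPN > Trusted CAs, it helps to confirm that it is the one that actually signed the client's '.p12' or '.pfx' file. The following is an added example, not part of the original article or of Check Point's tooling: it uses the OpenSSL command line, and the function names, the P12_PASS variable and the throwaway demo PKI are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: check that the client certificate inside a .p12/.pfx file
# was signed by the CA file you plan to import as a trusted CA.

# Usage: p12_issued_by CA_PEM P12_FILE
# The .p12 password is read from the exported variable P12_PASS so that it
# does not show up in the process list.
# Returns 0 = signed by this CA, 1 = not signed by it, 2 = file/password error.
p12_issued_by() {
    ca_pem=$1; p12=$2
    leaf=$(mktemp) || return 2
    # Extract only the client (leaf) certificate; the private key stays put.
    if ! openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
            -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"
        return 2
    fi
    # -partial_chain lets a sub CA act as the trust anchor, which matches
    # the case where the sub CA (not the root) is the certificate imported.
    rc=0
    openssl verify -partial_chain -CAfile "$ca_pem" "$leaf" >/dev/null 2>&1 || rc=1
    rm -f "$leaf"
    return $rc
}

# Constructed sample data: two throwaway CAs (ca_a, ca_b) and one client
# .p12 signed by ca_a, all written into directory $1.
make_demo_pki() {
    d=$1
    for ca in ca_a ca_b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-vpn-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca_a.pem" -CAkey "$d/ca_a.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
        -passout env:P12_PASS -out "$d/user.p12" 2>/dev/null
}
```

A return value of 1 means the CA file you checked is not the issuer of the client certificate, so importing it would not make the appliance trust that '.p12' file.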
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.