They store private keys for users and devices, effectively allowing the firewall to issue or reissue certificates if the primary Certificate Authority (CA) becomes unavailable, providing a built-in fallback CA to maintain continuous certificate issuance and authentication.

They define trust anchors (root / intermediate Certificate Authorities (CAs)), specify revocation checks (CRL/OCSP), and map certificate attributes (e.g., CN) for user or device authentication.

They allow the firewall to bypass certificate validation entirely, focusing only on username / password-based authentication.

They provide a one-click mechanism to distribute certificates to all endpoints without relying on external enrollment methods.