Create a Certificate with FSM or the Management Server
If you have not prepared a certificate, you can create a certificate signing request (CSR) from your Firebox with Firebox System Manager (FSM). You can also create a new certificate for Mobile VPN with the built-in Certificate Authority (CA) Manager on your Management Server.
When you use Firebox System Manager to create a certificate signing request, your Firebox also creates a private key. It is not possible to export this private key from your device. If you want to use the server certificate for a different device, you will need this private key to import the certificate. For an alternative method to create a certificate signing request and private key, see Create a CSR with OpenSSL.
Create a Certificate with FSM
- Start Firebox System Manager for your Firebox.
- Select View > Certificates.
- Click Create Request.
The Certificate Request Wizard starts.
- Click Next.
- Select the purpose of the completed certificate.
- If the certificate is to be used to re-encrypt inspected content with an HTTPS proxy, select Proxy Authority.
- If the certificate is to be used to re-encrypt content for a protected web server with an HTTPS proxy, select Proxy Server.
- For all other uses, including VPN, Firebox, or Management Server authentication, select IPSec, Device, Web Server, Other.
- Click Next.
- Type the device name (the host and domain name such as host.example.com), the department the device belongs to, the name of the company the device belongs to, and the city, state or province, and country. These entries are used to create the subject name.
- Click Next.
The wizard creates a subject name based on what you entered in the previous screen.
- Type the appropriate information in the DNS Name, IP Address, and User Domain Name text boxes.
- Click Next.
- By default, the certificate uses RSA encryption and 2048-bit key length. Click Next.
HTTPS proxy authority and HTTPS proxy server certificates do not have options for key usage.
- Click Next. Type the configuration passphrase.
- Click OK to see the finished CSR.
- Click Copy to copy the Certificate Signing Request to the Windows clipboard.
You must send this CSR to a certificate authority for signature before you can use it with your Firebox. When you import the finished certificate, you must first import the CA certificate used to sign the new certificate with the Other category.
- Click Next.
- On the last screen of the wizard, you can:
- Click Import Now to import a certificate.
The Import Certificate/CRL dialog box appears.
For more information about this dialog box, see Manage Device Certificates (WSM).
- Click Finish to close the wizard.
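The following is an added example, not WatchGuard's own procedure. It shows one way to create the key and CSR with OpenSSL so that the private key stays exportable, and to check a CSR (including one copied from the wizard and saved as a PEM file) before you send it to a CA. The function names, file names, and subject values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not WatchGuard's procedure). All subject values are constructed.

# make_csr DIR CN DNS IP: create a 2048-bit RSA key and a CSR in DIR.
make_csr() (
    dir=$1 cn=$2 dns=$3 ip=$4
    umask 077    # key and CSR files are created owner-only
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = Washington
L = Seattle
O = Example Company
OU = IT
CN = $cn
[ext]
subjectAltName = DNS:$dns, IP:$ip
EOF
    # -nodes leaves the key unencrypted on disk; store it accordingly.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/req.cnf" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
)

# check_csr FILE MINBITS: succeed only if the CSR self-signature verifies
# and the public key has at least MINBITS bits.
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    bits=$(openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# csr_sans FILE: print the Subject Alternative Name entries in the CSR.
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Usage: make_csr /secure/dir host.example.com host.example.com 203.0.113.10
#        check_csr /secure/dir/device.csr 2048 && csr_sans /secure/dir/device.csr
```

The check greps for "verify OK" instead of relying on the exit status, because some OpenSSL releases exit 0 even when the CSR self-signature does not verify.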
Create a Self-Signed Certificate with CA Manager
To connect to CA Manager:
- Open WatchGuard System Manager and connect to the Management Server.
You must type the configuration passphrase to connect.
- Select the Device Management tab for the Management Server.
- Click .
Or, select Tools > CA Manager.
Or, connect directly to WatchGuard WebCenter at https://<IP address of the Management Server>:4130.
To create a new certificate:
- From the CA MANAGER section, select Generate.
The Generate a New Certificate page appears.
- Type the common name, password, and certificate lifetime for the subject.
- For Firebox Authentication users, the common name must agree with the identification information for the XTM device (usually, the device IP address).
- For a generic certificate, the common name is the name of the user.
- To download the certificate after it is generated, select the Download Cert check box.
- Click Generate.