Import a Certificate on a Client Device

When you configure your Firebox to use a certificate for HTTPS content inspection or authentication, you must import that certificate on each client in your network to prevent security warnings in their web browsers. You can perform this import on each individual client device, or use group policies with Microsoft Active Directory to automatically install the certificate for all clients.

For HTTPS Proxy content inspection you can use the default Proxy Authority CA certificate on your device. If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate on your device that is signed by your organization's CA.

For more information on content inspection and certificates, see Use Certificates with HTTPS Proxy Content Inspection.

For instructions on how to export a certificate from your Firebox, see Export a Certificate from Your Firebox.

When you export a certificate from your device, the certificate is saved in PEM format. For some certificate distribution methods, the preferred certificate format for import is the DER format. For information on how to convert certificate formats, see Convert Certificate Format.

Each client operating system and web browser have different methods to import certificates. Instructions for the most common operating system and web browsers are described in the next sections. For other operating systems and browsers, see the manufacturer's documentation.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.

Import a Certificate from the Certificate Portal on the Firebox
Import a Certificate on Windows Clients with Internet Explorer
Import a Certificate on Windows Clients with Active Directory Group Policy
Import a Certificate with Mozilla Firefox
Import a Certificate with Mac OS X and Apple Safari
Import a Certificate with an Apple iOS Device
Import a Certificate with an Android Device

Import a Certificate from the Certificate Portal on the Firebox

A client can download and install the Proxy Authority certificate from the Certificate Portal on the Firebox at http://<Firebox IP address>:4126/certportal. For more information, see Certificate Portal.

Import a Certificate on Windows Clients with Internet Explorer

When you install a certificate in the Trusted Root Certification Authorities with Internet Explorer, this enables the entire system, including other programs or services that use the Windows certificate store, to use that certificate. For example, the Google Chrome browser for Windows and Windows Update will also use any installed certificates.

If the certificate is in DER format, you can format the file name with an extension of .der, .cer, or .crt. You can then distribute this certificate to users who can double-click the certificate file to start the Certificate Installer on their system.

To import a certificate with Internet Explorer manually:

Select Tools.
Select Internet Options.
Select the Content tab.
Click Certificates.
Click Import and follow the steps in the Certificate Import Wizard to import the certificates. You must specify the Trusted Root Certification Authorities as the location for the certificate during this process.

Import a Certificate on Windows Clients with Active Directory Group Policy

You can also deploy certificates to your Windows client devices through a group policy object from your Active Directory server. This enables you to update all Windows clients on your domain automatically with the required certificates.

For instructions, see the Microsoft documentation for your operating system:

Windows Server 2012, 2012 R2, and 2016 — Distribute Certificates to Client Computers by Using Group Policy

Import a Certificate with Mozilla Firefox

To import a certificate with Mozilla Firefox:

Select Options.
Select the Advanced tab.
Select the Certificates tab.
Click View Certificates.
Select the Authorities tab.
Click Import.
Browse to select the certificate file, then click Open.
In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box.
Click OK.
Restart Firefox.

Import a Certificate with Mac OS X and Apple Safari

This process allows Safari and other programs or services that use the Mac OS X certificate store to get access to the certificate.

Open the Keychain Access application.
Select the Certificates category.
Click + (the plus icon button) on the lower toolbar, then find and select the certificate.
Select the System keychain, then click Open.
Or, select the System keychain, then drag-and-drop the certificate file into the list.
Right-click the certificate and select Get Info.
A certificate information window appears.
Expand the Trust category.
In the When using this certificate drop-down list, select Always Trust.
Close the certificate information window.
Type your administrator password to confirm your changes.

Import a Certificate with an Apple iOS Device

To import a certificate with an Apple iOS device, such as an iPhone or iPad, you need to use a DER format certificate file. For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Export a Certificate from Your Firebox and Convert Certificate Format.

The certificate file can be distributed to end users in several ways, such as email, website download, iOS configuration profile, or installation by the Simple Certificate Enrollment Protocol (SCEP).

If you receive a certificate file by email or website download, tap the certificate to add it to the device. For example, to add a certificate distributed by email:

Open the Mail app.
Open the email that contains the attached certificate.
Tap the attached certificate.
The Install Profile Dialog appears.
Tap Install.

If a warning message appears, you may safely ignore it at this time and tap Install. This message appears if the iOS device does not trust the signing authority for this certificate.

After you install the certificate, you must enable the certificate in the Certificate Trust Settings if your device has iOS 10.3 or higher:

Select Settings > General > About.
Select Certificate Trust Settings.
In the Enable Full Trust for Root Certificates section, tap the slider for the certificate.
Tap Continue.

Import a Certificate with an Android Device

The instructions to add a certificate to an Android device are different depending on the device manufacturer. These general rules apply:

You must have a version of Android that is 4.3 and higher to add a certificate.
Android supports DER-encoded X.509 certificates. Certain devices require the certificates to be saved with a .crt or .cer file extension.

For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Export a Certificate from Your Firebox and Convert Certificate Format.

If you have a copy of the certificate on your device as an email attachment or file download, some devices allow you to tap the certificate to import it to your device.

Open the email application on your Android device.
Open the email that contains the attached certificate.
Tap the attached certificate.
The Name the Certificate dialog box appears.
Type a descriptive name for the certificate.
Tap OK.

To import a certificate saved to the internal storage of an Android device:

In your Android device settings, go to the security settings where certificates and credentials are stored.
Import the certificate.