Create a Certificate CSR
You can create a certificate signing request (CSR) from your Firebox with Fireware Web UI or Firebox System Manager (FSM). To get a certificate signed by a CA, you include the public key of a cryptographic key pair in a CSR and send the request to a Certificate Authority (CA). The CA issues a certificate after it receives the CSR and verifies your identity.
If you have FSM or Management Server software installed, you can use these programs to create a CSR for your Firebox. You can also use other tools, such as OpenSSL or the Microsoft CA Server that comes with most Windows Server operating systems. For more information, see Create a CSR with OpenSSL or Sign a Certificate with Microsoft CA. You can also create a new certificate for Mobile VPN with the built-in Certificate Authority (CA) Manager on your Management Server.
We recommend that you use third-party software to generate the CSR. This allows the certificate to be used on another Firebox if you upgrade to a newer model, migrate to another Firebox, or return the Firebox for an RMA replacement.
If you do not have a CA set up in your organization, we recommend that you choose a prominent CA to sign the CSRs you use, except for the Proxy Authority certificate. If a prominent CA signs your certificates, your certificates are automatically trusted by most users. You can also import additional certificates so that your Firebox trusts other CAs.
Proxy Authority Certificates and CSRs
To create a proxy authority certificate for use with the HTTPS-proxy content inspection feature, you must create a CA certificate that can re-sign other certificates. If you create a CSR and have it signed by a prominent CA, it cannot be used as a re-signing CA certificate for content inspection. We recommend that you use the Firebox default proxy authority certificate, or a certificate signed by your own internal CA. For example, if your organization uses Microsoft Active Directory Certificate services, you can use it to sign the certificate so that it will be trusted by clients in your organization. For more information, go to Use Certificates with Outbound HTTPS Proxy Content Inspection.
Create a CSR with Fireware Web UI
- Select System > Certificates.
- Click Create CSR.
The CSR Wizard starts.
- Click Next.
- Select the purpose of the completed certificate.
- If the certificate will be used to re-encrypt inspected content with an HTTPS proxy, select Proxy Authority.
- If the certificate will be used to re-encrypt content for a protected web server with an HTTPS proxy, select Proxy Server.
- For all other uses, including VPN, Firebox, or Management Server authentication, select General Use.
- Click Next.
- Type these certificate request details:
- Name (CN) — The CN (Common Name) is the fully qualified domain name of the device you want to secure, such as host.example.com.
- Department Name (OU) — Type the OU (Organizational Unit) that the device belongs to. For example, IT or Sales.
- Company Name (O) — Type the company name that the device belongs to.
- City/Location (L) — Type the city or location where the device is located.
- State/Province (ST) — Type the two-character state or province code where the device is located.
- Country (C) — Type the two-character country code where the device is located.
- Click Next.
The wizard creates a subject name based on the information you entered on the previous page.
- Type the appropriate domain information:
- Subject Name — The Subject Name is completed automatically with information from the previous step.
- DNS Name — The DNS name of the device you want to secure, such as host.example.com.
- IP Address — The IP address of the device you want to secure.
- User Domain Name — The administrator email address for the device domain.
- Click Next.
- Select the encryption, key length, and key usage. By default, the certificate uses RSA encryption, 3072-bit key length, and both encryption and signatures for key usage.
HTTPS proxy authority and HTTPS proxy server certificates do not have options for key usage.
- Click Next.
- The generated CSR is displayed.
You must send this CSR to a certificate authority (CA) for signing before you can use it with your Firebox.
For a proxy authority certificate for HTTPS content inspection, you cannot use a public CA because public CA providers do not provide a CA certificate with permission to sign other certificates. We recommend you use an internal CA in your organization.
When you import the finished certificate, you must first import the CA certificate used to sign the new certificate with the General Use category.
- Click Finish & Import to import a certificate.
The Import Certificate dialog box opens.
- Click Finish to close the wizard.
Create a CSR with Firebox System Manager
- Start Firebox System Manager for your Firebox.
- Select View > Certificates.
- Click Create CSR.
The CSR Wizard starts.
- Click Next.
- Select the purpose of the completed certificate.
- If the certificate will be used to re-encrypt inspected content with an HTTPS proxy, select Proxy Authority.
- If the certificate will be used to re-encrypt content for a protected web server with an HTTPS proxy, select Proxy Server.
- For all other uses, including VPN, Firebox, or Management Server authentication, select General Use.
- Click Next.
- Type these certificate request details:
- Name (CN) — The CN (Common Name) is the fully qualified domain name of the device you want to secure, such as host.example.com.
- Department Name (OU) — Type the OU (Organizational Unit) that the device belongs to. For example, IT or Sales.
- Company Name (O) — Type the company name that the device belongs to.
- City/Location (L) — Type the city or location where the device is located.
- State/Province (ST) — Type the two-character state or province code where the device is located.
- Country (C) — Type the two-character country code where the device is located.
- Click Next.
The wizard creates a subject name based on the information you entered on the previous screen.
- Type the appropriate domain information:
- Subject Name — The Subject Name is completed automatically with information from the previous step.
- DNS Name — The fully qualified domain name of the device you want to secure, such as host.example.com.
- IP Address — The IP address of the device you want to secure.
- User Domain Name — The administrator email address for the device domain.
- Click Next.
- Select the encryption, key length, and key usage. By default, the certificate uses RSA encryption, 3072-bit key length, and both encryption and signatures for key usage.
HTTPS proxy authority and HTTPS proxy server certificates do not have options for key usage.
- Click Next.
- Type the credentials for a user account with Device Administrator (read/write) privileges.
- Click OK to see the generated CSR.
- Click Copy to copy the Certificate Signing Request to the Windows clipboard.
You must send this CSR to a certificate authority (CA) for signature before you can use it with your Firebox.
For a proxy authority certificate for HTTPS content inspection, you cannot use a public CA because public CA providers do not provide a CA certificate with permission to sign other certificates. We recommend you use an internal CA in your organization.
When you import the finished certificate, you must first import the CA certificate used to sign the new certificate with the General Use category.
- Click Next.
- On the last page of the wizard, you can:
- Click Import Now to import a certificate.
The Import Certificate dialog box opens.
For more information about this dialog box, see Manage Device Certificates (WSM).
- Click Finish to close the wizard.
Create a Certificate with CA Manager
To connect to CA Manager:
- Open WatchGuard System Manager and connect to the Management Server.
You must type the configuration passphrase to connect.
- Select the Device Management tab for the Management Server.
- Click the CA Manager icon.
Or, select Tools > CA Manager.
Or, connect directly to WatchGuard WebCenter at https://<IP address of the Management Server>:4130.
To create a new certificate:
- From the CA MANAGER section, select Generate.
The Generate a New Certificate page opens.
- Type the common name, password, and certificate lifetime for the subject.
- For Firebox Authentication users, the common name must match the identification information for the Firebox (usually, the Firebox IP address).
- For a generic certificate, the common name is the name of the user.
- To download the certificate after it is generated, select the Download Cert check box.
- Click Generate.
When you use Firebox System Manager to create a certificate signing request, your Firebox also creates a private key. It is not possible to export this private key from your device. If you want to use the server certificate for a different device, you will need this private key to import the certificate. For an alternative method to create a certificate signing request and private key, go to Create a CSR with OpenSSL.
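Because the private key behind a Firebox-generated CSR never leaves the device, a certificate issued for that CSR is only usable where that key lives. The following added example, not WatchGuard's code, shows the check to run before importing a certificate together with a private key on another device: compare the SHA-256 fingerprint of the public key inside the certificate with the public half of the key you hold, so a mismatch is caught before the import rather than as a failed TLS handshake. It assumes `openssl` 1.1.1 or later; the key and certificate files are constructed fixtures.

```shell
#!/bin/sh
# Added example, not WatchGuard's code: confirm that a private key is the one a
# certificate was issued for by comparing public-key fingerprints on both sides.
# Assumes openssl 1.1.1+ on PATH. The key and certificate below are constructed fixtures.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# SHA-256 fingerprint of the DER-encoded public key embedded in a certificate ($1 = PEM certificate).
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | \
        openssl dgst -sha256 | awk '{ print $NF }'
}
# SHA-256 fingerprint of the public half of a private key ($1 = PEM private key).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}
# Returns 0 when the key and the certificate belong together, 1 otherwise.
key_matches_cert() { [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]; }

# Constructed fixtures: a key with a certificate issued for it, and an unrelated key
# (standing in for the non-exportable key a different Firebox generated for its own CSR).
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/right.key" -out "$WORK/server.pem" \
        -days 30 -subj "/CN=host.example.com" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
}

if [ "${1:-}" = run ]; then
    make_fixtures
    if key_matches_cert "$WORK/right.key" "$WORK/server.pem"; then echo "right.key matches server.pem"; fi
    if ! key_matches_cert "$WORK/other.key" "$WORK/server.pem"; then echo "other.key does not match server.pem"; fi
fi
```

Run it with `sh key-check.sh run`. Comparing the DER-encoded public key rather than the RSA modulus alone keeps the same check valid for ECDSA keys, and hashing it means the two values can be compared in a ticket or chat without pasting the keys themselves.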