Manage Device Certificates (WSM)
In Firebox System Manager, you can:
- See a list of the current Firebox certificates and their properties
- Update the trusted CA certificates
- Delete a certificate from the device
- Export a certificate for re-signing or distribution
- Import a certificate or certificate revocation list (CRL)
When you import, update, or delete a certificate on a FireCluster member, the change automatically synchronizes to the other FireCluster member. You do not need to import separate certificates for FireCluster members.
Caution: We strongly recommend you do not delete public CA certificates. If you delete a trusted CA certificate for proxies, some security services might not work.
View Certificates
To see the current list of certificates:
- Open Firebox System Manager.
- Select View > Certificates.
The Certificates dialog box opens.
In this dialog box, you can see a list of all certificates and certificate signing requests (CSRs). The list includes:
- The status and type of the certificate
- The algorithm used by the certificate (EC, RSA, or DSA)
- The subject name or identifier of the certificate
To filter the display based on certificate type, click the Show drop-down list. To sort the list, click on any column header.
- To see additional information about a certificate in the list, select the certificate and click Details.
The Certificate Details dialog box opens. You can see which CA signed the certificate and the certificate fingerprint. You can use this information to troubleshoot or uniquely identify certificates.
About Certificate Status
Signed — The certificate is valid and available for use.
Revoked — The certificate has been revoked through the Certificate Revocation List (CRL) by the issuing Certificate Authority (CA) before the expiration date.
Expired — The certificate has expired.
Not yet valid — The validity start date of the certificate is later than the current date and time on the Firebox.
Pending — The certificate signing request has been created. The matching signed certificate has to be uploaded for this certificate to be ready for use.
Update Trusted CA Certificates
Your Firebox can automatically get new versions of the trusted CA certificates stored on the Firebox and automatically install the new certificates. This update makes sure that all the trusted CA certificates on your Firebox are the latest version. Any expired certificates are updated, and new trusted CA certificates are added to your device. The updated certificates are downloaded from a secure WatchGuard server. The Firebox checks for updates every 24 hours.
To enable automatic updates:
- Open Policy Manager and then select Setup > Certificates.
- Select the Enable automatic update of trusted CA certificates check box.
- Click OK.
Delete a Certificate
When you delete a certificate, it can no longer be used for authentication. If you delete one of the automatically generated certificates, such as the self-signed certificate used by default for the proxy, your Firebox creates a new self-signed certificate for this purpose the next time it reboots or when you use the upgrade certificate command in the Command Line Interface (CLI). The Firebox does not create a new self-signed certificate automatically if you have imported a different certificate.
Caution: Traffic will fail if you delete certain certificates, such as the Proxy Authority or the Proxy Server certificates, without a replacement. If you delete a trusted CA certificate for proxies, some security services might not work. A good practice is to add the new certificate before you delete the old certificate.
You cannot remove a certificate from the Firebox if it is used in Branch Office VPN (BOVPN) IPSec tunnel configuration.
- Select the certificate in the Certificates dialog box.
- Click Delete.
The Remove Certificate dialog box opens.
- In the User Name and Passphrase text boxes, type the credentials for a user account with Device Administrator (read/write) privileges.
- Click OK.
The Certificate is deleted.
Import a CRL
You can import a certificate revocation list (CRL) from a file on your local computer. CRLs are used only to verify the status of certificates used for VPN authentication. The CRL must be in PEM (base64) encoded format.
- Click Import CRL.
- Click Browse and find the file and then click OK.
- In the User Name and Passphrase text boxes, type the credentials for a user account with Device Administrator (read/write) privileges.
- Click OK.
The CRL you specified is appended to the CRL on your device.
Import a Certificate
You can import a certificate from the Windows clipboard, or from a file on your local computer. Certificates must be in Base64 PEM encoded format or PFX file format.
In Fireware v12.2.1 or lower, before you import a certificate to use with the proxy content inspection feature, you must import each previous certificate in the chain of trust of the type General Use. Start with the root CA certificate and proceed to any intermediate CA certificates.
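As an added example (not WatchGuard code), the status labels described under About Certificate Status and the root-first import order required by Fireware v12.2.1 or lower, written as a preflight check in Python. The CertInfo model, the sample chain, the CRL entries and the device clock are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CertInfo:
    # Fields shown in the Certificates dialog; signed=False models a CSR whose
    # matching signed certificate has not been uploaded yet (hypothetical model)
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    signed: bool = True

def certificate_status(cert, firebox_time, crl):
    """Label a certificate the way the Certificates dialog does; crl is the set
    of (issuer, serial) pairs the imported CRL lists as revoked."""
    if not cert.signed:
        return "Pending"
    if (cert.issuer, cert.serial) in crl:
        return "Revoked"
    if firebox_time < cert.not_before:
        return "Not yet valid"   # Firebox clock is earlier than the validity start
    if firebox_time > cert.not_after:
        return "Expired"
    return "Signed"

def import_order(chain):
    """Order a chain root CA first, then each intermediate CA, then the leaf:
    the sequence Fireware v12.2.1 or lower needs for General Use imports."""
    roots = [c for c in chain if c.issuer == c.subject]
    if len(roots) != 1:
        raise ValueError("chain must contain exactly one self-signed root")
    ordered, current = [], roots[0]
    while current is not None:
        ordered.append(current)
        children = [c for c in chain if c.issuer == current.subject and c is not current]
        current = children[0] if children else None
    if len(ordered) != len(chain):   # a missing link or a branching chain
        raise ValueError("chain is not one linear path from the root")
    return ordered

def jan1(year):  # constructed sample dates, not real certificate data
    return datetime(year, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # the Firebox clock
CHAIN = [  # constructed chain, deliberately listed out of order
    CertInfo("Example Proxy Authority", "Example Issuing CA", 3, jan1(2024), jan1(2025)),
    CertInfo("Example Root CA", "Example Root CA", 1, jan1(2020), jan1(2040)),
    CertInfo("Example Issuing CA", "Example Root CA", 2, jan1(2022), jan1(2032)),
]
CRL = {("Example Issuing CA", 3)}   # constructed: the re-signing CA is listed as revoked
```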
About PFX Files
A PFX file is a password protected certificate bundle archive file that contains the entire certificate chain and matching private key. A PFX bundle contains all the required certificates, and is uploaded as a single file.
About Certificate Functions
General Use — Select this option for root or intermediate CA certificates, VPN tunnel, web server, or other certificates.
Proxy Authority (re-signing CA certificate for outbound content inspection) — Select this option if the certificate is for a re-signing CA certificate for outbound content inspection.
Proxy Server (web server certificate for inbound content inspection) — Select this option if the certificate is for a server certificate for inbound content inspection.
For more information, go to About Certificates and Use Certificates with Outbound HTTPS Proxy Content Inspection.
Import Certificate with Firebox System Manager
- Open Firebox System Manager.
- Select View > Certificates.
The Certificates dialog box opens.
- Click Import Certificate.
The Certificate Import Wizard opens.
- Click Next.
- On the Certificate Function page, select the option that matches the function of the certificate (General Use, Proxy Authority, or Proxy Server, as described in About Certificate Functions):
- If you selected Proxy Server:
- To make this the default Proxy Server certificate, select the Import as default Proxy Server check box. This will remove the option to specify a Certificate Display Name.
If you are importing a certificate for inbound SMTP content inspection, it must be loaded as the default certificate.
- In the Certificate Display Name text box, type a name that helps you identify this certificate. If a certificate with that name already exists and you want to overwrite it, select the Overwrite if certificate already exists check box.
- Click Next.
- From the Certificate Type page, select the Base64 (PEM) certificate or PFX file certificate type.
If you selected Base64 (PEM) certificate, you can click Browse and select and load the certificate from a file, or copy and paste the PEM certificate contents in the text box.
If you selected PFX file, type the PFX File Password, and click Choose File to select the PFX file to upload.
- Click Next.
The certificate is added to the Firebox.
- Click Finish.
In Fireware v12.2 or lower, click Import Certificate in the Firebox System Manager Certificates dialog box and begin with Step 5 (select the option that matches the function of the certificate).
- Open Firebox System Manager.
- Select View > Certificates.
The Certificates dialog box opens.
- Follow the steps for a certificate signing request outlined in Create a Certificate CSR.
- On the last page of the wizard, click Import Now.
The Import Certificate dialog box opens.
- Select the option that matches the function of the certificate (General Use, Proxy Authority, or Proxy Server, as described in About Certificate Functions):
- If you selected Proxy Server:
- To make this the default Proxy Server certificate, select the Import as default Proxy Server check box. This will remove the option to specify a Certificate Display Name.
- In the Certificate Display Name text box, type a name that helps you identify this certificate. If a certificate with that name already exists and you want to overwrite it, select the Overwrite if certificate already exists check box.
- From the Certificate Type drop-down list, select the Base64 (PEM) certificate or PFX file type.
- If you selected Base64 (PEM) certificate, you can load the certificate from a file, or copy and paste the PEM certificate contents in the text box.
If you selected PFX file, type the PFX File Password, and click Choose File to select the PFX file to upload.
- Click Import Certificate.
The certificate is added to the Firebox.