Manage Device Certificates (Web UI)
- View a list of the current Firebox certificates and their properties
- Update Trusted CA certificates
- Remove a certificate from the Firebox
- Import a certificate or certificate revocation list (CRL)
- Export a certificate for re-signing or distribution
- Create a certificate signing request (CSR)
- Configure the Firebox Web Server certificate
When you import, update, or delete a certificate on a FireCluster member, the change automatically synchronizes to the other FireCluster member. You do not need to import separate certificates for FireCluster members.
Caution: We strongly recommend you do not delete public CA certificates. If you delete a trusted CA certificate for proxies, some security services might not work.
View Certificates
To view and manage the current list of certificates, select System > Certificates.
Use the drop-down list to filter the display based on certificate type.
The Certificates list includes:
- The status of the certificate
- The import date of the certificate
- The type of certificate
- The algorithm used by the certificate (EC, RSA, or DSS)
- The subject name or identifier of the certificate
To view a certificate, select the certificate, then click Details.
About Certificate Status
Signed — The certificate is valid and available for use.
Revoked — The certificate has been revoked through the Certificate Revocation List (CRL) by the issuing Certificate Authority (CA) before the expiration date.
Expired — The certificate has expired.
Not yet valid — The certificate's validity start date is later than the current date and time on the Firebox.
Pending — The certificate signing request has been created. The matching signed certificate has to be uploaded for this certificate to be ready for use.
Remove a Certificate
When you remove a certificate, it can no longer be used for authentication. If you remove one of the automatically generated certificates, such as the self-signed certificate used by default for the proxy, your Firebox creates a new self-signed certificate for this purpose the next time it reboots. The device does not create a new self-signed certificate automatically if you have imported a different certificate.
Do not remove the Proxy Authority certificate and leave the Firebox with no certificate for that function. If the device restarts, the Firebox automatically replaces the missing certificate with a default certificate.
If you delete a trusted CA certificate for proxies, some security services might not work.
You cannot remove a certificate from the Firebox if it is used in Branch Office VPN (BOVPN) IPSec tunnel configuration.
To remove a certificate from the device:
- Select System > Certificates.
- Select the certificate in the Certificates dialog box.
- Click Remove.
The Remove Certificate dialog box opens.
- Click OK.
The certificate is deleted.
Export a Certificate
You can export a certificate for re-signing by a trusted CA, or for distribution to clients on your network. The certificate is saved in PEM format.
- Select System > Certificates.
- Select a certificate, then click Export.
Update Trusted CA Certificates
Your Firebox can automatically get new versions of the trusted CA certificates stored on the Firebox and automatically install the new certificates. This update makes sure that all the trusted CA certificates on your Firebox are the latest version. Any expired certificates are updated, and new trusted CA certificates are added to your Firebox. The updated certificates are downloaded from a secure WatchGuard server. The Firebox checks for updates every 48 hours.
- Select System > Certificates.
- Select the Enable automatic updates of CA certificates check box.
- Click Update Trusted CA Certificates to update your trusted CA certificates immediately. You can select from these options:
- Download the latest versions of the Trusted CA certificates
- Add an additional Trusted CA certificate (Base64 PEM)
Import a Certificate
You can import a certificate from the Windows clipboard or from a file on your local computer. Certificates must be in Base64 PEM encoded format or PFX file format.
Before you import a certificate to use with the proxy content inspection feature, you must import each previous certificate in the chain of trust of the type General Use. Start with the root CA certificate and proceed to the final certificate in the chain of trust, in that order.
To import a CA certificate for your Firebox to use to validate other certificates when they are imported and create a chain of trust, make sure to select the General Use category when you import the CA certificate and do not include the private key.
About PFX Files
A PFX certificate bundle contains all the required certificates and private key, and is uploaded as a single file.
To use a PFX bundle for HTTPS content inspection, you must have two PFX files:
- The first proxy authority PFX file must have the root CA certificate that issued the proxy authority certificate, and the proxy authority certificate with its private key.
- The second proxy server PFX file must have the root CA certificate that issued the proxy server certificate, and the proxy server certificate with its private key.
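As an added example (not WatchGuard code), this script builds the proxy authority PFX bundle described above from constructed certificates, then checks a bundle before you import it: the private key is present, the leaf certificate is itself a CA (required for the Proxy Authority function), and the included CA certificate actually issued it. It assumes openssl 1.1.1 or later is installed; the subject names and the password are placeholders.

```shell
#!/bin/sh
# Added example, not WatchGuard code: build a Proxy Authority PFX bundle from
# constructed certificates and check it against the requirements above.
# Assumes openssl 1.1.1+; names and the password "changeit" are placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA: the CA that issues the proxy authority certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# Constructed proxy authority: must itself be a CA, because the Firebox re-signs with it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Proxy Authority" \
  -keyout proxyca.key -out proxyca.csr 2>/dev/null
openssl x509 -req -in proxyca.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out proxyca.pem 2>/dev/null

# Bundle: proxy authority cert + its private key + the root CA that issued it (-certfile).
openssl pkcs12 -export -inkey proxyca.key -in proxyca.pem -certfile root.pem \
  -passout pass:changeit -out proxy-authority.pfx
# Deliberately incomplete bundle (no root CA) to show what the check rejects.
openssl pkcs12 -export -inkey proxyca.key -in proxyca.pem \
  -passout pass:changeit -out no-root.pfx

# Keep only PEM blocks; drops the "Bag Attributes" preamble that pkcs12 prints.
pem_only() { sed -n '/-----BEGIN/,/-----END/p'; }

# check_pfx FILE PASSWORD: returns 0 only if the bundle has a private key, a CA
# certificate as its leaf, and an included CA certificate that verifies that leaf.
check_pfx() {
  d=$(mktemp -d); ok=1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | pem_only > "$d/key.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | pem_only > "$d/leaf.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null | pem_only > "$d/ca.pem"
  if grep -q 'BEGIN .*PRIVATE KEY' "$d/key.pem" \
     && openssl x509 -in "$d/leaf.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
     && grep -q 'BEGIN CERTIFICATE' "$d/ca.pem" \
     && openssl verify -CAfile "$d/ca.pem" "$d/leaf.pem" >/dev/null 2>&1; then ok=0; fi
  rm -rf "$d"; return $ok
}

check_pfx proxy-authority.pfx changeit && echo "proxy-authority.pfx: OK"
check_pfx no-root.pfx changeit || echo "no-root.pfx: rejected (issuing root CA missing)"
```

The same check applies to the proxy server bundle, except that its leaf is a server certificate rather than a CA, so drop the CA:TRUE test for that case.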
About Certificate Functions
General Use — Select this option for root or intermediate CA certificates, VPN tunnel, web server, or other certificates.
Proxy Authority (re-signing CA certificate for outbound content inspection) — Select this option if the certificate is for a proxy policy that manages web traffic requested by users on trusted or optional networks from a web server on an external network. A certificate you import for this purpose must be a CA certificate. Before you import the CA certificate used to re-encrypt traffic with a proxy, make sure the CA certificate used to sign this certificate was imported with the General Use category.
Proxy Server (server certificate for inbound content inspection) — Select this option if the certificate is for a proxy policy that manages web traffic requested by users on an external network from a web server protected by the Firebox. Before you import the proxy server certificate used to re-encrypt traffic from a web server, make sure the CA certificate used to sign this certificate was imported with the General Use category.
For more information, go to About Certificates, Use Certificates with Outbound HTTPS Proxy Content Inspection, and SMTP-Proxy: STARTTLS Encryption.
Import Certificate with Fireware Web UI
- Select System > Certificates.
The Certificates page opens.
- Click Import Certificate.
The Import Certificate Wizard opens.
- Click Next.
- On the Certificate Function page, select the intended function for the certificate.
- If you selected Proxy Server:
  - To make this the default Proxy Server certificate, select the Import as default Proxy Server check box. This removes the option to specify a Certificate Display Name.
  - In the Certificate Display Name text box, type a name that helps you identify this certificate. If the certificate name already exists, and you want to overwrite the current certificate, select the Overwrite if certificate already exists check box.
- Click Next.
- On the Import Type page, select the Base64 (PEM) certificate or PFX file certificate type.
  - If you selected Base64 (PEM) certificate, you can click Browse to select and load the certificate from a file, or copy and paste the PEM certificate contents in the text box. If the certificate includes a private key, type the password to decrypt the key.
  - If you selected PFX file, type the PFX File Password, and click Browse to select the PFX file to upload.
- Click Next.
The certificate is added to the Firebox.
- Click Finish.
- Follow the steps for a certificate signing request outlined in Create a Certificate CSR.
- On the last page of the wizard, click Finish & Import.
The Import Certificate page opens.
- Select the option that matches the function of the certificate.
- If you selected Proxy Server:
  - To make this the default Proxy Server certificate, select the Import as default Proxy Server check box. This removes the option to specify a Certificate Display Name.
  - In the Certificate Display Name text box, type a name that helps you identify this certificate. If the certificate name already exists, and you want to overwrite the current certificate, select the Overwrite if certificate already exists check box.
- From the Certificate Type drop-down list, select the Base64 (PEM) certificate or PFX file type.
  - If you selected Base64 (PEM) certificate, you can load the certificate from a file, or copy and paste the PEM certificate contents in the text box. If the certificate includes a private key, type the password to decrypt the key.
  - If you selected PFX file, type the PFX File Password, and click Choose File to select the PFX file to upload.
- Click OK.
The certificate is added to the Firebox.
Import a CRL
You can import a certificate revocation list (CRL) that you have previously downloaded from your local computer. CRLs are used only to verify the status of certificates used for VPN authentication. Certificates must be in PEM (Base64) encoded format.
- Select System > Certificates.
- Click Import CRL.
- Click Browse and find the file.
- Click Import.
The Import CRL dialog box opens.
- Click OK.
The CRL you specified is appended to the CRL on your device.
Create a Certificate Signing Request (CSR)
You can create a certificate signing request (CSR) from your Firebox with Fireware Web UI or Firebox System Manager (FSM). To create a self-signed certificate, you add part of a cryptographic key pair in a CSR and send the request to a CA (Certificate Authority). The CA issues a certificate after the CA receives the CSR and verifies your identity.
For more information on how to create a certificate signing request, go to Create a Certificate CSR.
Configure the Firebox Web Server Certificate
The Firebox uses a default Web Server certificate for user connections to the Firebox, such as management connections.
When users connect to your Firebox with a web browser, they often see a security warning. This warning occurs because the default certificate is not trusted, or because the certificate does not match the IP address or domain name used for authentication. To configure the Firebox Web Server certificate, go to Configure the Firebox Web Server Certificate.
You can also use a third-party or self-signed certificate that matches the IP address or domain name for user authentication. You must import that certificate on each client browser or device to prevent the security warnings. For more information on how to import and install a third-party Web Server certificate, go to Import and Install a Third-Party Web Server Certificate.