Create a Certificate with FSM or the Management Server

If you have not prepared a certificate, you can create a certificate signing request (CSR) from your Firebox with Firebox System Manager (FSM). You can also create a new certificate for Mobile VPN with the built-in Certificate Authority (CA) Manager on your Management Server.

When you use Firebox System Manager to create a certificate signing request, your Firebox also creates a private key. It is not possible to export this private key from your device. If you want to use the server certificate for a different device, you will need this private key to import the certificate. For an alternative method to create a certificate signing request and private key, see Create a CSR with OpenSSL.

Create a Certificate with FSM

  1. Start Firebox System Manager for your Firebox.
  2. Select View > Certificates.
  3. Click Create Request.
    The Certificate Request Wizard starts.
  4. Click Next.
  5. Select the purpose of the completed certificate:
    • If the certificate is to be used to re-encrypt inspected content with an HTTPS proxy, select Proxy Authority.
    • If the certificate is to be used to re-encrypt content for a protected web server with an HTTPS proxy, select Proxy Server.
    • For all other uses, including VPN, Firebox, or Management Server authentication, select IPSec, Device, Web Server, Other.

Certificate Request Wizard, select purpose for generating the CSR screen

  6. Click Next.
  7. Type the device name (the host and domain name such as host.example.com), the department the device belongs to, the name of the company the device belongs to, and the city, state or province, and country. These entries are used to create the subject name.

screenshot of Certificate Request Wizard

  8. Click Next.
    The wizard creates a subject name based on what you entered in the previous screen.
  9. Type the appropriate information in the DNS Name, IP Address, and User Domain Name text boxes.

screenshot of Certificate Request Wizard

  10. Click Next.
  11. By default, the certificate uses RSA encryption and 2048-bit key length. Click Next.
    HTTPS proxy authority and HTTPS proxy server certificates do not have options for key usage.

Certificate Request Wizard, specify algorithm, key length, and key usage screen

  12. Click Next. Type the configuration passphrase.
  13. Click OK to see the finished CSR.

screenshot of finished Certificate Request Wizard

  14. Click Copy to copy the Certificate Signing Request to the Windows clipboard.
    You must send this CSR to a certificate authority for signature before you can use it with your Firebox. When you import the finished certificate, you must first import the CA certificate used to sign the new certificate with the Other category.
  15. Click Next.
  16. On the last screen of the wizard, you can:
    • Click Import Now to import a certificate.
      The Import Certificate/CRL dialog box appears.
      For more information about this dialog box, see Manage Device Certificates (WSM).
    • Click Finish to close the wizard.
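
Before you send the copied CSR to a certificate authority, you can confirm that its subject name, DNS Name and IP Address entries, and key length match what you typed in the wizard. The script below is an added example, not part of the WatchGuard documentation; it assumes the openssl command-line tool (1.1.1 or later) and that you pasted the CSR into a file, and the host name, IP address, and file names are constructed sample values.

```shell
#!/bin/sh
# Added example, not WatchGuard code. Assumes the openssl CLI (1.1.1 or later).

# Constructed stand-in for the CSR text copied from the wizard. The throwaway
# private key is deleted because only the request is inspected here.
make_sample_csr() {   # usage: make_sample_csr OUT.csr [RSA_BITS]
    openssl req -new -newkey "rsa:${2:-2048}" -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=US/ST=WA/L=Seattle/O=Example Co/OU=IT/CN=host.example.com" \
        -addext "subjectAltName=DNS:host.example.com,IP:203.0.113.10" 2>/dev/null
    csr_rc=$?
    rm -f "$1.key"
    return "$csr_rc"
}

# Print the Subject Alternative Name entries (the DNS Name / IP Address fields).
csr_san() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# Return 0 only if the request's self-signature verifies and its RSA key has
# at least MIN_BITS bits (default 2048, the wizard's default key length).
check_csr() {         # usage: check_csr FILE.csr [MIN_BITS]
    # Match the message: older OpenSSL releases exit 0 even when -verify fails.
    if ! openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "FAIL: unreadable request or bad self-signature"; return 1
    fi
    csr_bits=$(openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "Subject: $(openssl req -in "$1" -noout -subject 2>/dev/null)"
    echo "SAN:     $(csr_san "$1")"
    echo "Key:     ${csr_bits:-unknown} bit"
    if [ -z "$csr_bits" ] || [ "$csr_bits" -lt "${2:-2048}" ]; then
        echo "FAIL: key shorter than ${2:-2048} bits"; return 1
    fi
    echo "OK: signature and key length check out"
}

# Demo on a constructed request; replace with the file you pasted the CSR into.
csr_demo_dir=$(mktemp -d)
make_sample_csr "$csr_demo_dir/firebox.csr" && check_csr "$csr_demo_dir/firebox.csr"
rm -rf "$csr_demo_dir"
```

A request that fails the signature check was usually truncated or altered when it was pasted, so copy it from the wizard again rather than submitting it.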

Create a Self-Signed Certificate with CA Manager

To connect to CA Manager:

  1. Open WatchGuard System Manager and connect to the Management Server.
    You must type the configuration passphrase to connect.
  2. Select the Device Management tab for the Management Server.
  3. Click the Certificate Authority icon.
    Or, select Tools > CA Manager.
    Or, connect directly to WatchGuard WebCenter at https://<IP address of the Management Server>:4130.

To create a new certificate:

  1. From the CA MANAGER section, select Generate.
    The Generate a New Certificate page appears.

Screen shot of the Generate a New Certificate page

  2. Type the common name, password, and certificate lifetime for the subject.
    • For Firebox Authentication users, the common name must agree with the identification information for the XTM device (usually, the device IP address).
    • For a generic certificate, the common name is the name of the user.
  3. To download the certificate after it is generated, select the Download Cert check box.
  4. Click Generate.

See Also

About Certificates

Manage Certificates on the Management Server

Connect to WatchGuard WebCenter
