
Create a CSR with OpenSSL

The WatchGuard SSL Server default configuration has a self-signed server certificate named TestCert. We recommend that you replace this with your own signed certificate. To create your own signed certificate, you must first create a Certificate Signing Request (CSR). Then you send the CSR to a certificate authority (CA), which issues a signed certificate. WatchGuard SSL supports 1024-bit and 2048-bit SSL certificates.

When you use the default certificate, the browser displays a certificate warning because the distinguished name in the default self-signed certificate does not match your organization, and the certificate is not signed by a trusted certificate authority. If you install a server certificate signed by a well-known (trusted) CA, the certificate warnings do not appear because the browser trusts the certificate.

Before You Begin

You can use OpenSSL to create a private key and certificate signing request. For a list of sites where you can download OpenSSL, see http://www.openssl.org/related/binaries.html.

Use OpenSSL to Generate a CSR

  1. Open a command line interface.
  2. To generate a private key, type:
    openssl genrsa -out wgnet.key 2048
  3. To generate a CSR with the private key, type:
    openssl req -new -key wgnet.key -out wgnet.csr
    In this example, wgnet.csr is the certificate signing request.

Submit the CSR to a Certificate Authority

Use the CSR to request a certificate from Thawte, Verisign, or another certificate authority (CA). Follow the instructions from your CA to submit the CSR. The CA returns a signed certificate to you.

Convert the Private Key to PKCS#8 Format

Before you import the certificate and private key, you must use OpenSSL to convert the private key to PKCS#8 format.

  1. Open a command line interface.
  2. Type:
    openssl pkcs8 -topk8 -in wgnet.key -out wgnet.pk8
    In this example, wgnet.pk8 is the PKCS#8 private key file.
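
The key, CSR and PKCS#8 steps above can be run non-interactively and checked before anything is sent to the CA or imported. The script below is an added example, not WatchGuard's own code. It assumes a placeholder subject in SUBJ and uses the helper names pem_key_format, csr_matches_key and make_csr_and_pk8, none of which come from the original page.

```shell
#!/bin/sh
# Added example (not WatchGuard's code): the page's three OpenSSL commands,
# run non-interactively with a check after each step.
# Assumption: SUBJ is a constructed placeholder; replace it with your own values.
SUBJ="/C=US/O=Example Org/CN=sslvpn.example.com"

# Report a PEM private key's container format from its header line.
# OpenSSL 3.x genrsa already writes PKCS#8; 1.x writes the traditional RSA form.
pem_key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo traditional-rsa ;;
        *)                                       echo unknown ;;
    esac
}

# Return 0 only if the CSR's self-signature verifies AND its public key is the
# one derived from the given private key (traditional or unencrypted PKCS#8).
csr_matches_key() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Create wgnet.key, wgnet.csr and wgnet.pk8 in the existing directory $1.
# -nocrypt writes an unencrypted PKCS#8 key; drop it to be prompted for a
# password, which is then the password the Web UI asks for on import.
make_csr_and_pk8() {
    (
        cd "$1" || exit 1
        umask 077   # private key files readable by their owner only
        openssl genrsa -out wgnet.key 2048 2>/dev/null &&
        openssl req -new -key wgnet.key -out wgnet.csr -subj "$SUBJ" &&
        openssl pkcs8 -topk8 -nocrypt -in wgnet.key -out wgnet.pk8
    )
}

# Usage: sh make-csr.sh <existing-directory>
if [ -n "${1:-}" ]; then
    make_csr_and_pk8 "$1" &&
    csr_matches_key "$1/wgnet.csr" "$1/wgnet.pk8" &&
    echo "CSR matches key; wgnet.pk8 format: $(pem_key_format "$1/wgnet.pk8")"
fi
```
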

Add the New CA Certificates to WatchGuard SSL Web UI

Before you add the server certificate, you must add to WatchGuard SSL Web UI all the certificates that the CA provided to you. If the CA sent more than one certificate, you must add each certificate separately. You can add the certificates in any order. When you add the certificates, make sure you disable the certificate revocation control option.

  1. Select Manage System > Certificates.
    The Manage Certificates page appears.

Screenshot of Manage System, Certificates

  2. Click Add Certificate Authority.
    The Add Certificate Authority General Settings page appears.

Screenshot of Manage System, Certificates, Add Certificate Authority

  3. Make sure the Enable Certificate Authority check box is selected.
  4. In the Display Name text box, type the name for this Certificate Authority.
  5. Adjacent to the CA Certificate text box, click Browse and select the location of the certificate for your CA.
    The certificate must be in a PEM or DER format.
  6. In the Revocation Control section, select No certificate revocation checking should be performed.
  7. Click Finish Wizard.
    The CA certificate appears in the Registered Certificate Authorities list.
  8. To add more CA certificates, repeat Steps 3–8.

Add the New Server Certificate to WatchGuard SSL Web UI

If your certificate is a bundled certificate, you must split the certificate before you add it to WatchGuard SSL Web UI.
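
One way to split a PEM bundle into one file per certificate and see which file holds which certificate before you add them. This is an added example, not WatchGuard's own code; the cert-N.pem output names and the function names split_bundle and describe_split are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not WatchGuard's code): split a PEM bundle into one file per
# certificate, then confirm each piece parses and show whose certificate it is.

# Write each certificate in bundle $1 to $2/cert-N.pem and print the count.
# Text outside the BEGIN/END markers (comments, blank lines) is dropped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Print "file<TAB>subject<TAB>issuer" for every piece in directory $1.
# Returns non-zero if any piece is not a parseable certificate.
describe_split() {
    for f in "$1"/cert-*.pem; do
        subject=$(openssl x509 -in "$f" -noout -subject) || return 1
        issuer=$(openssl x509 -in "$f" -noout -issuer) || return 1
        printf '%s\t%s\t%s\n' "$f" "$subject" "$issuer"
    done
}

# Usage: sh split-bundle.sh bundle.pem <existing-output-directory>
if [ -n "${2:-}" ]; then
    echo "certificates written: $(split_bundle "$1" "$2")"
    describe_split "$2"
fi
```

A piece whose subject is your server name is the server certificate; the remaining pieces are the CA certificates.
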

  1. Select Manage System > Certificates.
    The Manage Certificates page appears.

Screenshot of Manage System > Certificates page

  2. Click Add Server Certificate.
    The Add Server Certificate General Settings page appears.

Screenshot of Manage System > Certificates > Add Server Certificate page

  3. In the Display Name text box, type an identifying name for the certificate. This is the name that appears in the Registered Certificate Authorities list.
  4. Adjacent to the Certificate text box, click Browse and select the location of the server certificate.
    The certificate must be in PEM format.
  5. Adjacent to the Key text box, click Browse and select the location of the private key for the server certificate.
    The key must be a PKCS#8 key in either DER or PEM format.
  6. If you created an encrypted key, in the Password text box, type the correct password for the encrypted key.
  7. Click Save.
  8. Select Administration Service.
    The Manage Administration Service page appears.

Screen shot of the Manage Administration Service page

  9. From the Server Certificate drop-down list, select the certificate you added.
  10. Click Save.

Apply the Server Certificate to Your SSL Device

After you have imported the new server certificate, you can apply it to your SSL device. You can specify only one server certificate.

  1. Select Manage System > Device Settings.
    The Manage Device Settings page appears.
  2. Select the General tab.
    The General Settings page appears.

Screen shot of the Manage System > Device Settings page, General tab

  3. From the Server Certificate drop-down list, select the server certificate you added in the previous section.
  4. Click Save.

See also

About Certificates

About Manage System
