Managing the Certificate Authority

You can manage various aspects of the certificate authority on the Firebox using the Web-based CA manager.

 

  1. After activating the CA on the Firebox, access the Web-based Certificate Authority Settings pages. You can do this from several locations:
  2. Enter the Firebox configuration passphrase when prompted.
    The main menu of the Certificate Authority Settings pages appears.
  3. From the main menu, select the page you want as follows:

Generate a New Certificate
    Enter a subject common name, organizational unit, password, and certificate lifetime to generate a new certificate.


Note: Enter the organizational unit specification only if you are generating certificates for MUVPN users. It is not used with other types of VPN tunnels. The unit name should appear in the following format:

GW:<vpn gateway name>

where <vpn gateway name> is the value of config.watchguard.id in the gateway Firebox's configuration file.


Publish a Certificate Revocation List (CRL)
    Force the CA to publish the CRL to all certificate-holding clients.

Publish the CA Certificate
    Print a copy of the CA (root) certificate to the screen so you can manually save it to the client.

Find and Manage Certificates
    Specify the serial number, subject common name, or subject organizational unit of a certificate to locate in the database. Instead of searching for a particular certificate, you can also restrict the search to only valid, revoked, or expired certificates. The results of the search are displayed on the List Certificates page, as described below.

List and Manage Certificates
    View a list of certificates currently in the database and select certificates to be published, revoked, reinstated, or destroyed. For information on performing these actions on certificates, see the next section.

Upload CA Credentials
    Use this page to force the certificate authority on a particular Firebox to become subordinate to the master CA. The master CA will generate a private key and certificate for the Firebox. Enter the name of the credentials file containing the key and certificate to be uploaded to the Firebox, or click Browse to locate it.

Upload Certificate Request
    Use this page to import a certificate request from a third party. Specify the subject common name and organizational unit. Enter or browse to locate the certificate signing request file.

 

 

Related topics:

Managing certificates from the CA Manager

Restarting the CA

Activating the Certificate Authority on the Firebox

Defining a Firebox as a DVCP Server and CA

 

 


Copyright © 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.