Create a Certificate CSR

You can create a certificate signing request (CSR) from your Firebox with Fireware Web UI or Firebox System Manager (FSM). To create a self-signed certificate, you include part of a cryptographic key pair in a CSR and send the request to a Certificate Authority (CA). The CA issues a certificate after it receives the CSR and verifies your identity.

If you have FSM or Management Server software installed, you can use these programs to create a CSR for your Firebox. You can also use other tools, such as OpenSSL or the Microsoft CA Server that comes with most Windows Server operating systems. For more information, see Create a CSR with OpenSSL or Sign a Certificate with Microsoft CA. You can also create a new certificate for Mobile VPN with the built-in Certificate Authority (CA) Manager on your Management Server.

We recommend that you use third-party software to generate the CSR. This allows the certificate to be used on another Firebox if you upgrade to a newer model, migrate to another Firebox, or return the Firebox for an RMA replacement.

If you do not have a CA set up in your organization, we recommend that you choose a prominent CA to sign the CSRs you use, except for the Proxy Authority certificate. If a prominent CA signs your certificates, your certificates are automatically trusted by most users. You can also import additional certificates so that your Firebox trusts other CAs.

Proxy Authority Certificates and CSRs

To create a proxy authority certificate for use with the HTTPS-proxy content inspection feature, you must create a CA certificate that can re-sign other certificates. If you create a CSR and have it signed by a prominent CA, it cannot be used as a re-signing CA certificate for content inspection. We recommend that you use the Firebox default proxy authority certificate, or a certificate signed by your own internal CA. For example, if your organization uses Microsoft Active Directory Certificate Services, you can use it to sign the certificate so that it is trusted by clients in your organization. For more information, go to Use Certificates with Outbound HTTPS Proxy Content Inspection.
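
The distinction above, shown with OpenSSL as an added example (not WatchGuard's own tooling): a key and CSR are generated off the Firebox, signed by a constructed internal CA once as a CA certificate and once as an end-entity certificate, and only the first passes the re-signing check. The subjects, file names and the helper functions such as `can_resign` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed names and throwaway keys, not WatchGuard tooling.
umask 077   # private keys written below are readable by the owner only

# make_ca DIR: create a constructed internal CA (stand-in for your own CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=Example Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_csr DIR NAME SUBJECT: generate key and CSR off-box, then verify the
# CSR's self-signature (proof the requester holds the private key).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl req -in "$1/$2.csr" -noout -verify >/dev/null 2>&1
}

# sign_csr DIR NAME TRUE|FALSE: sign NAME.csr with the internal CA; the last
# argument sets basicConstraints CA:TRUE (sub-CA) or CA:FALSE (end entity).
sign_csr() {
    printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# can_resign CERT: true only if the certificate is marked as a CA.
can_resign() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# demo: prints which of the two signed certificates could act as a
# re-signing (proxy authority) certificate.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" &&
    make_csr "$d" proxy "/O=Example Corp/CN=Example Proxy Authority" &&
    make_csr "$d" web "/O=Example Corp/CN=fw.example.com" &&
    sign_csr "$d" proxy TRUE && sign_csr "$d" web FALSE || return 1
    for n in proxy web; do
        if can_resign "$d/$n.crt"; then echo "$n: CA certificate"
        else echo "$n: end-entity certificate, cannot re-sign"; fi
    done
    rm -rf "$d"
}
demo
```

Because the private key stays in a file you control rather than on the appliance, the resulting certificate and key can be imported on a replacement device.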
