When you enable content inspection in the HTTPS proxy, the Firebox uses the default self-signed Proxy Authority CA certificate to re-encrypt the traffic. End users will receive a warning in their web browsers because this certificate is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate (or your own certificate) on each client device.
For information on how to export the default Proxy Authority CA certificate from your device, see Export a Certificate from Your Firebox. For information on how to import this certificate on your client devices, see Import a Certificate on a Client Device.
If you cannot easily deploy the certificate with these methods, clients can connect to the Certificate Portal on your Firebox to download and install the root certificate used to sign the Proxy Authority certificate. This certificate might not match the certificate installed for the Proxy Authority, but clients can install this certificate to avoid certificate warnings on browsers.
In Fireware v12.3 and higher, the setup wizards automatically add a default WatchGuard Certificate Portal policy to allow clients to connect to the Certificate Portal.
If the WatchGuard Certificate Portal policy does not exist, it is automatically generated when a user-defined HTTPS, SMTP, IMAP, POP3, TCP-UDP, or Explicit proxy action (TLS capable proxy action) is used directly or indirectly by an enabled policy.
The WatchGuard Certificate Portal policy has these settings:
- Policy Name — WatchGuard Certificate Portal
- Type — WG-Cert-Portal
- From — Any-Trusted and Any-Optional
- To — Firebox
- Port — 4126
Connect to the Certificate Portal
To connect to the Certificate Portal and download the certificate, the client can open a web browser and go to http://<Firebox IP address>:4126/certportal.
To download and install the certificate:
- Open a web browser and go to http://<Firebox IP address>:4126/certportal.
- Click Download.
The certificate downloads to your computer.
- After you download the file, double-click the file and follow the instructions to install the certificate. You must specify the Trusted Root Certification Authorities store as the location for the certificate during this process.
For more information about certificate installation, see Import a Certificate on a Client Device.
Customize the Certificate Portal
The Certificate Portal shares the customization features of the Authentication Portal. You can only customize the Certificate Portal page logo and the page colors. The title and text cannot be modified. For more information, see Customize the Authentication Portal Page.