Certificate Portal

When you enable content inspection in the HTTPS proxy, the Firebox uses the default self-signed Proxy Authority CA certificate to re-encrypt the traffic. End users will receive a warning in their web browsers because this certificate is an untrusted self-signed certificate. To prevent these warnings, you can import this certificate (or your own certificate) on each client device.

For information on how to export the default Proxy Authority CA certificate from your device, go to Export a Certificate from Your Firebox. For information on how to import this certificate on your client devices, go to Import a Certificate on a Client Device.

If you cannot easily deploy the certificate with these methods, clients can connect to the Certificate Portal on your Firebox to download and install the root certificate used to sign the Proxy Authority certificate. This certificate might not match the certificate installed for the Proxy Authority, but clients can install this certificate to avoid certificate warnings on browsers.

The Certificate Portal is available in Fireware v11.11.2 and higher.

In Fireware v12.3 and higher, the setup wizards automatically add a default WatchGuard Certificate Portal policy to allow clients to connect to the Certificate Portal.

If the WatchGuard Certificate Portal policy does not exist, it is automatically generated when a user-defined HTTPS, SMTP, IMAP, POP3, TCP-UDP, or Explicit proxy action (a TLS-capable proxy action) is used directly or indirectly by an enabled policy.

The WatchGuard Certificate Portal policy has these settings:

  • Policy Name — WatchGuard Certificate Portal
  • Type — WG-Cert-Portal
  • From — Any-Trusted and Any-Optional
  • To — Firebox
  • Port — 4126

Screenshot of the Policy page with the Certificate Portal rule

Connect to the Certificate Portal

To connect to the Certificate Portal and download the certificate, the client can open a web browser and go to http://<Firebox IP address>:4126/certportal.

Screenshot of the Certificate Portal page

To download and install the certificate:

  1. Open a web browser and go to http://<Firebox IP address>:4126/certportal.
  2. Click Download.
    The certificate downloads to your computer.
  3. After you download the file, double-click the file and follow the instructions to install the certificate. You must specify the Trusted Root Certification Authorities store as the location for the certificate during this process.

For more information about certificate installation, go to Import a Certificate on a Client Device.
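
The portal URL in step 1 is plain HTTP and the file ends up in the Trusted Root Certification Authorities store, so it is worth confirming the download before step 3. The following is an added example, not WatchGuard code: it computes the SHA-256 fingerprint of the downloaded certificate (PEM or DER) and compares it with a fingerprint the Firebox administrator supplied through a separate channel. The function names, the sample bytes, and the availability of such a fingerprint are assumptions that do not come from this page.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file that is PEM or raw DER."""
    if b"-----BEGIN" in data:
        blocks = PEM_RE.findall(data)
        # A root certificate download should hold one certificate and nothing else.
        if len(blocks) != 1:
            raise ValueError(f"expected one CERTIFICATE block, found {len(blocks)}")
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        raise ValueError("file is neither PEM nor DER")
    return data

def sha256_fingerprint(data: bytes) -> str:
    """Hex SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(cert_der(data)).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return 64 lowercase hex digits."""
    hexonly = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexonly):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexonly

def matches(data: bytes, expected_fp: str) -> bool:
    """Compare the file's fingerprint with the expected one in constant time."""
    return hmac.compare_digest(sha256_fingerprint(data), normalize(expected_fp))

# Constructed stand-in bytes (not a real certificate) so the example runs offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python check_cert.py <downloaded file> <expected fingerprint>
    path, expected = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        ok = matches(fh.read(), expected)
    print("fingerprint matches" if ok else "MISMATCH: do not install this file")
    sys.exit(0 if ok else 1)
```

Install the certificate only when the script reports a match; a mismatch means the file is not the one the administrator described.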

Customize the Certificate Portal

The Certificate Portal shares the customization features of the Authentication Portal. You can customize only the Certificate Portal page logo and the page colors. The title and text cannot be modified. For more information, go to Customize the Authentication Portal Page.

Related Topics

About Certificates

About the HTTPS-Proxy

Manage Device Certificates (WSM)

Manage Device Certificates (Web UI)