Import a Certificate on a Client Device

When you configure your Firebox to use a certificate for HTTPS content inspection or authentication, you must import that certificate on each client device in your network to prevent security warnings in their web browsers. You can perform this import on each individual client device, or use group policies with Microsoft Active Directory to automatically install the certificate for all clients.

For HTTPS Proxy content inspection, you can use the default Proxy Authority Certificate Authority (CA) certificate on your device. If your organization already has a Public Key Infrastructure (PKI) set up with a trusted CA, you can import a certificate on your device that is signed by the internal CA.

For more information on content inspection and certificates, go to Use Certificates with Outbound HTTPS Proxy Content Inspection.

For instructions on how to export a certificate from your Firebox, go to Export a Certificate from Your Firebox.

When you export a certificate from your device, the certificate is saved in PEM format. For some certificate distribution methods, the preferred certificate format for import is the DER format. For information on how to convert certificate formats, go to Convert Certificate Format.

Each client operating system and web browser has different methods to import certificates. Instructions for the most common operating systems and web browsers are described in the next sections. For other operating systems and browsers, go to the manufacturer's documentation.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you require more information or technical support about how to configure a non-WatchGuard product, go to the documentation and support resources for that product.

Import a Certificate from the Certificate Portal on the Firebox

A client can download and install the Proxy Authority certificate from the Certificate Portal on the Firebox.

To download and install the certificate:

  1. Open a web browser and go to http://<Firebox IP address>:4126/certportal.
  2. Click Download.
    The certificate downloads to your computer.
  3. After you download the file, double-click the file and follow the instructions to install the certificate. You must specify the Trusted Root Certification Authorities store as the location for the certificate during this process.

For more information, go to Certificate Portal.
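
A scripted equivalent of the manual install on a Windows client, as an added example that is not WatchGuard code. It loads the PEM file exported from the Firebox, confirms it is a CA certificate whose SHA-256 fingerprint matches a value you obtained from a trusted source, writes the DER copy that other platforms need, and imports it into the Trusted Root Certification Authorities store. The parameter names and the out-of-band fingerprint are assumptions; the page does not define them.

```powershell
# Added example (not WatchGuard code). Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string]$PemPath,         # certificate exported from the Firebox (PEM)
    [Parameter(Mandatory)] [string]$ExpectedSha256,  # fingerprint obtained out of band (assumption)
    [string]$Store = 'Cert:\CurrentUser\Root'        # Cert:\LocalMachine\Root when run elevated
)
$ErrorActionPreference = 'Stop'

# Resolve to a full path so the .NET file calls do not depend on the process working directory.
$pem  = (Resolve-Path -LiteralPath $PemPath).Path
$der  = [IO.Path]::ChangeExtension($pem, '.cer')
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pem)

# A certificate placed in a root store should be a CA certificate (Basic Constraints CA = true).
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "Not a CA certificate: $($cert.Subject)"
}

# SHA-256 over the DER encoding, compared with separators and case ignored.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = -join ($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch. File has $actual"
}

# RawData is the DER encoding; this .cer file is also the format mobile clients import.
[IO.File]::WriteAllBytes($der, $cert.RawData)

# Importing into CurrentUser\Root shows a Windows confirmation dialog to the user.
Import-Certificate -FilePath $der -CertStoreLocation $Store |
    Format-List Subject, Thumbprint, NotAfter
```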

Import a Certificate on Windows Clients with Microsoft Edge

When you use Microsoft Edge to install a certificate in the Trusted Root Certification Authorities store, other programs and services that use the Windows certificate store can also use that certificate for the current user.

To import a certificate with Microsoft Edge manually:

  1. Select the Settings and more menu in the Microsoft Edge browser.
  2. Select Settings.
  3. In the left navigation pane, enter certificates in the Search settings text box.
  4. Select the Manage certificates search result.
    The Certificates dialog box opens.
  5. Select the Trusted Root Certification Authorities tab.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates. You must specify the Trusted Root Certification Authorities as the location for the certificate during this process.

Import a Certificate on macOS Clients with Microsoft Edge

When you use Microsoft Edge to install a certificate in the Trusted Root Certification Authorities store, other programs and services that use the Windows certificate store can also use that certificate for the current user.

To import a certificate with Microsoft Edge manually:

  1. Select the Settings and more menu in the Microsoft Edge browser.
  2. Select Settings.
  3. In the left navigation pane, enter certificates in the Search settings text box.
  4. Select the Manage certificates search result.
    The Certificates dialog box opens.
  5. Select the Trusted Root Certification Authorities tab.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates. You must specify the Trusted Root Certification Authorities as the location for the certificate during this process.

Import a Certificate on Windows Clients with Active Directory Group Policy

You can also deploy certificates to your Windows client devices through a group policy object from your Active Directory server. This enables you to update all Windows clients on your domain automatically with the required certificates.

For Windows Server 2012, 2012 R2, and 2016, go to Distribute Certificates to Client Computers by Using Group Policy.

For more information, go to the Microsoft documentation for your operating system.

Import a Certificate with Mozilla Firefox

You can manually import a certificate with Firefox or configure Firefox to automatically trust certificates in the Windows Certificate Store.

Manual Import

To manually import a certificate with Mozilla Firefox:

  1. Select Options.
  2. Select the Advanced tab.
  3. Select the Certificates tab.
  4. Click View Certificates.
  5. Select the Authorities tab.
  6. Click Import.
  7. Browse to select the certificate file, then click Open.
  8. In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box.
  9. Click OK.
  10. Restart Firefox.

Use the Windows Certificate Store

To make certificate deployment easier, you can also configure Mozilla Firefox version 49 and higher to use the Windows Certificate Store. For example, if you deploy a certificate through Group Policy to the Windows Certificate Store, Firefox will automatically trust that certificate. For more information about Windows Certificate Store support in Firefox, go to the Mozilla Wiki.

To configure Firefox on a single computer to use the Windows Certificate Store:

  1. In the Firefox address bar, type about:config.
  2. If a warning appears, click to continue.
    A list of preferences opens.
  3. Scroll down to find the preference security.enterprise_roots.enabled and make sure it is set to True.
  4. If the preference security.enterprise_roots.enabled does not exist, you must add it:
    1. Right-click anywhere on the preferences list and select New > Boolean.
      The New Boolean Value dialog box opens.
    2. Type security.enterprise_roots.enabled and click OK.
      The Enter Boolean Value dialog box opens.
    3. Select True and click OK.
  5. For the new setting to take effect, toggle the preferences off and on, or restart Firefox.

To configure Firefox on multiple computers to use the Windows Certificate Store:

  1. Create a .cfg file encoded as ANSI with these commands.
    lockPref("security.enterprise_roots.enabled", true);
  2. Create a .js file encoded as ANSI with these commands. The .js file references the .cfg file you created.
    pref("general.config.obscure_value", 0);
    pref("general.config.filename", "[file name].cfg");
  3. Save the .cfg file to the root Firefox folder at:
    • For 64-bit Windows, 32-bit Firefox — C:\Program Files (x86)\Mozilla Firefox\
    • For 64-bit Windows, 64-bit Firefox — C:\Program Files\Mozilla Firefox
    • For 32-bit Windows — C:\Program Files\Mozilla Firefox
  4. Save the .js file to the defaults\pref folder at C:\Program Files (x86)\Mozilla Firefox\defaults\pref.
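
The two files from the steps above, written to each Firefox installation found on the computer, as an added example that is not WatchGuard or Mozilla code. Firefox does not evaluate the first line of an AutoConfig .cfg file, so the example puts a comment there and the lockPref call on the second line. The file names `firebox-roots.cfg` and `autoconfig.js` are hypothetical stand-ins for `[file name]`.

```powershell
# Added example (not WatchGuard or Mozilla code). Run from an elevated prompt.
# $CfgName and $JsName are hypothetical names standing in for "[file name]".
param(
    [string]$CfgName = 'firebox-roots.cfg',
    [string]$JsName  = 'autoconfig.js'
)
$ErrorActionPreference = 'Stop'

# Firefox does not evaluate line 1 of the .cfg file, so it holds a comment.
$cfgLines = @(
    '// First line is skipped by Firefox; preferences start on line 2.',
    'lockPref("security.enterprise_roots.enabled", true);'
)
# The .js file points Firefox at the .cfg file and turns off byte-shift obscuring.
$jsLines = @(
    'pref("general.config.obscure_value", 0);',
    ('pref("general.config.filename", "{0}");' -f $CfgName)
)

# Both Program Files roots named in the steps; the x86 variable is empty on 32-bit Windows.
$installs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Mozilla Firefox' } |
    Where-Object { Test-Path (Join-Path $_ 'firefox.exe') } |
    Select-Object -Unique

foreach ($dir in $installs) {
    $prefDir = Join-Path $dir 'defaults\pref'
    New-Item -ItemType Directory -Path $prefDir -Force | Out-Null
    # The content is pure ASCII, so ASCII output is byte-identical to ANSI.
    Set-Content -LiteralPath (Join-Path $dir $CfgName) -Value $cfgLines -Encoding Ascii
    Set-Content -LiteralPath (Join-Path $prefDir $JsName) -Value $jsLines -Encoding Ascii
    Write-Output "Wrote $CfgName and defaults\pref\$JsName under $dir"
}
if (-not $installs) { Write-Warning 'No Firefox installation found.' }
```

After the next Firefox start, `security.enterprise_roots.enabled` shows as locked and set to true in about:config if the files were read.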

To distribute the .js and .cfg files to Windows computers on your network, you can use Group Policy or a scripted Firefox installation.

To use Group Policy to distribute the files:

  1. In Group Policy Manager, create a new group policy object.
  2. Right-click the object and select Edit.
    The Group Policy Management Editor dialog box opens.
  3. Select Computer Configuration > Preferences > Windows Settings > Files.
  4. Right-click the Files section and select New > File.
  5. Adjacent to the Source File(s) text box, browse to the .cfg file.
  6. Adjacent to the Destination File(s) text box, specify C:\Program Files (x86)\Mozilla Firefox\[file name].cfg for 64-bit Windows or C:\Program Files\Mozilla Firefox for 32-bit Windows. For 64-bit Windows with 64-bit Firefox, specify C:\Program Files\Mozilla Firefox. The .cfg file will install on user computers at this location.
  7. Repeat Steps 1-5. Adjacent to the Destination File(s) text box, specify C:\Program Files\Mozilla Firefox\[file name].cfg for 64-bit Windows or C:\Program Files\Mozilla Firefox for 32-bit Windows. For 64-bit Windows with 64-bit Firefox, specify C:\Program Files\Mozilla Firefox. The .cfg file will install on user computers at this location.
  8. Repeat Steps 1-4.
  9. Adjacent to the Source File(s) text box, browse to the .js file.
  10. Adjacent to the Destination File(s) text box, specify C:\Program Files (x86)\Mozilla Firefox\defaults\pref\[file name].js for 64-bit Windows or C:\Program Files\Mozilla Firefox\defaults\pref\[file name].js for 32-bit Windows. For 64-bit Windows with 64-bit Firefox, specify C:\Program Files\Mozilla Firefox. The .js file will install on user computers at this location.
  11. Repeat Steps 1-4.
  12. Adjacent to the Source File(s) text box, browse to the .js file.
  13. Adjacent to the Destination File(s) text box, specify C:\Program Files\Mozilla Firefox\defaults\pref\[file name].js for 64-bit Windows or C:\Program Files\Mozilla Firefox\defaults\pref\[file name].js for 32-bit Windows. For 64-bit Windows with 64-bit Firefox, specify C:\Program Files\Mozilla Firefox. The .js file will install on user computers at this location.
  14. Click OK.

To perform a scripted Firefox installation, go to the Mozilla installation configuration documentation.

Import a Certificate with macOS and Apple Safari

This process allows Safari and other programs or services that use the macOS certificate store to get access to the certificate.

  1. In the Keychain Access application, select either the login or System keychain.
  2. Drag-and-drop the certificate file into the Keychain Access application.
  3. If prompted, type the name and password for an administrator user.
  4. Right-click the certificate and select Get Info.
    A certificate information window opens.
  5. Expand the Trust category.
  6. In the When using this certificate drop-down list, select Always Trust.
  7. Close the certificate information window.
  8. Type your administrator password to confirm your changes.

Import a Certificate with an Apple iOS Device

To import a certificate with an Apple iOS device, such as an iPhone or iPad, you must use a DER format certificate file. For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, go to Export a Certificate from Your Firebox and Convert Certificate Format.

The certificate file can be distributed to users in several ways, such as email, website download, iOS configuration profile, or installation by the Simple Certificate Enrollment Protocol (SCEP).

If you receive a certificate file by email or website download, tap the certificate to add it to the device. For example, to add a certificate distributed by email:

  1. Open the Mail app.
  2. Open the email that contains the attached certificate.
  3. Tap the attached certificate.
    The Install Profile Dialog opens.
  4. Tap Install.

If a warning message appears, you may safely ignore it at this time and tap Install. This message appears if the iOS device does not trust the signing authority for this certificate.

After you install the certificate, you must enable the certificate in the Certificate Trust Settings if your device has iOS 10.3 or higher:

  1. Select Settings > General > About.
  2. Select Certificate Trust Settings.
  3. In the Enable Full Trust for Root Certificates section, tap the slider for the certificate.
  4. Tap Continue.

Import a Certificate with an Android Device

The instructions to add a certificate to an Android device are different depending on the device manufacturer. These general rules apply:

  • You must have Android v4.3 or higher to add a certificate.
  • Android supports DER-encoded X.509 certificates. Certain devices require the certificates to be saved with a .crt or .cer file extension.

For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, go to Export a Certificate from Your Firebox and Convert Certificate Format.

If you have a copy of the certificate on your device as an email attachment or file download, some devices allow you to tap the certificate to import it to your device.

  1. Open the email application on your Android device.
  2. Open the email that contains the attached certificate.
  3. Tap the attached certificate.
    The Name the Certificate dialog box opens.
  4. Type a descriptive name for the certificate.
  5. Tap OK.

To import a certificate saved to the internal storage of an Android device:

  1. In your Android device settings, go to the security settings where certificates and credentials are stored.
  2. Import the certificate.

Related Topics

Manage Device Certificates (WSM)

Manage Device Certificates (Web UI)

HTTPS-Proxy: Content Inspection