When users connect to your Firebox with a web browser, they often see a security warning. This warning occurs because the default web server certificate is not signed by a CA the browser trusts, or because the certificate does not match the IP address or domain name used for authentication. You can replace the default web server certificate with a CA-signed certificate that web browsers trust automatically.
If you use a CA-signed certificate, you must import this certificate to your Firebox before you can select it as the current web server certificate. In most cases, a certificate signed by a Certificate Authority (CA) also requires the CA's root certificate and one or more intermediate certificates to complete the chain of trust. These certificates must be imported to your Firebox in the correct order before you install the new web server certificate so that the chain of trust is established.
To import and install a new web server certificate, you must follow these steps:
- Create a Certificate Signing Request (CSR) for a new Web Server certificate.
- Have the CSR signed by a trusted Certificate Authority.
- Import the CA certificates required for the chain of trust for your signed certificate to your Firebox.
- Import the new signed web server certificate to the Firebox.
- Configure the Firebox to use the new web server certificate.
If you create the CSR with third-party software such as OpenSSL, the Extended Key Usage (EKU) extension of the issued certificate must contain both TLS Web Server Authentication (serverAuth) and TLS Web Client Authentication (clientAuth). Both values are required for any web server certificate imported on the Firebox. A CSR generated on the Firebox automatically requests these EKU values. Because the CA, not the CSR, decides which extensions the issued certificate carries, check the EKU values in the certificate you receive before you import it.
Create a CSR
To obtain a CA-signed certificate, you generate a cryptographic key pair, place the public key and your identity information in a certificate signing request (CSR), and send the request to a CA. The private key stays with you and is never sent to the CA. The CA issues a certificate after it receives the CSR and verifies your identity.
We recommend that you use third-party software to generate the CSR, because the private key then stays with that software rather than on the Firebox that generated it. This allows the certificate to be used on another Firebox if you upgrade to a newer model, migrate to another Firebox, or return the Firebox for an RMA replacement.
To create a certificate signing request, see Create a Certificate CSR .
Have the CSR signed by a Trusted CA
A certificate authority (CA) signs and issues certificates. Client web browsers trust these CA-signed certificates automatically because the CA's root certificate is already in the browser's or operating system's trust store.
After the CSR is created, you must send the CSR to a trusted CA for signing. When you receive the signed web server certificate for your Firebox, you must first import the CA certificate chain to your Firebox to establish trust, then import your Firebox web server certificate.
Import the CA Certificates to your Firebox
You must import the CA certificates required for the chain of trust for your new signed Web Server certificate to your Firebox.
First, you must download the CA certificate chain that was used to sign your new Web Server certificate. This usually includes a root certificate and one or more intermediate certificates. Your Certificate Authority might have multiple options to download their CA certificates, including individual Base-64 encoded PEM files and PFX certificate file bundles.
When you import these certificates to your Firebox, they must be imported in the correct order to establish the certificate chain of trust: each certificate must be able to find its issuer among the certificates already on the Firebox. Read the instructions from your Certificate Authority carefully for the certificates you require. Import the Root CA certificate first, then import any intermediate certificates, starting with the one issued directly by the root.
Import these certificates as the General Use certificate type.
To import certificates with Firebox System Manager, see Manage Device Certificates (WSM).
To import certificates with Fireware Web UI, see Manage Device Certificates (Web UI).
Import the New Signed Web Server Certificate to your Firebox
After you have imported the CA certificates, you can import the new signed Web Server certificate to your Firebox.
To import the Web Server certificate to your Firebox with Firebox System Manager, see Manage Device Certificates (WSM).
To import the Web Server certificate to your Firebox with Fireware Web UI, see Manage Device Certificates (Web UI).
Import this certificate with the General Use certificate type.
If the import is successful, you can select this new imported certificate as the Web Server certificate for your Firebox.
Enable the New Web Server Certificate
To select a new Web Server certificate, see Configure the Web Server Certificate for Firebox Authentication.
Make sure you use the Third party certificate option and select the new signed Web Server certificate.
To verify that your Firebox responds with the new certificate, go to https://[Firebox IP address or name]/sslvpn.html in a web browser. The page must load without a certificate warning, and the certificate details in the browser must show your CA as the issuer. Use a name that appears in the certificate's Subject Alternative Name; an IP address or name that is not in the certificate still causes a warning even though the certificate itself is valid.
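The following script is an added example, not WatchGuard code, that ties together the OpenSSL side of this procedure: it generates a CSR that requests both required EKU values, checks the EKU values in the issued certificate, and proves that the root and intermediate certificates form a complete chain to the web server certificate before anything is imported. The hostname fw.example.com and the "Example" CA names are assumptions. Because a real CA cannot be driven offline, the script builds a mock root and intermediate CA that stand in for it; against your real CA you run only the CSR, EKU and verify steps, and the import itself is done in Firebox System Manager or the Web UI.

```shell
#!/usr/bin/env bash
# Added example (not WatchGuard code). Assumptions: hostname fw.example.com and a
# mock "Example" root/intermediate CA that stands in for the real CA so the chain
# checks can run offline. The Firebox import itself is done in WSM or the Web UI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so nothing here depends on the system openssl.cnf.
# $1 = file, $2 = subject CN, $3 = lines for the [ext] section
write_cnf() {
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = %s\n[ ext ]\n%s\n' \
    "$2" "$3" > "$1"
}

# Step 1: key pair and CSR generated off-box, so the private key can follow you
# to a replacement Firebox. The CSR requests both EKU values Fireware needs.
# $1 = hostname, $2 = output path prefix (writes $2.cnf, $2.key, $2.csr)
make_csr() {
  write_cnf "$2.cnf" "$1" "extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$2.cnf" -reqexts ext \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Succeeds only if both required EKU names appear in the CSR or certificate.
# $1 = req (for a CSR) or x509 (for a certificate), $2 = file
has_required_eku() {
  local txt
  txt="$(openssl "$1" -in "$2" -noout -text)"
  printf '%s' "$txt" | grep -q 'TLS Web Server Authentication' &&
    printf '%s' "$txt" | grep -q 'TLS Web Client Authentication'
}

# Step 2 stand-in for the real CA: a mock root plus an intermediate that signs
# end-entity certificates, so the issued certificate needs a two-link chain.
# $1 = directory for root.* and int.*
build_mock_ca() {
  local d="$1"
  write_cnf "$d/root.cnf" "Example Root CA" "basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/root.cnf" -extensions ext -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  write_cnf "$d/int.cnf" "Example Issuing CA" "basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/int.cnf" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/int.cnf" -extensions ext \
    -out "$d/int.pem" 2>/dev/null
}

# The CA signs the CSR. "x509 -req" applies the extensions named by -extfile, not
# the ones requested in the CSR, which mirrors a real CA applying its own profile;
# this is why the issued certificate, not the CSR, must be checked for the EKUs.
# $1 = CA directory, $2 = CSR path prefix (writes $2.pem)
sign_leaf() {
  openssl x509 -req -in "$2.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$2.cnf" -extensions ext \
    -out "$2.pem" 2>/dev/null
}

# Step 3: the chain check a browser performs. The root is the trust anchor and
# the intermediate is supplied as an untrusted link. $1 = root, $2 = intermediate, $3 = leaf
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Same leaf with the intermediate omitted: this is what a browser sees when the
# intermediate was never imported on the Firebox. $1 = root, $2 = leaf
verify_without_intermediate() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 4 (needs a live Firebox, not exercised offline): list subject/issuer of
# every certificate the Firebox serves on port 443. $1 = Firebox IP or name
show_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -E '^ *([0-9]+ )?[si]:'
}

CA="$WORK/ca"; mkdir -p "$CA"
HOST="fw.example.com"                      # assumed Firebox name
build_mock_ca "$CA"
make_csr "$HOST" "$WORK/firebox"           # firebox.key stays here; firebox.csr goes to the CA
sign_leaf "$CA" "$WORK/firebox"            # firebox.pem is what the CA sends back

has_required_eku req  "$WORK/firebox.csr" && echo "CSR requests serverAuth and clientAuth"
has_required_eku x509 "$WORK/firebox.pem" && echo "Issued certificate carries both EKUs"
verify_chain "$CA/root.pem" "$CA/int.pem" "$WORK/firebox.pem" \
  && echo "root -> intermediate -> leaf verifies"
verify_without_intermediate "$CA/root.pem" "$WORK/firebox.pem" \
  || echo "Leaf does not verify without the intermediate (expected)"
```

The last two checks are the point of the import order on this page: the same web server certificate verifies only when the intermediate is available alongside the root, so if a browser still warns after you select the new certificate, run show_served_chain against the Firebox and confirm that the intermediate is actually in the served chain.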