Configure the Certificate Authority on the Management Server
You can configure the certificate authority (CA) on the Management Server. However, administrators do not usually change the properties of the CA certificate.
From WatchGuard Server Center on your management computer:
- From the Servers tree, select Management Server.
The Management Server pages appear.
- Select the Certificates tab.
- Configure the certificates settings, as described in the next sections.
- To set the diagnostic log level to Debug for all log messages from the Certificate Authority, select the Set the log level for Certificate Authority log messages to Debug check box.
To configure additional logging settings for the Management Server, select the Logging tab. For more information, go to Configure Logging Settings for the Management Server.
- Click Apply to save your changes.
Set Properties for the Certificate Authority
In the Certificate Authority section:
- In the Common Name text box, type the name you want to appear in the CA certificate.
- In the Organization text box, type an organization name for the CA certificate.
- In the Certificate Lifetime text box, type the number of days after which the CA certificate expires.
A longer lifetime means that a compromised or weak CA key stays trusted for longer before it expires. Client certificates signed by the CA are only valid while the CA certificate itself is valid, so the CA lifetime should be longer than the client certificate lifetime.
- From the Key Bits drop-down list, select the key size for the CA key pair. A larger key is harder to compromise by factoring or brute force, at the cost of slower signing and verification.
Set Properties for Client Certificates
In the Client section:
- In the Certificate Lifetime text box, type the number of days after which the client certificate expires.
A longer lifetime means that a compromised client key stays trusted for longer before it expires, unless you revoke it.
- From the Key Bits drop-down list, select the key size for the client key pair.
A larger key is harder to compromise by factoring or brute force, at the cost of slower signing and verification.
Set Properties for the Certificate Revocation List (CRL)
You can add and delete the IP addresses to use as the distribution IP address for the Certificate Revocation List.
The Firebox uses the IP addresses in the listed order. If an IP address does not respond, the Firebox tries the next address in the list until it finds an address that responds to the request. You can change the order that the IP addresses appear in the list.
By default, the distribution IP address is the address of the gateway Firebox. This is also the IP address the remote managed Fireboxes use to connect to the Management Server. If the external IP address of your gateway Firebox changes, you must change this value.
If you have remote Fireboxes that are behind a third-party NAT gateway device, and you use Management Tunnels over SSL to connect to those devices, make sure that the private IP address for your Management Server is the first IP address included in the Distribution IP Address list.
For more information about Management Tunnels, go to About Management Tunnels.
You can also set the publication interval to specify how often the CRL is automatically published. The default setting is zero (0), which means that the CRL is published every 720 hours (30 days). The CRL is also republished after a certificate is revoked, so a revocation does not wait for the next scheduled publication.
In the Certificate Revocation List section:
- To add a new address to the Distribution IP Address list, click Add.
The CRL IP Address dialog box appears.
- In the IP Address text box, type the IP address to use for the CRL distribution list.
- Click OK.
The IP address you added appears in the Distribution IP Address list.
- To change the order of the IP addresses in the Distribution IP Address list, select an IP address and click Up or Down.
- To delete an IP address from the Distribution IP Address list, select the IP address and click Remove.
- In the Publication Interval text box, type the number of hours before the CRL is automatically published.
Configure Settings for the Management Server