Import and Install a Third-Party Web Server Certificate

Applies To: Cloud-managed Fireboxes

When users connect to your Firebox with a web browser, they often see a security warning. This warning occurs because the default web server certificate is not signed by a CA that the browser trusts, or because the certificate does not match the IP address or domain name that users enter to reach the Firebox for authentication. You can replace the default web server certificate with a certificate signed by a Certificate Authority (CA) that client web browsers trust automatically.

If you use a CA-signed certificate, you must add it to your Firebox before you can select it as the current web server certificate. In most cases, a CA-signed certificate requires one or more root and intermediate certificates to complete the chain of trust. You must add these certificates to your Firebox, in the correct order, before you install the new web server certificate, so that the chain of trust is established.

To add and install a new web server certificate, you must follow these steps:

  1. Create a Certificate Signing Request (CSR) for a new Web Server certificate.
  2. Have the CSR signed by a trusted Certificate Authority.
  3. Add the CA certificates required for the chain of trust for your signed certificate to your Firebox.
  4. Add the new signed web server certificate to the Firebox.
  5. Configure the Firebox to use the new web server certificate.

If you create a certificate with third-party software such as OpenSSL, you must enter the values for TLS Web Server Authentication and TLS Web Client Authentication in the EKU text box. These values are required for any web server certificates imported to the Firebox. A CSR generated on the Firebox automatically includes these EKU values.

Create a CSR

To create a certificate signing request (CSR), you include the public key of a cryptographic key pair in the request and send the request to a CA. The CA issues a certificate after it receives the CSR and verifies your identity.

We recommend that you use third-party software to generate the CSR. This allows the certificate to be used on another Firebox if you upgrade to a newer model, migrate to another Firebox, or return the Firebox for an RMA replacement.

To create a certificate signing request, see Create a Certificate Signing Request (CSR).

Have the CSR signed by a Trusted CA

A certificate authority (CA) signs and issues certificates. These CA-signed certificates are automatically trusted by client web browsers because they originate from a trusted source.

After you create the CSR, you must send the CSR to a Trusted CA for signing. When you receive the signed web server certificate for your Firebox, you must first add the CA certificate chain to your Firebox to establish trust, then add your Firebox Web Server certificate.

Add the CA Certificates to your Firebox

You must add the CA certificates required for the chain of trust for your new signed Web Server certificate to your Firebox.

  • Download the CA certificate chain that was used to sign your new Web Server certificate — The download package usually includes a root certificate and one or more intermediate certificates. Your Certificate Authority might have multiple options to download their CA certificates, including individual Base-64 encoded PEM files and PFX certificate file bundles.

  • Add these certificates to your Firebox in the correct order — To establish the certificate chain of trust, you must add the certificates in the correct order. Read the instructions from your Certificate Authority carefully for the certificates you require. Import the Root CA certificate first, then add any intermediate certificates.
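The following script is an added example, not WatchGuard's own tooling or a script from this page. It uses OpenSSL (the third-party software the page names) to build a web server CSR that carries the two required EKU values, stands in for the CA with a constructed root and intermediate, issues the web server certificate from that CSR, and then checks that the chain only validates when the root is trusted first, which is the import order described above. The host name demo.example.net, the CA names and all file names are constructed values; it assumes OpenSSL 1.1.1 or later is installed (the -addext option needs it).

```shell
#!/bin/sh
# Added example, not WatchGuard's own tooling. OpenSSL is used to:
#   1. build a web server CSR with the EKU values the Firebox requires
#      (serverAuth = TLS Web Server Authentication,
#       clientAuth = TLS Web Client Authentication);
#   2. stand in for the CA with a constructed root -> intermediate chain and
#      issue the web server certificate from that CSR;
#   3. check that the chain validates only when the root is trusted first,
#      which is the import order the page requires.
# demo.example.net and the CA names are constructed values, not real hosts.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certificates
LOG="$WORK/openssl.log"           # OpenSSL chatter goes here, not to the terminal

# Step 1: CSR for the Firebox web server certificate, with the required EKU.
make_csr() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
CN = demo.example.net

[ ext ]
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:demo.example.net
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/csr.cnf" \
        -keyout "$WORK/firebox.key" -out "$WORK/firebox.csr" 2>>"$LOG"
}

# Returns 0 when the CSR ($1 = req) or certificate ($1 = x509) in file $2
# lists both EKU values the Firebox requires, 1 otherwise.
has_required_eku() {
    txt=$(openssl "$1" -in "$2" -noout -text)
    echo "$txt" | grep -q 'TLS Web Server Authentication' &&
        echo "$txt" | grep -q 'TLS Web Client Authentication'
}

# Step 2: constructed CA. A real CA's download package supplies these files.
make_chain() {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' \
        > "$WORK/ca.cnf"
    # Self-signed root CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/ca.cnf" \
        -subj '/CN=Demo Root CA' -addext 'basicConstraints=critical,CA:TRUE' \
        -addext 'keyUsage=critical,keyCertSign,cRLSign' \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>>"$LOG"
    # Intermediate CA, issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj '/CN=Demo Intermediate CA' \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>>"$LOG"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -days 1 -sha256 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/inter.ext" \
        -out "$WORK/inter.crt" 2>>"$LOG"
    # Web server certificate, issued by the intermediate. "openssl x509 -req"
    # does not copy CSR extensions, so the EKU and SAN are restated here.
    printf 'extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:demo.example.net\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 1 -sha256 -in "$WORK/firebox.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/firebox.crt" 2>>"$LOG"
}

# Step 3: chain checks in the order the Firebox expects (root trusted first,
# intermediate supplied as an untrusted link, then the web server certificate).
chain_verifies() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/firebox.crt" >>"$LOG" 2>&1
}

# Without the root in the trust store the intermediate alone cannot complete
# the chain; this is the state of a Firebox that skipped the root or imported
# the certificates in the wrong order. Returns 0 when verification fails as expected.
chain_fails_without_root() {
    ! openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.crt" \
        "$WORK/firebox.crt" >>"$LOG" 2>&1
}

# Run every step; exit status 0 means the CSR, the issued certificate and
# the chain order all check out.
run_demo() {
    make_csr && make_chain &&
        has_required_eku req  "$WORK/firebox.csr" &&
        has_required_eku x509 "$WORK/firebox.crt" &&
        chain_verifies && chain_fails_without_root
}

run_demo && printf 'CSR, EKU and chain checks passed; files are in %s\n' "$WORK"
```

Run it with `sh firebox-csr-chain.sh`; the CSR in `$WORK/firebox.csr` is what you would send to your real CA, and `$WORK/firebox.key` is the private key that stays with you. After you enable the certificate on the Firebox, `openssl s_client -connect <Firebox address>:443 -showcerts` prints the chain the Firebox actually serves, which is a quick way to confirm that the root and intermediate you imported are the ones the browser will see.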

To add certificates for your cloud-managed Firebox in WatchGuard Cloud, see Manage Certificates.

Add the New Signed Web Server Certificate to your Firebox

After you add the required CA certificates, you can add the new signed Web Server certificate to your Firebox.

To add the Web Server certificate to your Firebox in WatchGuard Cloud, see Configure the Web Server Certificate for Firebox Authentication.

If the import is successful, you can select this new certificate as the Web Server certificate for your Firebox.

Enable the New Web Server Certificate

To select a new Web Server certificate, see Configure the Web Server Certificate for Firebox Authentication.

Make sure you select the new signed Web Server certificate that you added to the Firebox.

To verify that your Firebox correctly responds with the new certificate, go to https://[Firebox IP address or name]/sslvpn.html

Related Topics

Configure the Web Server Certificate for Firebox Authentication

Manage Certificates