Manage Certificates on the Management Server

To view and complete all the management tasks for the certificates on your Management Server, you can use the WatchGuard WebCenter tool, CA Manager. To only view or delete certificates on the Management Server, you can also use the Certificate Maintenance tool in WatchGuard System Manager.

Connect to CA Manager

You can either launch CA Manager from WatchGuard System Manager, or connect to CA Manager directly in your web browser.

To connect to CA Manager from WSM:

  1. Open WatchGuard System Manager and connect to your Management Server.
    You must type the configuration passphrase to connect.
  2. Select the Device Management tab.
  3. Click the CA Manager icon.
    Or, select Tools > CA Manager.

To connect to CA Manager from a web browser:

  1. Open a web browser and go to https://<IP address of your Management Server>:4130.
    The WatchGuard WebCenter login page opens.
  2. Type your user credentials and click Login.
    WatchGuard WebCenter appears.
  3. In the left navigation menu, select an option from the CA MANAGER section.

After you have connected to CA Manager, you can view, generate, revoke, reinstate, destroy, upload, and publish certificates for your Management Server and managed devices.

Manage Current Certificates

From CA Manager, you can search for the certificates on your Management Server by serial number, common name, or organizational unit. You can revoke, reinstate, or destroy any certificate in the list. When you revoke a certificate, it is added to the Certificate Revocation List (CRL) and cannot be used for authentication. When you reinstate a certificate, it is removed from the CRL and can be used again. When you remove or destroy a certificate, it is not added to the CRL, but it cannot be used for authentication. The CRL is published to each Firebox when the Firebox connects to the Management Server.

To manage the current certificates for your Fireboxes and Management Server:

  1. Select CA MANAGER > Manage.
    The Manage page opens, with a list of all the devices for which the Management Server has stored certificates.

Screen shot of the CA Manager Manage page

  2. Follow the instructions in the next sections to manage your certificates.

Filter the Certificates List

You can filter the list of certificates that appears on the Manage page to find a specific certificate in the list.

To filter the list of certificates:

  1. From the left filter drop-down list, select an option to filter on:
    • Serial Number
    • Common Name
    • Org Unit
  2. In the filter text box, type the text that corresponds to the filter option you selected.
    For example, if you selected Serial Number, type the serial number that appears in the Serial column for the certificate you want to find.
  3. From the Filter drop-down list, select an option:
    • All
    • Valid Only
    • Revoked Only
    • Expired Only
  4. Click Search.
    The certificates list is updated to only include certificates that match the parameters you specified.

Change the Certificate Status

The certificate list includes the status of each certificate managed by your Management Server CA. From the Manage page, you can revoke, reinstate, or destroy any certificate in the list. For example, if you have several certificates that were revoked that you want to reinstate, you can select each of those certificates and change the status for all of the selected certificates at the same time.

To change the status of one or more certificates from the certificate list:

  1. Select the check box adjacent to each certificate.
  2. From the Action drop-down list, select an action:
    • Revoke
    • Reinstate
    • Destroy

When you are finished, the new certificate status appears in the Status column.

You can also change the status of the certificate when you view the full certificate data.

From the certificate list:

  1. Double-click the number in the Serial column for the certificate.
    The View Certificate Data dialog box opens.
  2. Click the button for the action to complete:
    • Revoke
    • Reinstate
    • Destroy

View Certificates

From CA Manager, you can review the certificate details for the Certificate Authority and Management Server CA certificates. For the other certificates managed by your Management Server, you can also see the full certificate details, which includes the signature algorithm, issuer, and public key information.

To see the Certificate Authority (root) certificate and the Management Server CA certificates:

  1. From the CA MANAGER section, select View.
    The View page appears with the text of the CA Certificate and Management Server CA Certificate.

Screen shot of the CA Manager View page

  2. To save the contents of either certificate, select the certificate text and copy it to a file on your computer.

To view the full data of a certificate:

  1. From the CA MANAGER section, select Manage.
    The Manage page appears.
  2. In the Serial column for the certificate, double-click the serial number.
    The View Certificate Data dialog box appears.

Screen shot of the View Certificate Data dialog box

Create a New Certificate Request

To create a new certificate signing request (CSR):

  1. From the CA MANAGER section, select Generate.
    The Generate a New Certificate page opens.

Screen shot of the Generate a New Certificate page

  2. Type the common name, password, and certificate lifetime for the subject.
    • For Firebox Authentication users, the common name must match the identification information for the Firebox (usually, the Firebox IP address).
    • For a generic certificate, the common name is the name of the user.
  3. To download the certificate after it is generated, select the Download Cert check box.
  4. Click Generate.

When you use Firebox System Manager to create a certificate signing request, your Firebox also creates a private key. It is not possible to export this private key from your device. If you want to use the server certificate for a different device, you will need this private key to import the certificate. For an alternative method to create a certificate signing request and private key, go to Create a CSR with OpenSSL.

For more information about how to create certificates, go to Create a Certificate CSR.

Sign a Certificate Request

You can also use CA Manager to sign a certificate request from a different device. Make sure you have the common name and the organizational unit for the certificate before you proceed.

To sign a certificate request:

  1. From the CA Manager section, select Upload.
    The Upload page opens.

Screen shot of the WatchGuard WebCenter Upload page

  2. Type the Common Name and the Organizational Unit for the certificate.
  3. Click Browse to find the CSR (Certificate Signing Request) file.
  4. Click Upload.
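
An added example, not taken from the WatchGuard documentation: it creates the private key and CSR with OpenSSL on a workstation, so the key stays available if the signed certificate must later be imported on a different device, and reads back the CN and OU values the Upload page asks for. The subject values, file names, and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; subject values and file names are constructed placeholders.
set -eu

# make_csr DIR CN OU: write DIR/device.key (unencrypted RSA key) and DIR/device.csr.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_csr() (
    umask 077                      # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/device.key" -out "$1/device.csr" \
        -subj "/O=Example Org/OU=$3/CN=$2" 2>/dev/null
)

# csr_field CSR NAME: print one subject attribute (for example CN or OU).
# Simple parser: assumes attribute values contain no commas.
csr_field() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# csr_matches_key CSR KEY: succeed only if the CSR's self-signature verifies
# and its public key is the one derived from KEY.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

workdir=$(mktemp -d)
make_csr "$workdir" "203.0.113.10" "Branch Office"
csr_matches_key "$workdir/device.csr" "$workdir/device.key"
echo "Common Name:         $(csr_field "$workdir/device.csr" CN)"
echo "Organizational Unit: $(csr_field "$workdir/device.csr" OU)"
echo "Keep $workdir/device.key private; upload only device.csr."
```

Only `device.csr` is uploaded for signing; the key file never leaves the workstation until it is imported together with the signed certificate.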

Publish the Certificate Revocation List

From CA Manager, you can make the CRL (Certificate Revocation List) available to each Firebox that is connected to your Management Server.

  1. From the CA Manager section, select Publish.
    The Publish page opens.
  2. Click Publish.

When a managed Firebox next attempts to validate a revoked certificate, the certificate is disabled. If a revoked certificate was used for VPN authentication, the VPN tunnel is disabled.

Manage Certificates From WatchGuard System Manager

To see certificates used by the Management Server and delete those that are no longer needed:

  1. Open WatchGuard System Manager and connect to the Management Server.
    You must type the configuration passphrase to connect.
  2. Select File > Certificates.
    The Certificate Maintenance dialog box appears with a list of the certificates used by the Management Server.

Screen shot of the Certificate Maintenance dialog box

  2. To delete a certificate, select it and click Remove.
    If the certificate is currently used by the Management Server, you must first disconnect from the server before you delete the certificate.
  3. Click OK.

When you delete a Management Server certificate, you do not delete certificates in Microsoft Internet Explorer.

Related Topics

About Certificates

Manage Device Certificates (WSM)

See Log Messages & Reports in WebCenter

Connect to WatchGuard WebCenter