Renew or Replace an Expired Third-Party Web Server Certificate
Applies To: Locally-managed Fireboxes
Use this procedure to renew an expired third‑party certificate used as the current web server certificate for:
- Fireware Web UI
- Authentication Portal
- Access Portal web pages when configured to use the web server certificate
- Mobile VPN with SSL client download page (Fireware v12.10.x and lower)
This procedure assumes that your replacement certificate is signed by the same CA with the same FQDN/subject as the original expired certificate. If you want to install a new certificate from a different CA or with different certificate details, use the procedure described in Import and Install a Third-Party Web Server Certificate to install the new certificate and select it as the new web server certificate.
To renew and replace an expired third-party web server certificate, you must follow these steps:
- Identify the current web server certificate
- Get the renewed third-party certificate
- Temporarily switch to the default Firebox web server certificate
- Delete the expired third‑party web server certificate
- Import the renewed third‑party certificate and certificate chain
- Configure the renewed certificate as the Firebox web server certificate
- Verify the web server certificate installation
You can use Fireware Web UI or Firebox System Manager/Policy Manager to perform these tasks.
Identify the Current Web Server Certificate
To identify the current web server certificate:
- From Fireware Web UI, select System > Certificates, or in Firebox System Manager, select View > Certificates.
The current web server certificate is displayed with a * beside the status, such as "Signed*".
- To confirm the certificate details, select the certificate and click Details.
Verify the certificate expiration date and FQDN/subject.
The Firebox shows both locally generated and imported certificates in this list. Make sure you look specifically for third‑party certificates if multiple certificates exist.
Get the Renewed Third‑Party Certificate
To get a renewed third-party certificate to replace your expired certificate:
- Request a renewal from your CA by submitting a certificate signing request (CSR) that uses the same FQDN/subject as the original certificate, such as firebox.example.com.
Create a new CSR with the same certificate details so that the CA can sign it and issue a renewed certificate for the updated key pair.
For information on how to generate a CSR on the Firebox, go to Create a Certificate CSR.
- When the CA has signed the certificate, export or download the renewed certificate as a PKCS#12 (.p12/.pfx) file that contains:
- The renewed certificate and certificate chain
- The private key
- Required intermediate CA certificates
Make sure you know the file path to the .p12/.pfx file, and the password for the file (if applicable) when you are ready to import the certificate later in this procedure.
If the CA does not issue PFX files, you must import certificates manually. For more information, go to Import the Renewed Third‑Party Certificate and Certificate Chain.
In Fireware v12.11 and higher, PFX certificate files must be generated with ciphers supported in OpenSSL v3.0.x or higher. For more information, go to Cannot import PFX certificate file in Fireware v12.11 and higher in the WatchGuard Knowledge Base.
Temporarily Switch to the Default Firebox Web Server Certificate
Before you delete the current web server certificate, you must make sure it is not in use. You can select the default Firebox web server certificate or another temporary certificate.
- In Fireware Web UI or Policy Manager, select System > Certificates.
- Select the Firebox Web Server Certificate tab.
- Select Default Certificate signed by Firebox or another temporary certificate.
- Click Save.
Acknowledge the logout warning to continue.
The Firebox restarts the web server interface, and you are logged out of the Firebox. Any other Firebox web server connections are also disconnected.
- Log in to the Firebox again.
Delete the Expired Third‑Party Web Server Certificate
To delete the expired third-party web server certificate:
- In Fireware Web UI or Policy Manager, select System > Certificates.
- Select the Certificates tab.
- Locate the expired third‑party certificate.
- Select the certificate and click Delete.
You cannot delete the certificate that is currently in use as the web server certificate. Make sure that, in the previous step, you selected a temporary certificate such as the default Firebox web server certificate.
Import the Renewed Third‑Party Certificate and Certificate Chain
To import the replacement third-party certificate and any other supporting certificates in the chain:
- In Fireware Web UI or Policy Manager, select System > Certificates.
- On the Certificates tab, click Import.
- Choose General Use for the certificate function.
- Select the certificate import type:
- PFX file — Enter the password and select the .p12/.pfx file.
- Base64 (PEM) — Import the root and intermediate CA certificates first, then import the web server certificate with its private key.
- Complete the import wizard.
- Verify the certificate shows the correct FQDN and expiration date.
For more information on how to import the web server certificate to your Firebox with Firebox System Manager, go to Manage Device Certificates (WSM).
For more information on how to import the web server certificate to your Firebox with Fireware Web UI, go to Manage Device Certificates (Web UI).
Configure the Renewed Certificate as the Firebox Web Server Certificate
- In Fireware Web UI or Policy Manager, select System > Certificates.
- Select the Firebox Web Server Certificate tab.
- Select Third party certificate.
- From the drop-down list, select the newly imported third‑party certificate.
- Click Save.
Acknowledge the logout warning to continue.
The Firebox restarts the web server interface, and you are logged out of the Firebox. Any other Firebox web server connections are also disconnected.
Verify the Web Server Certificate Installation
- From a management workstation, log in to the Firebox using its FQDN (such as https://firebox.example.com).
- Confirm that:
- No certificate warning appears (if the CA is trusted).
- The certificate CN/SAN matches the FQDN.
- The expiration date matches the renewed certificate.
- The certificate chain validates to the correct CA.
- Mobile VPN with SSL connections work. Clients are prompted to accept and install the new certificate.
In most web browsers, you can inspect the certificate by clicking a padlock icon in the web browser address or location bar.
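The certificate-side steps of this procedure, as an added example that is not WatchGuard's code and not part of the original page: it generates the key pair and CSR for the same FQDN used in the text (firebox.example.com), lets a throwaway test CA stand in for your third-party CA to issue the certificate and chain, packages certificate, chain and private key as a PKCS#12 (.pfx) file with the AES-256-CBC and SHA-256 algorithms that OpenSSL 3.0.x accepts (the point of the Fireware v12.11 note in Get the Renewed Third-Party Certificate), and then runs the checks from Verify the Web Server Certificate Installation against the resulting files. The CA names, the working directory, the PFX password and the 30-day expiry margin are constructed for the example; the Firebox itself is not involved, so the only assumption is an openssl command (1.1.1 or 3.x) on the management workstation.

```shell
#!/bin/sh
# Added example, not WatchGuard code: certificate-side steps of the renewal procedure
# done with the openssl CLI. A throwaway test CA (constructed) stands in for the
# third-party CA that signs your CSR; every file lives under $WORK.
set -e

FQDN="firebox.example.com"                      # same FQDN/subject as the expired certificate
WORK="${WORK:-$(mktemp -d)}"                    # scratch directory for keys, CSRs and certificates
PFX_PASS="${PFX_PASS:-example-pfx-password}"    # constructed PFX password for the example only

# Step 1 (Get the Renewed Third-Party Certificate): new key pair and CSR that keeps the
# original FQDN as both CN and SAN. Modern clients ignore the CN and match on the SAN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/firebox.key" -out "$WORK/firebox.csr" \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN"
}

# Constructed stand-in for the CA: self-signed root -> intermediate -> Firebox certificate.
# In the real procedure this is what the CA does when it signs the CSR you submitted.
issue_with_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem"
  # The CA must carry the SAN from the CSR into the issued certificate, so it is set here
  # explicitly (x509 -req does not copy CSR extensions by itself).
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/firebox.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/firebox.pem"
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"   # intermediate + root
}

# Step 2 (PFX for import): bundle certificate, chain and private key. Fireware v12.11+
# runs OpenSSL 3.0.x, whose default provider no longer includes RC2-40, the pre-3.0
# default for the certificate bag; requesting AES-256-CBC and a SHA-256 MAC explicitly
# produces a file that imports. On OpenSSL 3.x these are already the defaults.
export_pfx() {
  openssl pkcs12 -export -in "$WORK/firebox.pem" -inkey "$WORK/firebox.key" \
    -certfile "$WORK/chain.pem" -name "$FQDN" -passout "pass:$PFX_PASS" \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 -out "$WORK/firebox.pfx"
}

# Number of certificates inside the PFX: leaf + intermediate + root = 3 when the chain is complete.
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/firebox.pfx" -passin "pass:$PFX_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Step 3 (Verify the Web Server Certificate Installation), applied to the files produced above.
# For the live Firebox, run the same three checks on the chain captured with
#   openssl s_client -connect "$FQDN:443" -servername "$FQDN" -showcerts </dev/null
cert_not_expired() {   # 0 if the certificate is still valid 30 days from now (2592000 s)
  openssl x509 -in "$WORK/firebox.pem" -noout -checkend 2592000 >/dev/null
}
cert_matches_fqdn() {  # CN/SAN must contain the name clients connect to
  openssl x509 -in "$WORK/firebox.pem" -noout -ext subjectAltName | grep -qF "DNS:$FQDN"
}
chain_validates() {    # chain must build to the trusted root, and the host name must match
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    -verify_hostname "$FQDN" "$WORK/firebox.pem" >/dev/null
}

renew_and_verify() {
  make_csr && issue_with_test_ca && export_pfx \
    && cert_not_expired && cert_matches_fqdn && chain_validates
}

renew_and_verify && echo "renewed certificate for $FQDN packaged in $WORK/firebox.pfx and verified"
```

Run it as `sh renew_check.sh`; it leaves firebox.pfx (the file you would import with the PFX file option) in the directory it prints. Against the real Firebox, replace the files under $WORK with the certificates captured by the s_client command in the comment and keep the three checks unchanged: a certificate that passes -checkend, carries the FQDN in its SAN, and verifies to the CA you trust is exactly what the verification section asks you to confirm in the browser.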
See Also
Manage Device Certificates (WSM)
Manage Device Certificates (Web UI)
Manage Certificates in WatchGuard Cloud
Configure the Web Server Certificate for Firebox Authentication in WatchGuard Cloud