Manage XTM Device Certificates
You can use Fireware XTM Web UI to see and manage your Firebox or XTM device certificates. This includes:
- See a list of the current device certificates and their properties
- Import a certificate
- Select a web server certificate for Firebox authentication
- Select a certificate to use with a Branch Office VPN or Mobile User VPN
You must use Firebox System Manager (FSM) to create certificate signing requests (CSRs), import certificate revocation lists (CRLs), or remove certificates from the device.
For more information, see the WatchGuard System Manager help system.
See Current Certificates
To see the current list of certificates:
- Select System > Certificates.
The Certificates list appears, with all the certificates and certificate signing requests (CSRs).
The Certificates list includes:
- The status and type of the certificate.
- The algorithm used by the certificate.
- The subject name or identifier of the certificate.
By default, trusted CA certificates are not included in this list.
- To show all of the certificates from trusted CAs, select the Show Trusted CAs for Proxies check box.
- To hide the trusted CA certificates, clear the Show Trusted CAs for Proxies check box.
Import a Certificate from a File
You can import a certificate from the Windows clipboard or from a file on your local computer. Certificates must be in Base64-encoded PEM format or in PFX (PKCS#12) file format.
Before you import a certificate to use with the proxy content inspection feature, you must first import each CA certificate in its chain of trust with the type Other. Start with the root CA certificate, then import any intermediate CA certificates, and import the end entity certificate last, so that each certificate can be validated by the one imported before it.
To import a CA certificate that your Firebox or XTM device uses to validate other certificates when they are imported (and so build a chain of trust), select the IPSec, Web Server, Other category when you import the CA certificate, and do not include the private key.
About PFX Files
A PFX certificate bundle contains all the required certificates and private key, and is uploaded as a single file.
To use a PFX bundle for HTTPS content inspection, you must have two PFX files:
- The first proxy authority PFX file must have the root CA certificate that issued the proxy authority certificate, and the proxy authority certificate with its private key.
- The second proxy server PFX file must have the proxy authority certificate, and the proxy server certificate with its private key.
For more information, see About Certificates, Use Certificates with HTTPS Proxy Content Inspection, and SMTP-Proxy: TLS Encryption.
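To make the contents of the two bundles above concrete, here is an added example, OpenSSL shell commands written for this page and not WatchGuard's own tooling. It builds a test chain in the order the Web UI expects you to import it (root CA, then the proxy authority CA, then the proxy server certificate), packages the two PFX files exactly as described, and then checks that each PFX carries two certificates and one private key and that the proxy server certificate validates up to the root through the proxy authority. The organization names, the hostname www.example.com, the password, and the assumption that the proxy server certificate is issued by the proxy authority (as the bundle description implies) are all constructed for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not WatchGuard's code: build a test PKI and the two PFX
# bundles the page describes for HTTPS content inspection, then check
# what each bundle contains. All names and the password are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"      # scratch directory for keys and certs
PFX_PASS="${PFX_PASS:-changeit}"  # password the Web UI will ask for

# Minimal OpenSSL config: no prompting, plus the extension sections used
# for CA certificates and for the end-entity proxy server certificate.
write_cnf() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# Chain of trust, created in the order the Web UI wants it imported:
# root CA, then the proxy authority CA, then the proxy server certificate.
make_chain() {
  write_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/req.cnf" -extensions ca_ext \
    -subj "/O=Example Corp/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/O=Example Corp/CN=Example Proxy Authority" \
    -keyout "$WORK/proxy-authority.key" -out "$WORK/proxy-authority.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$WORK/proxy-authority.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/req.cnf" -extensions ca_ext \
    -out "$WORK/proxy-authority.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/O=Example Corp/CN=www.example.com" \
    -keyout "$WORK/proxy-server.key" -out "$WORK/proxy-server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$WORK/proxy-server.csr" \
    -CA "$WORK/proxy-authority.crt" -CAkey "$WORK/proxy-authority.key" -CAcreateserial \
    -extfile "$WORK/req.cnf" -extensions server_ext \
    -out "$WORK/proxy-server.crt" 2>/dev/null
}

# The two bundles exactly as the page lays them out:
#   proxy-authority.pfx = root CA cert + proxy authority cert + its private key
#   proxy-server.pfx    = proxy authority cert + proxy server cert + its private key
make_pfx_bundles() {
  openssl pkcs12 -export -passout "pass:$PFX_PASS" \
    -inkey "$WORK/proxy-authority.key" -in "$WORK/proxy-authority.crt" \
    -certfile "$WORK/root.crt" -name "Proxy Authority" \
    -out "$WORK/proxy-authority.pfx"
  openssl pkcs12 -export -passout "pass:$PFX_PASS" \
    -inkey "$WORK/proxy-server.key" -in "$WORK/proxy-server.crt" \
    -certfile "$WORK/proxy-authority.crt" -name "Proxy Server" \
    -out "$WORK/proxy-server.pfx"
}

# Prints how many certificates a PFX carries (expected: 2 for each bundle).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Prints how many private keys a PFX carries (expected: exactly 1).
pfx_key_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Confirms the proxy server certificate validates up to the root through the
# proxy authority, which is what the device must be able to do after import.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/proxy-authority.crt" \
    "$WORK/proxy-server.crt" >/dev/null
}

build_bundles() {
  make_chain
  make_pfx_bundles
}

build_bundles
echo "Bundles written to $WORK (password: $PFX_PASS)"
```

Run it as `sh build-pfx.sh`; it prints the scratch directory where proxy-authority.pfx and proxy-server.pfx were written. Import proxy-authority.pfx with the Proxy Authority type and proxy-server.pfx with the Proxy Server type, entering the same password in the PFX File Password box. In a real deployment the keys and the CA certificates come from your own PKI, and the private key of the root CA never leaves it; only the proxy authority and proxy server keys are placed in the bundles.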
To import a certificate file:
- Select System > Certificates.
The Certificates page appears.
- Click Import Certificate.
- From the Certificate Type drop-down list, select the Base64 (PEM) certificate or PFX file type.
- Select the option that matches the function of the certificate:
- Proxy Authority (for deep packet inspection) — Select this option if the certificate is for a proxy policy that manages web traffic requested by users on trusted or optional networks from a web server on an external network. A certificate you import for this purpose must be a CA certificate. Before you import the CA certificate used to re-encrypt traffic with a proxy, make sure the CA certificate that signed it was imported with the Other category.
- Proxy Server — Select this option if the certificate is for a proxy policy that manages web traffic requested by users on an external network from a web server protected by the XTM device. Before you import the certificate used to re-encrypt traffic from a web server, make sure the CA certificate that signed it was imported with the Other category.
- Trusted CA for Proxies — Select this option for a certificate used to trust traffic that is not re-encrypted by a proxy. For example, a root certificate or intermediate CA certificate used to sign the certificate of an external web server.
- IPSec, Web Server, Other — Select this option if:
- The certificate is for authentication, is a device IPSec certificate, or is a CA certificate.
- You want to import a CA certificate for your XTM device to use to validate other certificates when they are imported and create a chain of trust. Make sure you do not include the private key when you import the CA certificate.
- If you selected Base64 (PEM) certificate as the Certificate Type, you can load the certificate from a file, or copy and paste the PEM certificate contents in the text box. If the certificate includes a private key, type the password to decrypt the key.
If you selected PFX file as the Certificate Type, type the PFX File Password, and click Browse to select the PFX file to upload.
- Click Save.
The certificate is added to the XTM device.
Use a Web Server Certificate for Authentication
To use a third-party certificate for authentication, you must first import that certificate. See the previous procedure for more information. If you use a custom certificate signed by the XTM device, we recommend that you export the certificate and then import it on each client device that connects to the XTM device, so that clients trust the certificate and users do not see a certificate warning.
- Select Authentication > Web Server Certificate.
The Authentication Web Server Certificate page appears.
- To use a previously imported third-party certificate, select Third party certificates and select the certificate from the drop-down list.
Click Save. Do not complete the remaining steps in this procedure.
- To create a new certificate for XTM device authentication, select Custom certificate signed by Firebox.
- In the text box at the bottom of the dialog box, type the domain name or IP address of an interface on your XTM device. Click Add.
When you have added all the domain names, click OK.
- Type the Common name for your organization. This is usually your domain name.
You can also type an Organization name and an Organization unit name (both optional) to identify the part of your organization that created the certificate.
- Click Save.
Certificates for Mobile VPN With IPSec Tunnel Authentication
Certificates for Branch Office VPN (BOVPN) Tunnel Authentication