Manage XTM Device Certificates

You can use Fireware XTM Web UI to see and manage your Firebox or XTM device certificates. This includes:

You must use Firebox System Manager (FSM) to create certificate signing requests (CSRs), import certificate revocation lists (CRLs), remove certificates, or delete certificates.
For more information, see the WatchGuard System Manager help system.

See Current Certificates

To see the current list of certificates:

  1. Select System > Certificates.
    The Certificates list appears, with all the certificates and certificate signing requests (CSRs).

The Certificates list includes:

By default, trusted CA certificates are not included in this list.

  1. To show all of the certificates from trusted CAs, select the Show Trusted CAs for Proxies check box.
  2. To hide the trusted CA certificates, clear the Show Trusted CAs for Proxies check box.

Import a Certificate from a File

You can import a certificate from the Windows clipboard or from a file on your local computer. Certificates must be in Base64 PEM encoded format or PFX file format.

Before you import a certificate to use with the proxy content inspection feature, you must first import each preceding certificate in the chain of trust, with the type Other. Start with the root CA certificate and proceed to the end entity certificate, in that order.

To import a CA certificate that your Firebox or XTM device uses to validate other certificates when they are imported and to create a chain of trust, select the IPSec, Web Server, Other category when you import the CA certificate, and do not include the private key.
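
The import order described above (root CA first, end entity certificate last) can be worked out before you open the Web UI. The following Python is an added example, not WatchGuard code: it reads the issuer and subject names from DER-encoded certificates and returns the order to import them in, and it fails if a certificate in the chain is missing. The labels and certificate names are constructed sample values, and names are only matched, not cryptographically verified.

```python
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, cert_start, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, end = read_tlv(der, cert_start)  # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    skip = 1 if fields[0][0] == 0xA0 else 0  # optional explicit [0] version
    return fields[skip + 2][1], fields[skip + 4][1]  # issuer, subject

def import_order(certs):
    """Map label -> DER in, labels out (root CA first). Signatures NOT verified."""
    names = {k: issuer_and_subject(der) for k, der in certs.items()}
    roots = [k for k, (iss, sub) in names.items() if iss == sub]
    if len(roots) != 1:
        raise ValueError("need exactly one self-signed root CA")
    order = [roots[0]]
    while len(order) < len(names):
        parent = names[order[-1]][1]  # subject of the last certificate placed
        nxt = [k for k, (iss, _) in names.items() if iss == parent and k not in order]
        if len(nxt) != 1:
            raise ValueError(f"chain breaks after {order[-1]!r}")
        order.append(nxt[0])
    return order

# Constructed sample: minimal unsigned DER skeletons, not real certificates.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths only
def _name(cn):  # Name holding one commonName attribute
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))
def sample_cert(subject, issuer):
    head = _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
    return _tlv(0x30, _tlv(0x30, head + _name(issuer) + _tlv(0x30, b"") + _name(subject)))

SAMPLE = {  # deliberately listed out of order
    "proxy-server": sample_cert("Example Proxy Server", "Example Proxy Authority"),
    "root-ca": sample_cert("Example Root CA", "Example Root CA"),
    "proxy-authority": sample_cert("Example Proxy Authority", "Example Root CA"),
}
```

For real input, convert each PEM certificate with `ssl.PEM_cert_to_DER_cert()` from the Python standard library before you pass it to `import_order`.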

About PFX Files

A PFX certificate bundle contains all the required certificates and private key, and is uploaded as a single file.

To use a PFX bundle for HTTPS content inspection, you must have two PFX files:

  1. The first PFX file, for the proxy authority, must contain the root CA certificate that issued the proxy authority certificate, and the proxy authority certificate with its private key.
  2. The second PFX file, for the proxy server, must contain the proxy authority certificate, and the proxy server certificate with its private key.

For more information, see About Certificates, Use Certificates with HTTPS Proxy Content Inspection, and SMTP-Proxy: TLS Encryption.

Import Certificate

To import a certificate file:

  1. Select System > Certificates.
    The Certificates page appears.
  2. Click Import Certificate.

Screen shot of the Certificates / Import page

  3. From the Certificate Type drop-down list, select the Base64 (PEM) certificate or PFX file type.
  4. Select the option that matches the function of the certificate:
  5. If you selected Base64 (PEM) certificate as the Certificate Type, you can load the certificate from a file, or copy and paste the PEM certificate contents in the text box. If the certificate includes a private key, type the password to decrypt the key.

    If you selected PFX file as the Certificate Type, type the PFX File Password, and click Browse to select the PFX file to upload.

Screen shot of the Certificates / Import page with PFX File selection

  6. Click Save.
    The certificate is added to the XTM device.

Use a Web Server Certificate for Authentication

To use a third-party certificate for authentication, you must first import that certificate. See the previous procedure for more information. If you use a custom certificate signed by the XTM device, we recommend that you export the certificate and then import it on each client device that connects to the XTM device.

  1. Select Authentication > Web Server Certificate.
    The Authentication Web Server Certificate page appears.
  2. To use a previously imported third-party certificate, select Third party certificates and select the certificate from the drop-down list.
    Click Save and do not complete the other steps in this procedure.
  3. To create a new certificate for XTM device authentication, select Custom certificate signed by Firebox.
  4. In the text box at the bottom of the dialog box, type the domain name or IP address of an interface on your XTM device. Click Add.
    When you have added all the domain names, click OK.
  5. Type the Common name for your organization. This is usually your domain name.
    You can also type an Organization name and an Organization unit name (both optional) to identify which part of your organization created the certificate.
  6. Click Save.

See Also

About Certificates

Certificates for Mobile VPN With IPSec Tunnel Authentication

Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
