Import a Certificate on a Client Device

When you configure your Firebox or XTM device to use a certificate for HTTPS content inspection or authentication, you must import that certificate on each client in your network to prevent security warnings in their web browsers. You can perform this import on each individual client device, or use policies with Microsoft Active Directory to automatically install the certificate for all clients.

For HTTPS Proxy content inspection you can use the default Proxy Authority CA certificate on your device. If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate on your device that is signed by your organization's CA.

For more information on content inspection and certificates, see Use Certificates with HTTPS Proxy Content Inspection.

For instructions on how to export a certificate from your Firebox or XTM device, see Export a Certificate from Your Device.

When you export a certificate from your device, the certificate is saved in PEM format. For some certificate distribution methods, the preferred certificate format for import is the DER format. For information on how to convert certificate formats, see Convert Certificate Format.
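The PEM-to-DER step described above, as an added example that is not part of the original documentation: it decodes the exported PEM file with Python's standard library, checks that the DER length field matches the decoded size (which catches a truncated or padded file), and computes the SHA-256 fingerprint you can compare on a client after import. The sample input is a constructed placeholder, not a real certificate, and the function names are illustrative.

```python
import hashlib
import ssl


def der_total_length(der: bytes) -> int:
    """Size in bytes that the outer DER SEQUENCE claims (header + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: a certificate starts with SEQUENCE tag 0x30")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n bytes of length follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem_text: str) -> bytes:
    """Decode one PEM certificate and reject truncated or padded output."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    if der_total_length(der) != len(der):
        raise ValueError("DER length field does not match the decoded size")
    return der


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as certificate viewers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: DER SEQUENCE framing around 256 zero bytes. It is NOT a
# real certificate; it only exercises the conversion and the framing check.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    # With a real export, write `der` to a .der/.cer/.crt file for distribution
    # and compare this fingerprint with the one the client shows after import.
    print(len(der), "bytes")
    print("SHA-256", sha256_fingerprint(der))
```
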

Each client operating system and web browser has a different method to import certificates. Instructions for the most common operating systems and web browsers are described in the next sections. For other operating systems and browsers, see the manufacturer's documentation.

Import a Certificate on Windows Clients with Internet Explorer

When you install a certificate in the Trusted Root Certification Authorities store with Internet Explorer, the entire system, including other programs or services that use the Windows certificate store, can use that certificate. For example, the Google Chrome browser for Windows and Windows Update will also use any installed certificates.

If the certificate is in DER format, you can give the file name an extension of .der, .cer, or .crt. You can then distribute this certificate to users, who can double-click the certificate file to start the Certificate Installer on their system.

To import a certificate with Internet Explorer manually:

  1. Select Internet Options.
  2. Select the Content tab.
  3. Click Certificates.
  4. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

Import a Certificate on Windows Clients with Active Directory Group Policy

You can also deploy certificates to your Windows client devices through a group policy object from your Active Directory server. This enables you to update all Windows clients on your domain automatically with the required certificates.

To add certificates to the Trusted Root Certification Authorities store for all clients in a domain, on your Active Directory server:

  1. Click Start, point to Administrative Tools, and then click Group Policy Management.
  2. In the console tree, double-click Group Policy Objects in the domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
  3. Right-click Default Domain Policy GPO, then click Edit.
  4. In the Group Policy Management Console (GPMC), go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
  5. Right-click the Trusted Root Certification Authorities store.
  6. Click Import and follow the steps in the Certificate Import Wizard to import the certificates.

For more information, see Use Policy to Distribute Certificates on the Microsoft TechNet web site.

Import a Certificate with Mozilla Firefox

To import a certificate with Mozilla Firefox:

  1. Select Options.
  2. Select the Advanced tab.
  3. Select the Certificates tab.
  4. Click View Certificates.
  5. Select the Authorities tab.
  6. Click Import.
  7. Browse to select the certificate file, then click Open.
  8. In the Downloading Certificate dialog box, select the Trust this CA to identify web sites check box.
  9. Click OK.
  10. Restart Firefox.

Import a Certificate with Mac OS X and Apple Safari

This process allows Safari and other programs or services that use the Mac OS X certificate store to get access to the certificate.

  1. Open the Keychain Access application.
  2. Select the Certificates category.
  3. Click + (the plus icon button) on the lower toolbar, then find and select the certificate.
  4. Select the System keychain, then click Open.

    Or, select the System keychain, then drag-and-drop the certificate file into the list.
  5. Right-click the certificate and select Get Info.

    A certificate information window appears.
  6. Expand the Trust category.
  7. In the When using this certificate drop-down list, select Always Trust.
  8. Close the certificate information window.
  9. Type your administrator password to confirm your changes.

Import a Certificate with an Apple iOS Device

To import a certificate with an Apple iOS device, such as an iPhone or iPad, you need to use a DER format certificate file. For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Import a Certificate on a Client Device and Convert Certificate Format.

The certificate file can be distributed to end users in several ways, such as email, website download, iOS configuration profile, or installation by the Simple Certificate Enrollment Protocol (SCEP).

If you receive a certificate file by email or website download, tap the certificate to add it to the device. For example, to add a certificate distributed by email:

  1. Open the Mail app.
  2. Open the email that contains the attached certificate.
  3. Tap the attached certificate.
    The Install Profile Dialog appears.
  4. Tap Install.

If a warning message appears, you may safely ignore it at this time and tap Install. This message appears if the iOS device does not trust the signing authority for this certificate.

Import a Certificate with an Android Device

The instructions to add a certificate to an Android device are different depending on the device manufacturer. These general rules apply:

For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Import a Certificate on a Client Device and Convert Certificate Format.

If you have a copy of the certificate on your device as an email attachment or file download, some devices allow you to tap the certificate to import it to your device.

  1. Open the email application on your Android device.
  2. Open the email that contains the attached certificate.
  3. Tap the attached certificate.
    The Name the Certificate dialog box appears.
  4. Type a descriptive name for the certificate.
  5. Tap OK.

To import a certificate saved to the internal storage of an Android device:

  1. In your Android device settings, go to the security settings where certificates and credentials are stored.
  2. Import the certificate.

See Also

Manage XTM Device Certificates

HTTPS-Proxy: Content Inspection
