When you configure your Firebox or XTM device to use a certificate for HTTPS content inspection or authentication, you must import that certificate on each client in your network to prevent security warnings in their web browsers. You can perform this import on each individual client device, or use policies with Microsoft Active Directory to automatically install the certificate for all clients.
For HTTPS Proxy content inspection you can use the default Proxy Authority CA certificate on your device. If your organization already has a PKI (Public Key Infrastructure) set up with a trusted CA, you can import a certificate on your device that is signed by your organization's CA.
For more information on content inspection and certificates, see Use Certificates with HTTPS Proxy Content Inspection.
For instructions on how to export a certificate from your Firebox or XTM device, see Export a Certificate from Your Device.
When you export a certificate from your device, the certificate is saved in PEM format. For some certificate distribution methods, the preferred certificate format for import is the DER format. For information on how to convert certificate formats, see Convert Certificate Format.
Each client operating system and web browser has a different method to import certificates. Instructions for the most common operating systems and web browsers are described in the next sections. For other operating systems and browsers, see the manufacturer's documentation.
When you install a certificate in the Trusted Root Certification Authorities with Internet Explorer, this enables the entire system, including other programs or services that use the Windows certificate store, to use that certificate. For example, the Google Chrome browser for Windows and Windows Update will also use any installed certificates.
If the certificate is in DER format, you can format the file name with an extension of .der, .cer, or .crt. You can then distribute this certificate to users who can double-click the certificate file to start the Certificate Installer on their system.
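The PEM-to-DER conversion and the .cer naming described above can be scripted with a fingerprint check before the file is distributed. This is an added example, not WatchGuard code; the file name `proxy_ca.pem`, the function names, and the practice of recording the SHA-256 fingerprint at export time are assumptions, and the sample bytes are constructed placeholders, not a real certificate.

```python
import hashlib
import ssl
import tempfile
from pathlib import Path

# Constructed placeholder bytes shaped like a DER SEQUENCE; not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

def to_der(data: bytes) -> bytes:
    """Return DER bytes for certificate data given in PEM or DER form."""
    text = data.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        # PEM is the DER encoding in base64 between BEGIN/END lines.
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    if data[:1] == b"\x30":  # DER certificates start with a SEQUENCE tag
        return data
    raise ValueError("input is neither a PEM nor a DER certificate")

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def prepare_for_distribution(src: Path, expected_fp: str, out_dir: Path) -> Path:
    """Convert src to DER, check it against expected_fp, write <name>.cer."""
    der = to_der(src.read_bytes())
    actual = sha256_fingerprint(der)
    if actual.replace(":", "") != expected_fp.replace(":", "").upper():
        raise ValueError(f"fingerprint mismatch: got {actual}")
    out = out_dir / (src.stem + ".cer")
    out.write_bytes(der)
    return out

def demo() -> str:
    """Round-trip the sample through a PEM file, as an exported cert would be."""
    with tempfile.TemporaryDirectory() as tmp:
        pem_path = Path(tmp) / "proxy_ca.pem"  # hypothetical file name
        pem_path.write_text(ssl.DER_cert_to_PEM_cert(SAMPLE_DER))
        expected = sha256_fingerprint(SAMPLE_DER)  # stands in for the recorded value
        out = prepare_for_distribution(pem_path, expected, Path(tmp))
        return f"{out.name} {sha256_fingerprint(out.read_bytes()) == expected}"

if __name__ == "__main__":
    print(demo())
```

Because a certificate placed in the Trusted Root Certification Authorities store is trusted system-wide, the mismatch error is the point of the script: a file whose fingerprint differs from the recorded one is never written out for distribution.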
To import a certificate with Internet Explorer manually:
You can also deploy certificates to your Windows client devices through a group policy object from your Active Directory server. This enables you to update all Windows clients on your domain automatically with the required certificates.
To add certificates to the Trusted Root Certification Authorities store for all clients in a domain, on your Active Directory server:
For more information, see Use Policy to Distribute Certificates on the Microsoft TechNet web site.
To import a certificate with Mozilla Firefox:
This process allows Safari and other programs or services that use the Mac OS X certificate store to get access to the certificate.
To import a certificate with an Apple iOS device, such as an iPhone or iPad, you need to use a DER format certificate file. For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Import a Certificate on a Client Device and Convert Certificate Format.
The certificate file can be distributed to end users in several ways, such as email, website download, iOS configuration profile, or installation by the Simple Certificate Enrollment Protocol (SCEP).
If you receive a certificate file by email or website download, tap the certificate to add it to the device. For example, to add a certificate distributed by email:
If a warning message appears, you may safely ignore it at this time and tap Install. This message appears if the iOS device does not trust the signing authority for this certificate.
The instructions to add a certificate to an Android device are different depending on the device manufacturer. These general rules apply:
For information on how to export a PEM format certificate from Firebox System Manager and convert it to DER format, see Import a Certificate on a Client Device and Convert Certificate Format.
If you have a copy of the certificate on your device as an email attachment or file download, some devices allow you to tap the certificate to import it to your device.
To import a certificate saved to the internal storage of an Android device: