About Certificates
Certificates bind the identity of a person or organization to a method for others to verify that identity and
secure communications. They rely on public-key cryptography, which uses a key pair: two mathematically related
numbers called the private key and the public key. A certificate includes both a statement of identity and a
public key, and is signed by a private key.
The private key used to sign a certificate can be from the same key pair used to generate the certificate, or
from a different key pair. If the private key is from the same key pair used to create the certificate, the result
is called a self-signed certificate. If the private key is from a different key pair, the result is a regular
certificate. Certificates with private keys that can be used to sign other certificates are called CA (Certificate
Authority) Certificates. A certificate authority is an organization or application that signs and revokes
certificates.
If your organization has a PKI (public key infrastructure) set up, you can sign certificates as a CA yourself.
Most applications and devices automatically accept certificates from prominent, trusted CAs. Certificates that
are not signed by prominent CAs, such as self-signed certificates, are not automatically accepted by many
servers or programs, and do not operate correctly with some Fireware XTM features.
1 of 4 08/07/2013 13:07
About Certificates http://www.watchguard.com/help/docs/wsm/11_XTM/en-US/Content/e...
1. CA certificate from the prominent CA (as type Other)
2. CA certificate from the smaller CA (as type Other)
3. CA certificate from the organization (as type Other)
4. Certificate used to re-encrypt proxy content after inspection (as type Proxy Authority)
It could also be necessary to import all of these certificates on each client device so that the last certificate is
also trusted by users.
By default, your XTM device creates self-signed certificates to secure management session data and
authentication attempts for Fireware XTM Web UI and for proxy content inspection. To make sure the
certificate used for content inspection is unique, its name includes the serial number of your device and the
time at which the certificate was created. Because these certificates are not signed by a trusted CA, users on
your network see warnings in their web browsers.
1. You can import certificates that are signed by a CA your organization trusts, such as a PKI you have
already set up for your organization, for use with these features. We recommend that you use this
option if possible.
2. You can create a custom, self-signed certificate that matches the name and location of your
organization.
3. You can use the default, self-signed certificate.
For the second and third options, you can ask network clients to accept these self-signed certificates manually
when they connect to the XTM device. Or, you can export the certificates and distribute them with network
management tools. You must have WatchGuard System Manager installed to export certificates.
Sometimes, certificates are revoked, or disabled before their lifetime expiration, by the CA. Your XTM device
keeps a current list of these revoked certificates, called the Certificate Revocation List (CRL), to verify that
certificates used for VPN authentication are valid. If you have WatchGuard System Manager installed, this list
can be updated manually with Firebox System Manager (FSM), or automatically with information from a
certificate. Each certificate includes a unique number used to identify the certificate. If the unique number on a
Web Server, BOVPN, Mobile VPN with IPSec, or Mobile VPN with L2TP certificate matches an identifier from
its associated CRL, the XTM device disables the certificate.
When content inspection is enabled on a proxy, the XTM device can check the OCSP (Online Certificate
Status Protocol) responder associated with the certificates used to sign the content. The OCSP responder
sends the revocation status of the certificate. The XTM device accepts the OCSP response if the response is
signed by a certificate the XTM device trusts. If the OCSP response is not signed by a certificate the XTM
device trusts, or if the OCSP responder does not send a response, then you can configure the XTM device to
accept or reject the original certificate.
For more information about OCSP options, see HTTPS-Proxy: Content Inspection.
To create a certificate for use with the HTTPS-proxy and SMTP-proxy content inspection features, you must
create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager
and have it signed by a prominent CA, it cannot be used as a CA certificate.
If you do not have a PKI set up in your organization, we recommend that you choose a prominent CA to sign
the CSRs you use, except for the proxy CA certificate. If a prominent CA signs your certificates, your
certificates are automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign,
Microsoft CA Server, Entrust, and RSA KEON. You can also import additional certificates so that your XTM
device trusts other CAs.
For a complete list of automatically trusted CAs, see Certificate Authorities Trusted by the XTM Device.
In WatchGuard System Manager, the Management Server also operates as a CA. The CA gives certificates
to managed XTM devices when they contact the Management Server to receive configuration updates.
For more information, see Configure the Certificate Authority on the Management Server.
See Also