
About Certificates http://www.watchguard.com/help/docs/wsm/11_XTM/en-US/Content/e...


About Certificates

Certificates bind the identity of a person or organization to a means for others to verify that identity and
secure communications. They rely on public-key cryptography: a key pair, two mathematically related
numbers called the private key and the public key. A certificate includes both a statement of identity and a
public key, and is signed with a private key.

The private key used to sign a certificate can belong to the same key pair whose public key the certificate
contains, or to a different key pair. If it belongs to the same key pair, the result is a self-signed certificate. If
it belongs to a different key pair, the result is a regular certificate issued by another party. Certificates whose
private keys can be used to sign other certificates are called CA (Certificate Authority) certificates. A
certificate authority is an organization or application that signs and revokes certificates.

If your organization has a PKI (public key infrastructure) set up, you can sign certificates as a CA yourself.
Most applications and devices automatically accept certificates from prominent, trusted CAs. Certificates that
are not signed by prominent CAs, such as self-signed certificates, are not automatically accepted by many
servers or programs, and do not operate correctly with some Fireware XTM features.

1 of 4 08/07/2013 13:07

Use Multiple Certificates to Establish Trust


Several certificates can be used together to create a chain of trust. For example, the CA certificate at the
start of the chain is from a prominent CA, and is used to sign another CA certificate for a smaller CA. That
smaller CA can then sign another CA certificate used by your organization. Finally, your organization can use
this CA certificate to sign another certificate for use with the HTTPS proxy and SMTP proxy content inspection
features. However, to use that final certificate at the end of the chain of trust, you must first import all of the
certificates in the chain of trust in this order:

1. CA certificate from the prominent CA (as type Other)
2. CA certificate from the smaller CA (as type Other)
3. CA certificate from the organization (as type Other)
4. Certificate used to re-encrypt proxy content after inspection (as type Proxy Authority)

It could also be necessary to import all of these certificates on each client device so that the last certificate is
also trusted by users.
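The chain described above, built and checked with the OpenSSL command line. This is an added example and not code from the WatchGuard page: a self-signed stand-in plays the prominent CA, and the subject names, file names, extension files and the use of a 2048-bit RSA key pair per link are assumptions for the demonstration (OpenSSL 1.1.1 or later is assumed to be installed). It verifies the proxy authority certificate and a certificate it re-signed against the full bundle, and again against a bundle with the smaller CA's certificate left out, which is the failure the import order above guards against.

```shell
#!/bin/sh
# Added example, not from the WatchGuard page. Builds the four-link chain the
# text describes with OpenSSL and checks that the proxy authority certificate
# verifies only when every link is present. Names and files are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal req config so `openssl req` works with -subj on any install.
printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' > req.cnf
# Extensions for CA links: marked as CA, allowed to sign certificates and CRLs.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
# Extensions for the re-signed server certificate at the end of the chain.
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'subjectAltName=DNS:www.example.com' > leaf.ext

# issue NAME SUBJECT ISSUER EXTFILE
# Fresh key pair and CSR for NAME, signed with ISSUER's private key
# (ISSUER=self gives a self-signed certificate, as for the root).
issue() {
  name=$1; subj=$2; issuer=$3; ext=$4
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
      -keyout "$name.key" -out "$name.csr" -subj "$subj" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
        -days 365 -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 365 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# verifies CERT TRUSTED_ROOT UNTRUSTED_BUNDLE
# 0 if CERT chains to the trusted root through the bundle, 1 otherwise.
verifies() {
  if openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

build_chain() {
  issue root  '/O=Prominent CA/CN=Prominent Root CA'           self  ca.ext
  issue inter '/O=Smaller CA/CN=Smaller Issuing CA'            root  ca.ext
  issue org   '/O=Example Org/CN=Example Org CA'               inter ca.ext
  issue proxy '/O=Example Org/CN=Example Org Proxy Authority'  org   ca.ext
  # What the proxy hands to a browser after content inspection.
  issue leaf  '/CN=www.example.com'                            proxy leaf.ext

  # The bundle in the import order from the text: root, smaller CA, org CA.
  cat root.pem inter.pem org.pem > chain.pem
  # What a client needs in order to trust a re-signed server certificate.
  cat chain.pem proxy.pem > chain-with-proxy.pem
  # The same, with the smaller CA's certificate missing.
  cat root.pem org.pem proxy.pem > chain-missing.pem
}

build_chain
verifies proxy.pem root.pem chain.pem            && echo "proxy authority: OK with full chain"
verifies leaf.pem  root.pem chain-with-proxy.pem && echo "re-signed leaf: OK with full chain"
verifies leaf.pem  root.pem chain-missing.pem    || echo "re-signed leaf: rejected, smaller CA link missing"
```

The bundle passed with -untrusted is the equivalent of the certificates imported as type Other; only the root is treated as trusted. Leaving out any intermediate produces an "unable to get issuer certificate" failure, which is exactly what a client shows when the device's proxy authority certificate was imported on its own.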

For more information, see Manage XTM Device Certificates.

How the XTM Device Uses Certificates


Your XTM device can use certificates for several purposes:

Management session data is secured with a certificate.


Branch Office VPN, Mobile VPN with IPSec, and Mobile VPN with L2TP tunnels can use certificates for
authentication.
When content inspection is enabled, some proxies use a certificate to re-encrypt incoming traffic
after it is decrypted for inspection.
You can use a certificate with the proxy to protect a web server on your network.
When a user authenticates with the XTM device for any purpose, such as a WebBlocker override, the
connection is secured with a certificate.
Wireless client authentication, when RADIUS or Firebox authentication is configured to use the WPA
Enterprise or WPA2 Enterprise authentication methods.

By default, your XTM device creates self-signed certificates to secure management session data and
authentication attempts for Fireware XTM Web UI and for proxy content inspection. To make sure the
certificate used for content inspection is unique, its name includes the serial number of your device and the
time at which the certificate was created. Because these certificates are not signed by a trusted CA, users on
your network see warnings in their web browsers.

You have three options to remove this warning:

1. You can import certificates that are signed by a CA your organization trusts, such as a PKI you have
already set up for your organization, for use with these features. We recommend that you use this
option if possible.
2. You can create a custom, self-signed certificate that matches the name and location of your
organization.
3. You can use the default, self-signed certificate.

For the second and third options, you can ask network clients to accept these self-signed certificates manually
when they connect to the XTM device. Or, you can export the certificates and distribute them with network
management tools. You must have WatchGuard System Manager installed to export certificates.

Certificate Lifetimes and CRLs


Each certificate has a set lifetime when it is created. When the certificate reaches the end of that lifetime,
it expires and is no longer accepted. You can also remove certificates manually with
Firebox System Manager (FSM).

Sometimes a CA revokes a certificate, that is, disables it before its lifetime expires. Your XTM device
keeps a current list of these revoked certificates, called the Certificate Revocation List (CRL), to verify that
certificates used for VPN authentication are valid. If you have WatchGuard System Manager installed, this list
can be updated manually with Firebox System Manager (FSM), or automatically, using the CRL location
information that a certificate carries. Each certificate includes a serial number that identifies it to its issuing
CA. If the serial number on a Web Server, BOVPN, Mobile VPN with IPSec, or Mobile VPN with L2TP
certificate matches an entry on its associated CRL, the XTM device disables the certificate.
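How a CRL entry disables a certificate, as an added example run against a small OpenSSL CA rather than the XTM device; this is not code from the page. The CA layout in ca.cnf, the names, and the VPN certificate's extensions are assumptions for the demonstration, and OpenSSL 1.1.1 or later is assumed. The check is the one the paragraph describes: the certificate's serial number is compared with the entries on the CRL, and openssl verify with -crl_check rejects the certificate once its serial is listed.

```shell
#!/bin/sh
# Added example, not from the WatchGuard page. Issues a VPN certificate from a
# small OpenSSL CA, revokes it, publishes a CRL, and shows that the serial
# number appearing on the CRL is what makes verification fail. The CA layout,
# names and extensions are constructed for the example.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal `openssl ca` setup: a flat-file database, a serial counter, and the
# extension sets for the CA certificate and for issued VPN certificates.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
new_certs_dir    = $dir
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign

[ v3_vpn ]
basicConstraints = critical,CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth,serverAuth
EOF
touch index.txt
echo 1000 > serial

# Self-signed organization CA; its key signs both certificates and CRLs.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj '/O=Example Org/CN=Example Org CA' \
    -days 365 2>/dev/null

# New key pair and CSR for the VPN endpoint, issued by the CA.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout vpn.key \
    -out vpn.csr -subj '/CN=vpn.example.com' 2>/dev/null
openssl ca -config ca.cnf -batch -notext -extensions v3_vpn \
    -in vpn.csr -out vpn.pem 2>/dev/null

# CRL as published before the revocation (empty), then revoke and republish.
openssl ca -config ca.cnf -gencrl -out before.crl 2>/dev/null
openssl ca -config ca.cnf -revoke vpn.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out after.crl 2>/dev/null

# cert_serial CERT: the certificate's serial number as hex.
cert_serial() {
  openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# serial_on_crl SERIAL CRL: 0 if the serial is listed as revoked on the CRL.
# This is the comparison the text describes: cert serial against CRL entries.
serial_on_crl() {
  openssl crl -noout -text -in "$2" | grep -q "Serial Number: $1\$"
}

# verifies_with_crl CERT CRL: 0 if CERT chains to ca.pem and is not revoked.
verifies_with_crl() {
  if openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" \
       >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

SERIAL="$(cert_serial vpn.pem)"
verifies_with_crl vpn.pem before.crl && echo "before revocation: serial $SERIAL accepted"
serial_on_crl "$SERIAL" after.crl    && echo "serial $SERIAL is now listed on the CRL"
verifies_with_crl vpn.pem after.crl  || echo "after revocation: certificate rejected"
```

Note that the CRL is only as fresh as the last copy the verifier fetched: a device that stops updating its CRL keeps accepting a certificate that the CA has since revoked, which is why the automatic update path matters.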

When content inspection is enabled on a proxy, the XTM device can check the OCSP (Online Certificate
Status Protocol) responder associated with the certificates used to sign the content. The OCSP responder
sends the revocation status of the certificate. The XTM device accepts the OCSP response if the response is
signed by a certificate the XTM device trusts. If the OCSP response is not signed by a certificate the XTM
device trusts, or if the OCSP responder does not send a response, then you can configure the XTM device to
accept or reject the original certificate. If you choose to accept, an attacker who can block traffic to the
responder can make a revoked certificate pass inspection, so prefer to reject unless responder availability
makes that impractical.

For more information about OCSP options, see HTTPS-Proxy: Content Inspection.

Certificate Authorities and Signing Requests


To obtain a certificate from a CA, you put the public key of a new cryptographic key pair in a certificate
signing request (CSR), sign the request with the matching private key, and send the request to the CA. The
private key stays on the device that generated it. Use a new key pair for each CSR you create. The CA issues
a certificate after it receives the CSR and verifies your identity. If you have FSM or Management Server
software installed, you can use these programs to create a CSR for your XTM device. You can also use other
tools, such as OpenSSL or the Microsoft CA Server that comes with most Windows Server operating systems.

To create a certificate for use with the HTTPS-proxy and SMTP-proxy content inspection features, you must
create a CA certificate that can re-sign other certificates. If you create a CSR with Firebox System Manager
and have it signed by a prominent CA, the certificate you receive is an end-entity certificate, not a CA
certificate, and cannot be used to re-sign content.
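The CSR workflow, and why a CSR signed by a prominent CA does not come back as a usable proxy CA certificate, as an added OpenSSL example that is not code from this page. A self-signed certificate stands in for the prominent CA; the names, file names and extension files are assumptions, and OpenSSL 1.1.1 or later is assumed. The example checks that the CSR carries only the public half of the new key pair, that the certificate issued from it is marked CA:FALSE, and that a certificate it tries to re-sign is rejected.

```shell
#!/bin/sh
# Added example, not from the WatchGuard page. Creates a CSR from a fresh key
# pair, has it signed the way a public CA signs a server request (end-entity,
# CA:FALSE), and shows the result cannot act as a proxy CA. The "prominent CA"
# is a self-signed stand-in; all names are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

printf '%s\n' '[ req ]' 'distinguished_name = dn' '[ dn ]' > req.cnf
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' > ee.ext

# Stand-in for the prominent CA (self-signed, CA:TRUE).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
    -out root.csr -subj '/O=Prominent CA/CN=Prominent Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem 2>/dev/null

# The device's CSR: a new key pair, the public half goes into the request and
# is signed with the private half (proof of possession); device.key stays put.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout device.key \
    -out device.csr -subj '/O=Example Org/CN=firebox.example.com' 2>/dev/null

# The prominent CA signs it as an ordinary end-entity certificate.
openssl x509 -req -in device.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ee.ext -out device.pem 2>/dev/null

# Try to use that certificate to re-sign a server certificate, as the proxy
# would for content inspection. The x509 tool will happily produce it...
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout site.key \
    -out site.csr -subj '/CN=www.example.com' 2>/dev/null
openssl x509 -req -in site.csr -CA device.pem -CAkey device.key \
    -CAcreateserial -days 365 -extfile ee.ext -out site.pem 2>/dev/null

# csr_key_matches CSR KEY: 0 if the public key in the CSR is the public half
# of KEY, i.e. the request was built from that key pair.
csr_key_matches() {
  [ "$(openssl req -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# is_ca CERT: 0 if the certificate's basic constraints mark it as a CA.
is_ca() {
  openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# chain_verifies CERT INTERMEDIATE: 0 if CERT chains to root.pem via INTERMEDIATE.
chain_verifies() {
  if openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

csr_key_matches device.csr device.key && echo "CSR carries the public half of device.key"
is_ca device.pem || echo "device.pem is an end-entity certificate (CA:FALSE)"
chain_verifies site.pem device.pem || echo "site.pem rejected: device.pem cannot act as a CA"
```

The ...but verification fails with "invalid CA certificate": a relying party honours the basic constraints the issuer set, not what the holder does with the key. A proxy authority therefore has to come from your own PKI (or be self-signed), which is the point the paragraph above makes.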

If you do not have a PKI set up in your organization, we recommend that you choose a prominent CA to sign
the CSRs you use, except for the proxy CA certificate. If a prominent CA signs your certificates, your
certificates are automatically trusted by most users. WatchGuard has tested certificates signed by VeriSign,
Microsoft CA Server, Entrust, and RSA KEON. You can also import additional certificates so that your XTM
device trusts other CAs.

For a complete list of automatically trusted CAs, see Certificate Authorities Trusted by the XTM Device.

In WatchGuard System Manager, the Management Server also operates as a CA. The CA gives certificates
to managed XTM devices when they contact the Management Server to receive configuration updates.

For more information, see Configure the Certificate Authority on the Management Server.

See Also

Create a Certificate with FSM or the Management Server

Create a CSR with OpenSSL

Import a Certificate on a Client Device

Use Certificates for the HTTPS-Proxy

SMTP-Proxy: TLS Encryption

Certificates for Branch Office VPN (BOVPN) Tunnel Authentication

Certificates for Mobile VPN with IPSec Tunnel Authentication


Manage XTM Device Certificates

Manage Certificates on the Management Server



© 2013 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered
trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.

