User Guide 59
CHAPTER 7 Managing Certificates and the
When you create a VPN tunnel, you can select from two types of tunnel authentication: shared secrets or
certificates. A certificate is an electronic document that contains a public key. The public key verifies that
the certificate is legitimate. A Certificate Authority (CA) is a trusted third-party that gives certificates to
clients. In WatchGuard® System Manager, the workstation that is configured as the Management Server
also operates as a CA. The CA on the Management Server can give certificates to managed Firebox clients
when the Management Server creates VPN tunnels.
Certificate Authorities are a component of a system of key creation, key management and certification
with the name Public Key Infrastructure (PKI). The PKI supplies certificate and directory services that can
create, supply, keep, and when necessary revoke the certificates.
Certificates usually give more security than shared secrets during the authentication procedure.
Public Key Cryptography and Digital Certificates
Public key cryptography is a central component of a PKI. This cryptographic system includes two mathe-
matically related keys, known as an asymmetric key pair. The user keeps one key, the private key, secret.
The user can supply the other key, known as the public key, to other users.
The keys in the key pair go together. Only the owner of the private key can decrypt data encrypted with
the public key. Any person with the public key can decrypt data encrypted with the private key.
Certificates are used to make sure public keys are valid. Certificates contain a digital signature created
with the public key of a CA certificate. The validity of a certificate can be verified by looking at its digital
Certificates have a lifetime that is set when they are created. But certificates are occasionally revoked
before the end date and time that was set for their lifetime. The CA keeps an online, current list of
revoked certificates. This list is the certificate revocation list (CRL).
PKI in a WatchGuard VPN
To authenticate VPN tunnels with certificates, you must first configure a Management Server. When you
configure the Management Server, the CA is automatically activated. Each managed Firebox client