Managing the Certificate Authority
Management Server CA Certificate
Print a copy of the Management Server CA certificate to the screen. You can then manually save
it to the client. You can use this for client access to the authentication Web page.
Generate a New Certificate
Type a subject common name, organizational unit, password, and certificate lifetime to make a
- For MUVPN users, the common name must agree with the user name of the remote user.
- For Firebox® users, the common name must agree with the Firebox identifying information
(normally, its IP address).
- For a generic certificate, the common name is the name of the user.
Type the organizational unit only if you make certificates for MUVPN users. Do not use this for other
types of VPN tunnels. The unit name must appear in this format:
GW:<vpn gateway name>
where <vpn gateway name> is the value of config.watchguard.id in the configuration file of the
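
The naming rules above can be checked before a certificate is generated. The following is an added example, not code from the guide or the product: it audits a list of requested subjects against the common name and organizational unit rules. The type labels ("muvpn", "firebox", "generic"), the function names, and the sample requests are assumptions constructed for illustration.

```python
import re

# Organizational unit format given in the guide: GW:<vpn gateway name>
OU_PATTERN = re.compile(r"GW:(?P<gateway>.+)")
CERT_TYPES = ("muvpn", "firebox", "generic")  # labels assumed for this example

def check_subject(cert_type, common_name, org_unit, expected_name, gateway_id=None):
    """Return a list of problems with a requested certificate subject.

    expected_name -- remote user name (MUVPN, generic) or the Firebox
                     identifying information, normally its IP address
    gateway_id    -- value of config.watchguard.id; checked only for MUVPN
    """
    if cert_type not in CERT_TYPES:
        return [f"unknown certificate type {cert_type!r}"]
    problems = []
    # The common name must agree exactly; stray whitespace counts as a mismatch.
    if common_name != expected_name:
        problems.append(f"common name {common_name!r} does not match {expected_name!r}")
    if cert_type == "muvpn":
        m = OU_PATTERN.fullmatch(org_unit or "")
        if m is None:
            problems.append("organizational unit must use the form GW:<vpn gateway name>")
        elif gateway_id is not None and m.group("gateway") != gateway_id:
            problems.append(f"gateway {m.group('gateway')!r} is not {gateway_id!r}")
    elif org_unit:
        # The guide says not to set the unit for other types of VPN tunnels.
        problems.append("organizational unit is only for MUVPN certificates")
    return problems

# Constructed sample requests: (type, common name, organizational unit, expected name)
REQUESTS = [
    ("muvpn", "alice", "GW:hq-gateway", "alice"),
    ("muvpn", "bob", "hq-gateway", "bob"),                     # missing GW: prefix
    ("firebox", "192.0.2.10", "GW:hq-gateway", "192.0.2.10"),  # unit on a non-MUVPN cert
    ("muvpn", "carol ", "GW:branch", "carol"),                 # trailing space, wrong gateway
]

def audit(requests, gateway_id):
    """Map request index -> list of problems, for requests that fail a rule."""
    findings = {}
    for index, request in enumerate(requests):
        problems = check_subject(*request, gateway_id=gateway_id)
        if problems:
            findings[index] = problems
    return findings

if __name__ == "__main__":
    for index, problems in audit(REQUESTS, "hq-gateway").items():
        print(index, REQUESTS[index][1], problems)
```
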
Find and Manage Certificates
Enter the serial number, common name, or organizational unit of a certificate to find in the
database. Alternatively, instead of searching for a specific certificate, you can limit the search to
only active, revoked, or expired certificates. The results of the search show on the List Certificates
List and Manage Certificates
See a list of certificates that are in the database. Select the certificates to publish, revoke, put
back, or remove. For information about how to manage certificates, see the section that follows.
Upload Certificate Request
Use this page to sign a certificate request from a different device. Type in the common name and
organizational unit of the subject and select browse to find the CSR (Certificate Signing Request)
Publish a Certificate Revocation List (CRL)
Make the CA publish the CRL to all clients with current certificates. A Managed Firebox client
cannot create a VPN tunnel if it uses a certificate that is on the CRL to authenticate.
Managing certificates with the CA Manager
You use the List and Manage Certificates page to publish, revoke, put back, or remove certificates:
1. From the List and Manage Certificates page, select the serial number of the certificate to change.
The certificate data appears.
2. From the Choose Action drop-down list, select one of the subsequent alternatives and then select
Publishes the certificate in Privacy Enhanced Mail (PEM) format, which uses a protocol for safe
Internet e-mail. This lets you save the certificate to a record and upload it to a third-party unit.
Publishes the certificate in PKCS12 format. Most Web browsers use this format. This lets you save
the certificate to a record and upload it to a third-party unit.