Renewing the SSL Certificate on a WatchGuard Firewall v10.2
My employer has a WatchGuard firewall. It is fairly stalwart and works for our business application. This week I needed to renew the SSL certificate and so I thought I would go over that process in case someone else could gain from my experience. The initial steps are the most arduous so I felt the need to give those more attention.
The first step in this process is to generate a Certificate Signing Request (CSR), in order to submit it to your Certificate Authority, which in my case is GeoTrust. I did this using OpenSSL, which comes on most newer distributions of Linux, in my case Ubuntu. Here are the steps from WatchGuard’s support pages:
“You can use OpenSSL to convert certificates and certificate signing requests from one format to another. For more information, see the OpenSSL man page or online documentation.
- Open a command line interface terminal.
- Type openssl genrsa -out privkey.pem 1024 to generate a private key file called privkey.pem in your current working directory.
- Type openssl req -new -key privkey.pem -out request.csr. This command generates a CSR in the PEM format in your current working directory.
- When you are prompted for the x509 Common Name attribute information, type your fully-qualified domain name (FQDN). Use other information as appropriate.
- Follow the instructions from your certificate authority to send the CSR.
To create a temporary, self-signed certificate until the CA returns your signed certificate, type at the command line:
openssl x509 -req -days 30 -in request.csr -signkey privkey.pem -out sscert.cert
This command creates a certificate inside your current directory that expires in 30 days.”
Followed exactly, these instructions generate a 1024-bit RSA key. I believe most newer security standards and firewalls will advise you to utilize a key with a length of 2048. Public CAs no longer sign requests for 1024-bit keys (the CA/Browser Forum Baseline Requirements set the minimum RSA size at 2048 bits), so change the 1024 in the genrsa command to 2048 before generating the CSR. Note also that the self-signed command takes the private key via -signkey privkey.pem; OpenSSL 3 accepts -key as an alias, but older releases reject it.
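The same procedure as a script, added here as an example and not taken from WatchGuard’s documentation or from the original post: it uses a 2048-bit key, answers the subject prompts non-interactively, and checks the CSR before you paste it into the CA’s form. The FQDN fw.example.com, the subject fields and the script name make-csr.sh are placeholders; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not WatchGuard's or the original author's code): generate a
# 2048-bit RSA key and CSR for the firewall without the interactive prompts,
# then check the CSR before submitting it. fw.example.com and the subject
# fields below are placeholders; substitute your own values.
set -eu

# make_csr DIR FQDN -> writes DIR/privkey.pem (owner-readable only) and DIR/request.csr
make_csr() {
    dir=$1
    fqdn=$2
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null )
    # -subj answers the prompts; the CN must be the name clients will connect to
    openssl req -new -key "$dir/privkey.pem" -out "$dir/request.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Corp/CN=$fqdn" 2>/dev/null
}

# csr_key_bits FILE -> prints the RSA key size recorded in the CSR (expect 2048)
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# csr_cn FILE -> prints the Common Name from the CSR subject
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_ok FILE KEY -> succeeds if the CSR's self-signature verifies and its
# public key is the one in KEY, so the CA's certificate will match the key
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$csr_pub" = "$key_pub" ]
}

# make_temp_cert DIR -> self-signed 30-day stand-in until the CA's cert arrives
# (-signkey is the option name; OpenSSL 3 also accepts -key as an alias)
make_temp_cert() {
    openssl x509 -req -days 30 -in "$1/request.csr" -signkey "$1/privkey.pem" \
        -out "$1/sscert.cert" 2>/dev/null
}

# Usage: sh make-csr.sh fw.example.com   (writes privkey.pem and request.csr here)
if [ $# -ge 1 ]; then
    make_csr . "$1"
    csr_ok ./request.csr ./privkey.pem &&
        echo "CSR for $(csr_cn ./request.csr) ($(csr_key_bits ./request.csr)-bit) verified; submit request.csr"
fi
```

The csr_ok check matters because the key pair generated here is what the Firebox will eventually use; if the CSR and key ever get out of step (regenerated key, wrong directory), the CA returns a certificate that the key cannot serve. Keep privkey.pem readable only by you; anyone holding it can impersonate the firewall once the certificate is issued.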
Once the CSR is created, you need to give it to the CA so they can process it and return a certificate. You ask, how do I do that? Well, I’m sure it is a bit different for each CA. I did mine by cutting and pasting the actual CSR into the window on the GeoTrust page. Paste the entire contents of request.csr, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. The figure at the beginning of this post illustrates this process and also shows an example of a generated CSR.
After submitting the request to your CA, provided the CSR was accepted and contained the correct information, you will receive your certificate along with an intermediate certificate that must also be installed on the Firebox. The certificates came at the bottom of an email from GeoTrust shortly after the submission, in the actual body of the email.
The easiest way I found to import them into the Firebox System Manager was to turn each certificate into an actual certificate file. This was done by right-clicking on the desktop of the server, creating a new text file, pasting the certificate from the email into it, and saving it with a .CER extension so that the icon changes to a small picture of a certificate. I did this with the actual certificate and the intermediate certificate that GeoTrust sent me.
After this, I opened the Firebox System Manager, clicked on the Certificates button, clicked the Import Certificate button, chose the new certificate and clicked Import. Repeat this step for the intermediate and the root CA certificate, and voilà, it is done. You can verify by looking at the list of certificates loaded into the WatchGuard, making sure that the applicable certificates are loaded, where they came from, when they expire, etc.
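Before importing, it is worth confirming that the three files actually belong together. The script below is an added example, not from the original post or from WatchGuard: it checks that the certificate carries your private key’s public half, that it chains through the intermediate to the root, that it is not about to expire, and it splits a message with several PEM blocks into separate files. Because it has to run offline, make_chain() fabricates a throwaway root, intermediate and firewall certificate to stand in for what the CA e-mails you; with real files you skip that and pass the CA’s files to the check functions. The names check-chain.sh, fw.example.com and the example CA names are placeholders, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post or from WatchGuard: sanity-check
# the certificate, intermediate and root before importing them into the Firebox.
# make_chain() builds constructed test data (a throwaway root -> intermediate ->
# fw.example.com) so the checks can be exercised offline.
set -eu

# split_pem IN PREFIX -> writes the Nth PEM block in IN to PREFIX.N, for when
# the CA sends several certificates pasted together in one message
split_pem() {
    awk -v p="$2" '/-----BEGIN/ { n++ } n > 0 { print > (p "." n) }' "$1"
}

# key_matches CERT KEY -> true if CERT carries KEY's public key
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# check_chain CERT INTERMEDIATE ROOT -> true if CERT is signed by INTERMEDIATE
# and INTERMEDIATE by ROOT; fails if the intermediate is missing or wrong
check_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# valid_for_days CERT DAYS -> true if CERT does not expire within DAYS days
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_cn CERT -> the Common Name, which must be the firewall's FQDN
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# make_chain DIR -> constructed test data: root.cer/key, int.cer/key, fw.cer/key
make_chain() {
    d=$1
    # an intermediate must be marked as a CA or openssl verify rejects the chain
    printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.cer" \
        -days 3650 -subj "/CN=Example Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.cer" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -days 1825 -out "$d/int.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/fw.key" -out "$d/fw.csr" \
        -subj "/CN=fw.example.com" 2>/dev/null
    openssl x509 -req -in "$d/fw.csr" -CA "$d/int.cer" -CAkey "$d/int.key" -CAcreateserial \
        -days 365 -out "$d/fw.cer" 2>/dev/null
}

# Usage: sh check-chain.sh fw.cer int.cer root.cer privkey.pem
if [ $# -eq 4 ]; then
    key_matches "$1" "$4"      && echo "certificate matches private key"
    check_chain "$1" "$2" "$3" && echo "chain to root verifies"
    valid_for_days "$1" 30     && echo "valid for at least 30 days; CN=$(cert_cn "$1")"
fi
```

Two things these checks catch that the Firebox’s certificate list will not show you: a certificate issued for a different CSR than the key you hold, and an intermediate from the wrong CA chain (CAs rotate intermediates, and the one in an old e-mail is not necessarily the one that signed this certificate). Remember also that the certificate is only usable together with privkey.pem from the CSR step; since that key was generated off-box with OpenSSL, it has to reach the Firebox as well, following WatchGuard’s import instructions for certificates with private keys.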
For myself, this is a process that I do not do very often and always takes some brushing up for me. If anyone has comments, corrections, updates, or suggestions I am always open to them :) Thanks for reading.