Certificate Authority Management

Certificate Authority (CA) entries are managed from System > Cert Manager, on the CAs tab.

Certificate Authority Settings

When creating or editing a CA entry, the following options are available:

Trust Store

Controls whether or not this CA is added to the certificate trust store on the firewall. When added to the trust store, a CA will be considered valid for all certificate operations performed by the operating system. If the firewall must contact a server using a certificate issued by a private CA, this allows such certificates to be trusted by client programs such as LDAP authentication, SMTP notifications, URL table connections, and many others.

Randomize Serial

Controls whether the CA randomizes serial numbers when it signs certificates or uses sequential serial numbers instead.

The current best practice is to randomize serial numbers so they are unpredictable. This also reduces the chances of generating two certificates with the same serial number in circumstances where the CA is moved between different hosts or signs certificates in multiple places.

Common Properties

See Certificate Properties which covers the remaining fields on the page.

When importing or editing an existing CA entry, the following options are available:

Certificate Data

The PEM-encoded certificate data for the CA.

Certificate data is typically contained in a file ending with .crt or .pem. It would be plain text, and enclosed in a block such as:

-----BEGIN CERTIFICATE-----
[A bunch of random-looking base64-encoded data]
-----END CERTIFICATE-----

The format varies slightly for ECDSA certificates.

Certificate Private Key

The PEM-encoded private key for the CA. If this is omitted, the CA cannot sign certificates or CRLs, but it can be used for other purposes. When empty, the CA is marked as “External”. The key can be filled in later to enable signing and to have the CA treated as “Internal”.

The key data is typically in a file ending in .key. It would be plain text data enclosed in a block such as:

-----BEGIN RSA PRIVATE KEY-----
[A bunch of random-looking base64-encoded data]
-----END RSA PRIVATE KEY-----

The format varies slightly for ECDSA keys.

Next Certificate Serial

The serial number of the next certificate, used when the CA is not set to randomize serial numbers.

It is essential that each certificate have a unique serial, or there will be problems later with certificate revocation. If the next serial is unknown, attempt to estimate how many certificates have been made from the CA, and then set the number high enough that a collision would be unlikely.
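As an added example (not part of this documentation), these are the checks an administrator can run with the openssl command line before pasting a CA into the fields above: what each PEM block actually contains, whether the key belongs to the certificate, whether the certificate is marked as a CA, and whether any serial has already been issued twice. The sample CA and leaf certificates are constructed by the script itself; the only assumption is that openssl is on PATH.

```shell
#!/bin/sh
# Pre-import and serial checks for a CA, using only the openssl CLI.
# Assumes openssl is on PATH. The CA and leaf certificates built below are
# constructed sample input; point the check functions at real files instead.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build a sample CA with the extensions a real CA needs (constructed data).
make_sample_ca() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = Example Internal CA' '[v3_ca]' \
    'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' > "$WORK/ca.cnf"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign a sample leaf certificate with an explicit serial (constructed data).
sign_sample_leaf() {  # $1 = name, $2 = serial (decimal)
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days 1 -out "$WORK/$1.crt" 2>/dev/null
}

# The PEM label says what the file holds: CERTIFICATE, RSA PRIVATE KEY,
# EC PRIVATE KEY or PRIVATE KEY (PKCS#8), so it goes into the right field.
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# Prints 1 when the private key belongs to the certificate, else 0.
key_matches_cert() {  # $1 = cert, $2 = key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] && echo 1 || echo 0
}

# Prints 1 when basicConstraints marks the certificate as a CA, else 0.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo 1 || echo 0; }

# Serial number in hex, the form the certificate list shows.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Lists serials issued more than once among the given certificates; the
# output must be empty before relying on revocation by serial.
duplicate_serials() { for f in "$@"; do cert_serial "$f"; done | sort | uniq -d; }
```

Run `make_sample_ca` and then `key_matches_cert "$WORK/ca.crt" "$WORK/ca.key"` to try the checks on the constructed data; for a real import, pass the .crt and .key files that are about to be pasted in.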

Create a new Certificate Authority Entry

To create a new CA entry, start the process as follows:

  • Navigate to System > Cert Manager, CAs tab

  • Click Add to create a new CA

  • Enter a Descriptive name for the CA

    This is used as a label for this CA throughout the GUI.

  • Select the Method that best suits how the CA will be generated

    Create an Internal Certificate Authority

    Creates a new root CA. Fill in the settings as described in Certificate Authority Settings.

    Import an Existing Certificate Authority

    Imports a CA certificate created on another host, with or without a private key. This is useful in two cases: for CAs made using another system, and for CAs made by others that must be trusted.

    Fill in the settings as described in Certificate Authority Settings.

    Note

    If the CA has been signed by an intermediary and not directly by a root CA, then import each entry in the chain separately, starting with the root CA.

    Create an Intermediate Certificate Authority

    Creates a new intermediate CA, to be signed by another internal CA on this firewall.

    Pick an existing internal CA for the Signing Certificate Authority and fill in the remaining settings as described in Certificate Authority Settings.

If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again.

Edit a Certificate Authority

To edit an existing CA:

  • Navigate to System > Cert Manager, CAs tab

  • Locate the CA entry in the list

  • Click the fa-pencil icon at the end of its row

The edit screen presented by the GUI allows editing the fields as if the CA were being imported.

For information on the fields on this screen, see Certificate Authority Settings. In most cases the purpose of this screen would be to add the CA to the trust store, correct the Serial of the CA if needed, or to add a key to an imported CA so it can be used to create and sign certificates and CRLs.

Export a Certificate Authority

To export a CA:

  • Navigate to System > Cert Manager, CAs tab

  • Locate the CA entry in the list

  • Click the fa-certificate icon at the end of its row to export the CA certificate.

    The file will download with the descriptive name of the CA as the file name, with the extension .crt.

  • Click the fa-key icon to export the private key for the CA if necessary

    The file will download with the descriptive name of the CA as the file name, with the extension .key.

    In most cases the private key for a CA would not be exported unless the CA is being moved to a new location or a backup is being made. When using the CA for a VPN or most other purposes, only export the certificate for the CA and do not export the key.

    Warning

    If the private key for a CA gets into the wrong hands, the other party could generate new certificates that would be considered valid against the CA.

Remove a Certificate Authority

To remove a CA, first it must be removed from active use.

  • Check areas that can use a CA, such as OpenVPN, IPsec, and packages.

    Note

    In most cases, the areas using a CA are noted in the In Use column of the CA list. This does not necessarily include all areas, especially if the CA is used by a package.

  • Remove entries utilizing the CA or select a different CA

  • Navigate to System > Cert Manager, CAs tab

  • Locate the CA entry in the list

  • Click fa-trash at the end of the row for the CA

    Note

    This icon will only be present if the CA is not in use.

  • Click OK on the confirmation dialog

Renew a Certificate Authority

To renew a CA entry:

  • Navigate to System > Cert Manager, CAs tab

  • Locate the CA entry in the list

  • Click fa-repeat at the end of the row for the CA

  • Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate