Certificate Authority Management¶
Certificate Authority (CA) entries are managed from System > Certificates, on the CAs tab.
Certificate Authority Settings¶
When creating or editing a CA entry, the following options are available:
- Trust Store:
Controls whether or not this CA is added to the certificate trust store on the firewall. When added to the trust store, a CA will be considered valid for all certificate operations performed by the operating system. If the firewall must contact a server using a certificate issued by a private CA, this allows such certificates to be trusted by client programs such as LDAP authentication, SMTP notifications, URL table connections, and many others.
- Randomize Serial:
Controls whether or not the CA will randomize serial numbers when it signs certificates or if it will use a sequential serial number.
The current best practice is to randomize serial numbers so they are unpredictable. This also reduces the chances of generating two certificates with the same serial number in circumstances where the CA is moved between different hosts or signs certificates in multiple places.
- Common Properties:
See Certificate Properties which covers the remaining fields on the page.
When importing or editing an existing CA entry, the following options are available:
- Certificate Data:
The PEM-encoded certificate data for the CA.
Certificate data is typically contained in a file ending with .crt or .pem. It is plain text enclosed in a block such as:
-----BEGIN CERTIFICATE-----
[base64-encoded data]
-----END CERTIFICATE-----
The certificate block carries the same CERTIFICATE label whether the CA key is RSA or ECDSA; only the private key block (below) differs between the two.
- Certificate Private Key:
The PEM-encoded private key for the CA. If this is omitted, the CA cannot sign certificates or CRLs, but it can still be used for other purposes such as trusting certificates it has issued. When empty, the CA is marked as “External”. The key can be filled in later to enable signing, at which point the CA is treated as “Internal”.
The key data is typically in a file ending in .key. It is plain text enclosed in a block such as:
-----BEGIN RSA PRIVATE KEY-----
[base64-encoded data]
-----END RSA PRIVATE KEY-----
The label varies with the key type and encoding: an ECDSA key in this traditional form is enclosed in -----BEGIN EC PRIVATE KEY----- / -----END EC PRIVATE KEY-----, and a key exported in PKCS#8 form carries the label PRIVATE KEY for either algorithm.
- Next Certificate Serial:
The serial number of the next certificate, used when the CA is not set to randomize serial numbers.
It is essential that each certificate have a unique serial: a CRL identifies revoked certificates by serial number, so two certificates sharing a serial make revocation ambiguous. If the next serial is unknown, estimate how many certificates have been issued by the CA and set the number well above that so a collision is unlikely, or enable Randomize Serial so sequential numbering is no longer used.
Create a new Certificate Authority Entry¶
To create a new CA entry, start the process as follows:
Navigate to System > Certificates, CAs tab
Click Add to create a new CA
Enter a Descriptive name for the CA
This is used as a label for this CA throughout the GUI.
Select the Method that best suits how the CA will be generated
- Create an Internal Certificate Authority:
Creates a new root CA. Fill in the settings as described in Certificate Authority Settings.
- Import an Existing Certificate Authority:
Imports a CA certificate created on another host, with or without a private key. This is useful in two cases: CAs created on another system that this firewall must also use, and CAs operated by others whose certificates must be trusted (for example, the CA that issued the certificate of an LDAP or VPN peer).
Fill in the settings as described in Certificate Authority Settings.
Note
If the CA has been signed by an intermediary and not directly by a root CA, then import each entry in the chain separately, starting with the root CA.
- Create an Intermediate Certificate Authority:
Creates a new intermediate CA, to be signed by another internal CA on this firewall.
Pick an existing internal CA for the Signing Certificate Authority and fill in the remaining settings as described in Certificate Authority Settings.
If errors are reported, such as invalid characters or other input problems, they will be described on the screen. Correct the errors, and attempt to Save again.
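The checks a practitioner would run on CA material before importing it, as an added example that is not part of the pfSense documentation or code: it uses the openssl CLI (OpenSSL 1.1.1 or newer is assumed) to read the PEM block label, confirm that a private key actually belongs to a CA certificate, read certificate serial numbers, and verify a chain with the root as the only trust anchor, which is the order the note above asks for when importing an intermediate. The root, intermediate and leaf are throwaway test material built inside the script, not real CAs; the file and function names are the example's own.

```sh
#!/bin/sh
# Added example; not part of the pfSense documentation or code. Uses the openssl
# CLI (1.1.1 or newer assumed) to sanity-check CA material before importing it.
# All certificates and keys are throwaway test material built by build_test_pki.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Label of the first PEM block in a file: "CERTIFICATE" for any X.509 certificate,
# "RSA PRIVATE KEY" (PKCS#1), "EC PRIVATE KEY" (SEC1) or "PRIVATE KEY" (PKCS#8).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# True only if the private key belongs to the certificate: the public key
# embedded in the certificate must equal the one derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Serial number of a certificate as uppercase hex, without the "serial=" prefix.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Verify a chain the way a relying party does: the self-signed root is the trust
# anchor, intermediates are supplied as untrusted, and the leaf is the target.
# A non-self-signed CA given as the only trust anchor makes this fail.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Minimal req config so the example does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
}

# Throwaway PKI: RSA root, ECDSA intermediate with a fixed sequential-style
# serial, and a leaf with a random 128-bit serial.
build_test_pki() {
    write_req_config
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=Example Root CA" \
        -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=Example Intermediate CA" \
        -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -set_serial 0x1000 -days 1825 -sha256 -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.crt" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=leaf.example" \
        -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -set_serial "0x$(openssl rand -hex 16)" -days 365 -sha256 \
        -out "$WORK/leaf.crt" 2>/dev/null
}

build_test_pki
echo "root cert block: $(pem_label "$WORK/root.crt")"
echo "inter key block: $(pem_label "$WORK/inter.key")"
echo "inter serial:    $(cert_serial "$WORK/inter.crt")"
echo "leaf serial:     $(cert_serial "$WORK/leaf.crt")"
key_matches_cert "$WORK/root.crt" "$WORK/root.key" && echo "root key matches root cert"
chain_verifies "$WORK/root.crt" "$WORK/inter.crt" "$WORK/leaf.crt" && echo "chain verifies with the root as trust anchor"
chain_verifies "$WORK/inter.crt" "$WORK/inter.crt" "$WORK/leaf.crt" || echo "chain fails when only the intermediate is trusted"
```

The last two lines are the point of the import note: the leaf only validates once the self-signed root is present as a trust anchor, so import the root first and the intermediate after it. The key_matches_cert check is worth running on any .key pasted into the Certificate Private Key field, since a key that does not belong to the certificate is only discovered later when signing fails or peers reject the issued certificates.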
Edit a Certificate Authority¶
To edit an existing CA:
Navigate to System > Certificates, CAs tab
Locate the CA entry in the list
Click the icon at the end of its row
The edit screen presented by the GUI allows editing the fields as if the CA were being imported.
For information on the fields on this screen, see Certificate Authority Settings. In most cases the purpose of this screen would be to add the CA to the trust store, correct the Serial of the CA if needed, or to add a key to an imported CA so it can be used to create and sign certificates and CRLs.
Export a Certificate Authority¶
To export a CA:
Navigate to System > Certificates, CAs tab
Locate the CA entry in the list
Click the icon at the end of its row to export the CA certificate.
The file will download with the descriptive name of the CA as the file name and the extension .crt.
Click the icon to export the private key for the CA if necessary
The file will download with the descriptive name of the CA as the file name and the extension .key.
In most cases the private key for a CA would not be exported unless the CA is being moved to a new location or a backup is being made. When using the CA for a VPN or most other purposes, export only the certificate for the CA and do not export the key.
Warning
If the private key for a CA gets into the wrong hands, the holder can sign new certificates (and CRLs) that every client, server, or firewall trusting the CA will accept as valid.
Remove a Certificate Authority¶
To remove a CA, first it must be removed from active use.
Check areas that can use a CA, such as OpenVPN, IPsec, and packages.
Note
In most cases, the areas using a CA are noted in the In Use column of the CA list. This does not necessarily include all areas, especially if the CA is used by a package.
Remove entries utilizing the CA or select a different CA
Navigate to System > Certificates, CAs tab
Locate the CA entry in the list
Click at the end of the row for the CA
Note
This icon will only be present if the CA is not in use.
Click OK on the confirmation dialog
Renew a Certificate Authority¶
To renew a CA entry:
Navigate to System > Certificates, CAs tab
Locate the CA entry in the list
Click at the end of the row for the CA
Follow the rest of the renewal procedure as described in Renew or Reissue a CA or Certificate