Changing Credentials and Keys¶
Organizations may have guidelines about how often to change credentials such as passwords and encryption keys. Different types of credentials and keys are stored in various places in the configuration, and changing them can range from trivial to cumbersome depending on the type and how the firewall uses them.
These types of guidelines can vary widely based on various industry recommendations, certification standards, and other criteria. Due to these variations, this document won’t make any specific commentary on timing of such changes.
User Manager Accounts¶
Administrators can change the password for their own account and for accounts of other users in the User Manager:
Navigate to System > User Manager
Find the user account in the list
Click at the end of the row to edit the user account
Enter a new Password and enter it again in the Confirm Password field.
Click Save
Unprivileged Users¶
Non-administrator users with accounts in the user manager who have the “WebCfg - System: User Password Manager” privilege can log in to the GUI with their existing username and password and change the password for their own account to a new value in the same place (System > User Manager).
The GUI displays a simplified form for these users with only the password change fields.
Warning
Do not expose the GUI to the Internet. Only allow users to reach the firewall GUI from a local interface or using a secure VPN.
Authentication Servers¶
User authentication may be handed off to external authentication servers. In this case the user credentials must be changed on the authentication server. However, there may be credentials the firewall itself uses when communicating with the authentication servers.
LDAP¶
LDAP servers may have two items to update, depending on the configuration:
TLS Certificate¶
If communication with the LDAP server uses TLS (STARTTLS or dedicated TLS port) then there may be occasions when the server CA expires or needs to be changed. If there is a new server CA, replace the CA data in the Certificate Manager:
Navigate to System > Certificates, CAs tab
Find the LDAP server CA in the list
Click to edit the CA
Paste in the new CA certificate and/or private key data in PEM format
Click Save
Alternately, import a new CA entry, then edit the LDAP authentication server entry and switch to the new CA.
Bind Credentials¶
LDAP authentication servers may use authenticated or anonymous binds when validating LDAP users. If the entry uses bind credentials, these may change over time.
To update the bind credentials:
Navigate to System > User Manager, Authentication Servers tab
Find the LDAP server entry in the list
Click to edit the LDAP server entry
Enter the new Bind credentials (User DN, Password)
Click Save
RADIUS¶
RADIUS authentication servers have a Shared Secret (sometimes called a NAS password) which allows the firewall to perform authentication requests. If the shared secret for the firewall is changed on the RADIUS server, update the RADIUS authentication server entry on the firewall to match:
Navigate to System > User Manager, Authentication Servers tab
Find the RADIUS server entry in the list
Click to edit the RADIUS server entry
Enter the new Shared Secret
Click Save
Interfaces¶
A few interface types can have credentials as well. For WANs, these should be changed with the ISP first and then updated on the firewall to match.
PPP type WANs¶
These types of WANs (e.g. PPPoE, L2TP, PPP/Cellular) can be changed in either of two places: the interface configuration or the PPPs configuration.
Choose one of the following methods and update the credentials there.
Interface Method¶
Navigate to Interfaces > <Name> for the interface in question
Enter the new Username, Password, and Confirm Password
Click Save
Click Apply Changes
PPPs Configuration Method¶
Navigate to Interfaces > Assignments, PPPs tab
Find the entry in the list
Click to edit the entry
Enter the new Username, Password, and Confirm Password
Click Save
Wireless WANs¶
If the upstream wireless provider changes the pre-shared key or 802.1x/EAP passphrase, a wireless WAN must change to match the new value(s):
Navigate to Interfaces > <Name> for the interface in question
Enter the new WPA Pre-Shared Key and/or Inner Authentication Passphrase
Click Save
Click Apply Changes
Wireless APs¶
WPA2¶
Access Points using WPA/WPA2 should periodically change the pre-shared key:
Navigate to Interfaces > <Name> for the interface in question
Enter the new WPA Pre-Shared Key
Click Save
Click Apply Changes
Clients will need to enter the new key to reconnect.
802.1x¶
Access Points using 802.1x/EAP may need to update the RADIUS shared secret if it changes on the RADIUS server.
Navigate to Interfaces > <Name> for the interface in question
Enter the new Shared Secret for the Primary 802.1x server and/or Secondary 802.1x server
Click Save
Click Apply Changes
Certificate Data and Private Keys¶
CA and Certificate entries have built-in expiration dates and can be easily renewed in the GUI. On occasion it may be necessary to change the private key for a CA or certificate as well.
Warning
When renewing a CA, changing the private key or serial number will invalidate any certificate signed by the CA as these are part of the data used to validate the trust chain.
To renew a CA or certificate and generate a new private key:
Navigate to System > Certificates, CAs or Certificates tab
Find the entry to renew
Click to start the renewal process
Uncheck Reuse Key
With this option unchecked, the renewal process will generate a brand new private key for the certificate. This is generally safe for server and user certificates but can be problematic for CAs as mentioned previously.
Inspect the Certificate Properties
If any are considered weak, consider checking Strict Security to use the recommended properties for stronger security.
Click Renew/Reissue
If the entry is a CA, send the new CA to clients that need it. Assuming the key and serial were reused, clients can continue using the old CA until it expires, but they will need to replace their local copy of the CA before that date arrives.
Note
When renewing the self-signed GUI certificate, it is safe to replace the key, and using a new serial number is required.
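The effect described in the warning above can be reproduced with the openssl command line. The script below is an added example, not part of the pfSense documentation or of pfSense itself; it assumes the openssl CLI is installed and uses constructed subject names. It issues a server certificate from a test CA, then shows that a CA renewal which reuses the key and serial (the Reuse Key case) leaves the server certificate verifiable, while a renewal that generates a new CA key breaks the trust chain.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation. Reproduces the warning
# about CA renewal: a server certificate keeps verifying against a CA renewed
# with the same key and serial, but not against a CA renewed with a new key.
# Assumes the openssl CLI is installed; all names below are constructed.

CA_SUBJ="/CN=Example Internal CA"          # constructed CA subject
LEAF_SUBJ="/CN=server.example.internal"    # constructed server name

# Create a self-signed CA: $1 = new key file, $2 = certificate file.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$CA_SUBJ" -days 30 >/dev/null 2>&1
}

# Re-sign a CA certificate with its existing key, keeping the old serial.
# $1 = existing CA key, $2 = old CA cert (source of the serial), $3 = renewed cert.
renew_ca_reuse_key() {
    serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
    openssl req -x509 -new -key "$1" -out "$3" -subj "$CA_SUBJ" -days 60 \
        -set_serial "0x$serial" >/dev/null 2>&1
}

# Issue a server certificate: $1 = CA key, $2 = CA cert, $3 = leaf key, $4 = leaf cert.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$3" -out "$4.csr" \
        -subj "$LEAF_SUBJ" >/dev/null 2>&1
    openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$1" -CAcreateserial \
        -out "$4" -days 7 >/dev/null 2>&1
}

# Exit status 0 if leaf cert $2 chains to CA cert $1, non-zero otherwise.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Runs the scenario in a scratch directory and prints one summary line;
# "same-key:ok new-key:fail" is the expected result.
demo_ca_key_rotation() {
    w=$(mktemp -d) || return 2
    make_ca "$w/ca.key" "$w/ca.crt"
    issue_leaf "$w/ca.key" "$w/ca.crt" "$w/server.key" "$w/server.crt"

    # Renewal with Reuse Key checked: same key and serial, new validity period
    renew_ca_reuse_key "$w/ca.key" "$w/ca.crt" "$w/ca-renewed.crt"
    if verify_leaf "$w/ca-renewed.crt" "$w/server.crt"; then r1=ok; else r1=fail; fi

    # Renewal with Reuse Key unchecked: brand new key, so the signature on
    # server.crt no longer matches the CA and the chain fails to validate
    make_ca "$w/ca-new.key" "$w/ca-new.crt"
    if verify_leaf "$w/ca-new.crt" "$w/server.crt"; then r2=ok; else r2=fail; fi

    rm -rf "$w"
    echo "same-key:$r1 new-key:$r2"
}

# demo_ca_key_rotation    # prints: same-key:ok new-key:fail
```

The same check (openssl verify with the renewed CA as the only trusted certificate) is a useful pre-flight before distributing a renewed CA, since it confirms whether existing client and server certificates will survive the renewal or must be reissued.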
VPNs¶
For optimal security, changing VPN keys periodically is a good practice. The practicality of doing so largely depends on the size of the VPN (e.g. a simple two-site point-to-point link vs a remote access setup with dozens of users).
In any case, the most important thing is to coordinate the change with the remote peer(s) so all parties are using the correct keys.
IPsec Certificates¶
An IPsec tunnel using certificate-based authentication will have two certificates that may need to be changed: My Certificate, which is used by this firewall to identify itself, and Peer Certificate Authority, which this firewall uses to authenticate the peer.
If the CA or certificate was created on this firewall, the entry can be renewed as described in Certificate Data and Private Keys.
To update a CA or Certificate entry in-place with data from a remote source:
Navigate to System > Certificates, CAs or Certificates tab
Find the entry in the list
Click to edit the entry
Paste in the new certificate and/or private key data in PEM format
Click Save
Alternately, renew, create, or import a new CA/Certificate, then select the new entry:
Navigate to VPN > IPsec
Locate the VPN tunnel in the list
Click to edit the tunnel Phase 1 entry
Select the new My Certificate and/or Peer Certificate Authority entries
Click Save
Click Apply Changes
WireGuard¶
To set a new key for a tunnel:
Navigate to VPN > WireGuard, Tunnels tab
Find the entry in the list
Click to edit the entry
Enter a new private key
Alternately, click Generate to automatically generate a new key pair.
Click Save Tunnel
Warning
The tunnel will be down until the remote peer(s) update their configurations with the new public key.
If a peer changes their key, edit the peer and update:
Navigate to VPN > WireGuard, Peers tab
Find the entry in the list
Click to edit the entry
Enter a new Public Key
Click Save Tunnel
Another strategy for remote access setups is to make a new tunnel with settings similar to the old one. It must have a unique port number and interface addresses but it can otherwise use the same settings. Place the new keys on the new server and exchange new keys with clients. Once all clients are on the new server, retire the old entry and remove all of its contents.
OpenVPN¶
Warning
Shared Key mode is deprecated; move to certificate-based tunnels.
OpenVPN tunnels using certificates can, for the most part, be handled by methods already covered in this document. For example, if the CA or certificate was created on this firewall, the entry can be renewed as described in Certificate Data and Private Keys and the warnings there still apply.
Consider generating a new TLS auth/encryption key periodically as well:
From an SSH or console shell prompt, or Diagnostics > Commands, run the following shell command:
$ openvpn --genkey secret
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
aed37de925b750e934efbcca1f342267
a428f6ee2bd677a25c0f2815f04c1d53
ba5c7a268c6b351312ee8753fa757204
50c274de24a70b199e5f4f2c094f48cf
3fbcdca14bbb1344ca042288766201ca
f057300e97c70b78aaec9385877d87d5
ad4e8a3bda1d528a03130117d63d1ed6
cd5fdfda0ee41d1d039dcbd458a58666
793a72d3393d57b906b2ee2d03748516
6a401d162c1d0da2b83d689eb5cb9a12
285b17b2de3bb816eb927e890696350e
ae6328485b4d02e4adbe4f867a4871c4
61af2d62e4693e4a334f5e540d9b5e9c
82e6f9c9b833ac8b2f83f025e48822cd
c1f8a7cc57cfb60a5adda5a3287d128c
f0a29f14cb4e1e7fda8174c4a7226252
-----END OpenVPN Static key V1-----
Copy the resulting text including the # header lines and the ----- armor lines.
Navigate to VPN > OpenVPN, Servers tab
Find the entry in the list
Click to edit the entry
Erase the existing TLS key
Paste in the new TLS key
Click Save
Warning
Coordinate with all clients as changing it on the server will require clients to use the new key immediately!
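Because a truncated paste of the TLS key breaks every client at once, it is worth checking that the copied text is complete before saving it on the server. The script below is an added example, not part of the pfSense documentation or of pfSense itself; it assumes only a POSIX shell with grep and sed, and uses the sample key printed on this page (a documentation sample, not a live key) as its input.

```shell
#!/bin/sh
# Added example, not from the pfSense documentation. Validates that a pasted
# OpenVPN static key (output of `openvpn --genkey secret`) is complete before it
# is saved on the server, where a truncated paste would break every client.
# Assumes only a POSIX shell with grep and sed.

BEGIN_LINE='-----BEGIN OpenVPN Static key V1-----'
END_LINE='-----END OpenVPN Static key V1-----'

# Prints "ok" and returns 0 when file $1 holds both armor lines and exactly
# 16 lines of 32 lowercase hex characters (2048 bits) between them; otherwise
# prints the reason and returns 1.
check_ovpn_static_key() {
    f=$1
    grep -q "^$BEGIN_LINE\$" "$f" || { echo "missing BEGIN armor line"; return 1; }
    grep -q "^$END_LINE\$"   "$f" || { echo "missing END armor line";   return 1; }
    # Everything strictly between the armor lines, with '#' comment lines dropped
    body=$(sed -n "/^$BEGIN_LINE\$/,/^$END_LINE\$/p" "$f" | grep -v '^-----' | grep -v '^#')
    total=$(printf '%s\n' "$body" | grep -c .)
    valid=$(printf '%s\n' "$body" | grep -c '^[0-9a-f]\{32\}$')
    if [ "$total" -ne 16 ] || [ "$valid" -ne 16 ]; then
        echo "expected 16 hex lines of 32 characters, found $valid valid of $total"
        return 1
    fi
    echo ok
}

# Writes the sample key shown on this page (a documentation sample, not a live
# key) to file $1, exactly as it would be copied from the command output.
write_sample_key() {
    cat > "$1" <<'EOF'
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
aed37de925b750e934efbcca1f342267
a428f6ee2bd677a25c0f2815f04c1d53
ba5c7a268c6b351312ee8753fa757204
50c274de24a70b199e5f4f2c094f48cf
3fbcdca14bbb1344ca042288766201ca
f057300e97c70b78aaec9385877d87d5
ad4e8a3bda1d528a03130117d63d1ed6
cd5fdfda0ee41d1d039dcbd458a58666
793a72d3393d57b906b2ee2d03748516
6a401d162c1d0da2b83d689eb5cb9a12
285b17b2de3bb816eb927e890696350e
ae6328485b4d02e4adbe4f867a4871c4
61af2d62e4693e4a334f5e540d9b5e9c
82e6f9c9b833ac8b2f83f025e48822cd
c1f8a7cc57cfb60a5adda5a3287d128c
f0a29f14cb4e1e7fda8174c4a7226252
-----END OpenVPN Static key V1-----
EOF
}

# Prints "ok fail": the complete key passes, a copy missing one hex line fails.
demo_key_check() {
    full=$(mktemp); short=$(mktemp)
    write_sample_key "$full"
    sed '9d' "$full" > "$short"      # drop one hex line, simulating a partial paste
    a=$(check_ovpn_static_key "$full")
    b=$(check_ovpn_static_key "$short" >/dev/null && echo ok || echo fail)
    rm -f "$full" "$short"
    echo "$a $b"
}

# demo_key_check    # prints: ok fail
```

Run the check against the saved text on both the server and each client before cutting over; the key pasted into the GUI must match the generated output byte for byte, including the header and armor lines, or the clients will fail to connect.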
Another popular strategy for remote access setups is to make a new VPN server with settings similar to the old one. It must have a unique port number and tunnel network but it can otherwise use the same settings. Place the new TLS key, CA, and certificates on this new server and deliver the new files to clients. Once all clients are on the new server, retire the old entry and remove all of its contents.
PPPoE Server Users¶
If the firewall is acting as a PPPoE server, it has a separate configuration for users and/or RADIUS authentication.
Local Users¶
Navigate to Services > PPPoE Server
Locate the server entry in the list
Click to edit the server
Locate user in the User table
Set a new Password
Click Save
RADIUS¶
Navigate to Services > PPPoE Server
Locate the server entry in the list
Click to edit the server
Set and confirm a new Primary RADIUS Server Shared Secret and/or Secondary RADIUS Server Shared Secret
Click Save
L2TP Server Users¶
If the firewall is acting as an L2TP server, it has a separate configuration for users and/or RADIUS authentication.
Local Users¶
Navigate to VPN > L2TP Server, Users tab
Locate the entry in the list
Click to edit the entry
Set and confirm a new Password
Click Save
RADIUS¶
Navigate to VPN > L2TP Server
Set and confirm a new Secret in the RADIUS section
Click Save
Notification Services¶
Remote notification types frequently require credentials to contact the remote server and deliver messages. If the credentials change on the server, the firewall needs the new credentials to continue delivering remote notifications.
SMTP¶
Navigate to System > Advanced, Notifications tab
Enter a new Notification E-mail auth password in the SMTP Section
Click Save
Click Test SMTP Settings
Telegram¶
Navigate to System > Advanced, Notifications tab
Enter a new API key in the Telegram Section
Click Save
Click Test Telegram Settings
Pushover¶
Navigate to System > Advanced, Notifications tab
Enter a new API key and/or User Key in the Pushover Section
Click Save
Click Test Pushover Settings
Slack¶
Navigate to System > Advanced, Notifications tab
Enter a new API key in the Slack Section
Click Save
Click Test Slack Settings
Upstream Proxy¶
If the firewall must authenticate to an upstream proxy for its own outgoing HTTP/HTTPS requests and those credentials change, the firewall will need the new password for outbound connectivity:
Navigate to System > Advanced, Miscellaneous tab
Enter a new Proxy Password
Click Save
Captive Portal¶
Uses the User Manager for local users, Authentication Servers for remote users, and certificates from the certificate manager. See those respective sections for information on updating credentials.
DHCP Server¶
OMAPI¶
To change the OMAPI key:
Navigate to Services > DHCP Server
Paste in a new OMAPI Key or check Generate New Key to create a new key automatically
Click Save
Dynamic DNS Key¶
If the DHCP server securely sends dynamic DNS updates to an upstream DNS server, those credentials can be changed if the server updates the key:
Navigate to Services > DHCP Server
Paste in a new DNS Domain key secret from the DNS server
Click Save
DNS Resolver¶
Uses certificates from the certificate manager when acting as a DNS over TLS server. See that section for information on updating credentials.
Dynamic DNS¶
Dynamic DNS Service Clients¶
The type and format of credentials for Dynamic DNS clients vary by provider.
Navigate to Services > Dynamic DNS, Dynamic DNS Clients tab
Find the entry in the list
Click to edit the entry
Enter the new Password or equivalent credential
Click Save
Alternately, click Save and Force Update to also force an update to test the new settings.
RFC 2136 Clients¶
Navigate to Services > Dynamic DNS, RFC 2136 Clients tab
Find the entry in the list
Click to edit the entry
Pick a new Key algorithm if it changed
Enter the new Key
Click Save
Alternately, click Save and Force Update to also force an update to test the new settings.
NTP¶
If NTPv3 authentication is enabled and the server key changes, the firewall must be changed to match.
Navigate to Services > NTP
Enter a new Authentication Key
Pick a new Digest Algorithm if it changed
Click Save
Packages¶
Add-on packages can have their own sets of credentials. This section is not comprehensive. Check each add-on package individually.
ACME¶
Certificates¶
These certificates generally only have a 90-day lifetime, so it is unusual to need to renew them sooner; their relatively short life is quite secure on its own.
To forcefully renew an ACME certificate:
Navigate to Services > ACME Certificates, Certificates tab
Locate the entry in the list
Click Issue/Renew
Private Keys¶
Changing a private key for a certificate isn’t a common need, and the package does not currently have a good method to forcefully generate a new private key of the same type and size.
Navigate to Services > ACME Certificates, Certificates tab
Locate the entry in the list
Click to edit the entry
Change the Private Key selection to a different length or type (RSA vs ECDSA)
Alternately, generate a new private key externally and then choose Custom and paste the private key data in PEM format.
Click Save
Locate the entry in the list
Click Issue/Renew
When the package renews the certificate it will change the private key to the new size and/or type.
Account Keys¶
The account key identifies a particular ACME user, but it can be changed if needed.
Navigate to Services > ACME Certificates, Account Keys tab
Locate the entry in the list
Click to edit the entry
Click Create new account key
Click Register ACME account key
Click Save
Navigate to Services > ACME Certificates, Certificates tab
Locate each entry in the list using this account key
Click Issue/Renew on each entry using the key
FRR¶
The FRR package can optionally store credentials used to communicate with peers.
Global¶
The master password is only used internally by FRR. Changing it is typically unnecessary but simple to do as it does not need to be updated anywhere else.
Navigate to Services > FRR Global/Zebra
Enter a new Master Password
BGP¶
Navigate to Services > FRR BGP, Neighbors tab
Locate the entry in the list
Click to edit the entry
Enter a new Password
Click Save
OSPF¶
Navigate to Services > FRR OSPF, Interfaces tab
Locate the entry in the list
Click to edit the entry
Enter a new Password
Click Save
FreeRADIUS¶
The FreeRADIUS package contains credentials for users as well as for its clients and other servers.
Note
If using a database, change data there instead.
Users¶
Navigate to Services > FreeRADIUS, Users tab
Locate the entry in the list
Click to edit the entry
Enter a new Password
Enter a new One-Time Password Init-Secret and/or PIN if needed
Click Save
NAS / Clients¶
Navigate to Services > FreeRADIUS, NAS / Clients tab
Locate the entry in the list
Click to edit the entry
Enter a new Client Shared Secret
Click Save
EAP Certificates¶
EAP uses certificates from the Certificate Manager. To change those, see that section instead.
SQL¶
If this FreeRADIUS configuration pulls its data from an SQL server, it will have stored credentials for communicating with the SQL server. To update those credentials:
Navigate to Services > FreeRADIUS, SQL tab
Enter a new Database Password in the section for server 1 and optionally for server 2.
Click Save
LDAP¶
If this FreeRADIUS configuration passes authentication requests to an LDAP server, it may have stored credentials for communicating with the LDAP server. To update those credentials:
Navigate to Services > FreeRADIUS, LDAP tab
Enter a new Password in the section for server 1 and optionally for server 2.
Click Save
If communication with the LDAP server uses certificates, they are stored in the Certificate Manager. To change those, see that section instead.
NET-SNMP¶
NET-SNMP SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.
Users¶
Navigate to Services > NET-SNMP, Users tab
Locate the entry in the list
Click to edit the entry
Enter a new Password and/or Passphrase
Click Save
Communities¶
Navigate to Services > NET-SNMP, Communities tab
Locate the entry in the list
Click to edit the entry
Enter a new Community Name
Click Save
HAProxy¶
HAProxy SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.
Stunnel¶
Stunnel SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.
Zabbix¶
Navigate to Services > Zabbix Agent or Services > Zabbix Proxy
Paste a new TLS PSK value from the server
SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.
Others¶
The contents of the package system change on an ongoing basis. There may be additional third party packages with credentials not mentioned in this document. Check the settings of any other installed package for local or remote credentials.