Changing Credentials and Keys

Organizations may have guidelines about how often to change credentials such as passwords and encryption keys. Different types of credentials and keys are stored in various places in the configuration, and changing them can range from trivial to cumbersome depending on the type and how the firewall uses them.

These types of guidelines can vary widely based on various industry recommendations, certification standards, and other criteria. Due to these variations, this document won’t make any specific commentary on timing of such changes.

User Manager Accounts

Administrators can change the password for their own account and for accounts of other users in the User Manager:

  • Navigate to System > User Manager

  • Find the user account in the list

  • Click fa-pencil at the end of the row to edit the user account

  • Enter a new Password and enter it again in the Confirm Password field.

  • Click Save

Unprivileged Users

Non-administrator users with accounts in the user manager who have the “WebCfg - System: User Password Manager” privilege can log in to the GUI with their existing username and password and change the password for their own account to a new value in the same place (System > User Manager).

The GUI displays a simplified form for these users with only the password change fields.

Warning

Do not expose the GUI to the Internet. Only allow users to reach the firewall GUI from a local interface or using a secure VPN.

Authentication Servers

User authentication may be handed off to external authentication servers. In this case the user credentials must be changed on the authentication server. However, there may be credentials the firewall itself uses when communicating with the authentication servers.

LDAP

LDAP servers may have two items to update, depending on the configuration:

TLS Certificate

If communication with the LDAP server uses TLS (STARTTLS or dedicated TLS port) then there may be occasions when the server CA expires or needs to be changed. If there is a new server CA, replace the CA data in the Certificate Manager:

  • Navigate to System > Certificates, CAs tab

  • Find the LDAP server CA in the list

  • Click fa-pencil to edit the CA

  • Paste in the new CA certificate and/or private key data in PEM format

  • Click Save

Alternately, import a new CA entry, then edit the LDAP authentication server entry and switch to the new CA.

Bind Credentials

LDAP authentication servers may use authenticated or anonymous binds when validating LDAP users. If the entry uses bind credentials, these may change over time.

To update the bind credentials:

  • Navigate to System > User Manager, Authentication Servers tab

  • Find the LDAP server entry in the list

  • Click fa-pencil to edit the LDAP server entry

  • Enter the new Bind credentials (User DN, Password)

  • Click Save

RADIUS

RADIUS authentication servers have a Shared Secret (sometimes called a NAS password) which allows the firewall to perform authentication requests. If the shared secret for the firewall is changed on the RADIUS server, update the RADIUS authentication server entry on the firewall to match:

  • Navigate to System > User Manager, Authentication Servers tab

  • Find the RADIUS server entry in the list

  • Click fa-pencil to edit the RADIUS server entry

  • Enter the new Shared Secret

  • Click Save
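The reason the firewall's entry must match the server is visible in the protocol itself. The following is an added example (not pfSense code): the RFC 2865 section 5.2 User-Password hiding a RADIUS client such as the firewall applies to a PAP Access-Request, and the reverse step the server applies. Both steps are keyed on the shared secret, so with a stale secret on either side the server recovers garbage and rejects the login even though the user typed the right password.

```python
import hashlib
import os

# Added example, not pfSense code. Implements RFC 2865 section 5.2 (User-Password).
# The shared secret is mixed into every keystream block, which is why a mismatch
# between the firewall's entry and the RADIUS server breaks authentication.


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """Client side: pad P with NULs to a 16-octet multiple, then
    c1 = p1 XOR MD5(S + RA), c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    if not 0 < len(p) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        c = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return out


def recover_password(hidden, secret, authenticator):
    """Server side: same keystream chain, keyed on the received ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def login_succeeds(server_secret, firewall_secret, password, authenticator=None):
    """Simulate one Access-Request: True only if the server recovers the password intact."""
    ra = authenticator or os.urandom(16)   # fresh Request Authenticator per request
    on_the_wire = hide_password(password, firewall_secret, ra)
    return recover_password(on_the_wire, server_secret, ra) == password.encode()


if __name__ == "__main__":
    print(login_succeeds(b"new-secret", b"new-secret", "correct-pass"))  # True
    print(login_succeeds(b"new-secret", b"old-secret", "correct-pass"))  # False
```

EAP-based requests fail in the same way through the Message-Authenticator attribute, which is an HMAC keyed on the shared secret rather than a hidden password.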

Interfaces

A few interface types can have credentials as well. For WANs, these should be changed with the ISP first and then updated on the firewall to match.

PPP type WANs

These types of WANs (e.g. PPPoE, L2TP, PPP/Cellular) can be changed in either of two places: the interface configuration or the PPPs configuration.

Choose one of the following methods and update the credentials there.

Interface Method

  • Navigate to Interfaces > <Name> for the interface in question

  • Enter the new Username, Password, and Confirm Password

  • Click Save

  • Click Apply Changes

PPPs Configuration Method

  • Navigate to Interfaces > Assignments, PPPs tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Enter the new Username, Password, and Confirm Password

  • Click Save

Wireless WANs

If the upstream wireless provider changes the pre-shared key or 802.1x/EAP passphrase, a wireless WAN must be changed to match the new value(s):

  • Navigate to Interfaces > <Name> for the interface in question

  • Enter the new WPA Pre-Shared Key and/or Inner Authentication Passphrase

  • Click Save

  • Click Apply Changes

Wireless APs

WPA2

Access Points using WPA/WPA2 should periodically change the pre-shared key:

  • Navigate to Interfaces > <Name> for the interface in question

  • Enter the new WPA Pre-Shared Key

  • Click Save

  • Click Apply Changes

Clients will need to enter the new key to reconnect.

802.1x

Access Points using 802.1x/EAP may need to update the RADIUS shared secret if it changes on the RADIUS server.

  • Navigate to Interfaces > <Name> for the interface in question

  • Enter the new Shared Secret for the Primary 802.1x server and/or Secondary 802.1x server

  • Click Save

  • Click Apply Changes

Certificate Data and Private Keys

CA and Certificate entries have built-in expiration dates and can be easily renewed in the GUI. On occasion it may be necessary to change the private key for a CA or certificate as well.

Warning

When renewing a CA, changing the private key or serial number will invalidate any certificate signed by the CA as these are part of the data used to validate the trust chain.

To renew a CA or certificate and generate a new private key:

  • Navigate to System > Certificates, CAs or Certificates tab

  • Find the entry to renew

  • Click fa-arrow-rotate-right to start the renewal process

  • Uncheck Reuse Key

    With this option unchecked, the renewal process will generate a brand new private key for the certificate. This is generally safe for server and user certificates but can be problematic for CAs as mentioned previously.

  • Inspect the Certificate Properties

    If any are considered weak, consider checking Strict Security to use the recommended properties for stronger security.

  • Click Renew/Reissue

If the entry is a CA, send the new CA to clients that need it. Assuming the key and serial were reused, they can continue using the old CA until it expires, but they will need to replace their local copy of the CA before that date arrives.

Note

When renewing the self-signed GUI certificate, it is safe to replace the key and using a new serial number is required.

VPNs

For optimal security, changing VPN keys periodically is a good practice. The practicality of doing so largely depends on the size of the VPN (e.g. a simple two-site point-to-point link vs a remote access setup with dozens of users).

In any case, the most important thing is to coordinate the change with the remote peer(s) so all parties are using the correct keys.

IPsec Pre-Shared Keys

Changing pre-shared key values is fairly simple but must be done in a coordinated fashion. As soon as one side changes the key, the other side will fail to negotiate the tunnel the next time it attempts to authenticate.

Tunnels

  • Navigate to VPN > IPsec

  • Locate the VPN tunnel in the list

  • Click fa-pencil to edit the tunnel Phase 1 entry

  • Enter a new Pre-Shared Key

  • Click Save

  • Click Apply Changes

Remote Access (PSK and EAP)

  • Navigate to VPN > IPsec, Pre-Shared Keys tab

  • Locate the key entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Pre-Shared Key

  • Click Save

  • Click Apply Changes

IPsec Certificates

An IPsec tunnel using certificate-based authentication will have two certificates that may need to be changed: My Certificate which is used by this firewall to identify itself, and Peer Certificate Authority which this firewall uses to authenticate the peer.

If the CA or certificate was created on this firewall, the entry can be renewed as described in Certificate Data and Private Keys.

To update a CA or Certificate entry in-place with data from a remote source:

  • Navigate to System > Certificates, CAs or Certificates tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Paste in the new certificate and/or private key data in PEM format

  • Click Save

Alternately, renew, create, or import a new CA/Certificate, then select the new entry:

  • Navigate to VPN > IPsec

  • Locate the VPN tunnel in the list

  • Click fa-pencil to edit the tunnel Phase 1 entry

  • Select the new My Certificate and/or Peer Certificate Authority entries

  • Click Save

  • Click Apply Changes

WireGuard

To set a new private key for a tunnel:

  • Navigate to VPN > WireGuard, Tunnels tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new private key

    Alternately, click fa-key Generate to automatically generate a new key pair.

  • Click Save Tunnel

Warning

The tunnel will be down until the remote peer(s) update their configurations with the new public key.

If a peer changes their key, edit the peer and update:

  • Navigate to VPN > WireGuard, Peers tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Public Key

  • Click Save Tunnel

Another strategy for remote access setups is to make a new tunnel with settings similar to the old one. It must have a unique port number and interface addresses but it can otherwise use the same settings. Place the new keys on the new server and exchange new keys with clients. Once all clients are on the new server, retire the old entry and remove all of its contents.

OpenVPN

Warning

Shared Key mode is deprecated; move to certificate-based tunnels.

OpenVPN tunnels using certificates can, for the most part, be handled by methods already covered in this document. For example, if the CA or certificate was created on this firewall, the entry can be renewed as described in Certificate Data and Private Keys and the warnings there still apply.

Consider generating a new TLS auth/encryption key periodically as well:

  • From an SSH or console shell prompt, or Diagnostics > Commands, run the following shell command:

    $ openvpn --genkey secret
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    aed37de925b750e934efbcca1f342267
    a428f6ee2bd677a25c0f2815f04c1d53
    ba5c7a268c6b351312ee8753fa757204
    50c274de24a70b199e5f4f2c094f48cf
    3fbcdca14bbb1344ca042288766201ca
    f057300e97c70b78aaec9385877d87d5
    ad4e8a3bda1d528a03130117d63d1ed6
    cd5fdfda0ee41d1d039dcbd458a58666
    793a72d3393d57b906b2ee2d03748516
    6a401d162c1d0da2b83d689eb5cb9a12
    285b17b2de3bb816eb927e890696350e
    ae6328485b4d02e4adbe4f867a4871c4
    61af2d62e4693e4a334f5e540d9b5e9c
    82e6f9c9b833ac8b2f83f025e48822cd
    c1f8a7cc57cfb60a5adda5a3287d128c
    f0a29f14cb4e1e7fda8174c4a7226252
    -----END OpenVPN Static key V1-----
    
  • Copy the resulting text including the # header lines and --- armor lines.

  • Navigate to VPN > OpenVPN, Servers tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Erase the existing TLS key

  • Paste in the new TLS key

  • Click Save
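A truncated or line-wrapped copy of the key is the usual way this step goes wrong, and it only shows up when clients can no longer connect. The following is an added example (not part of the pfSense documentation or pfSense itself): a small checker for the text copied from openvpn --genkey secret, run before pasting it into the TLS Key field. It assumes the layout shown above (three # header lines, the BEGIN/END armor lines, and 16 lines of 32 hex digits making up the 2048-bit key).

```python
import re

# Added example, not pfSense code: validate the text copied from "openvpn --genkey secret"
# before it is pasted into the OpenVPN server's TLS Key field.
BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256        # a V1 static key is 2048 bits
HEX_PER_LINE = 32      # openvpn prints 16 bytes (32 hex digits) per line
HEX_LINE = re.compile(r"^[0-9a-fA-F]{%d}$" % HEX_PER_LINE)


def check_static_key(text):
    """Return (ok, problems) for pasted static key text."""
    problems = []
    # Blank lines and the "# 2048 bit OpenVPN static key" comment header are not key data.
    body = [ln.strip() for ln in text.splitlines()]
    body = [ln for ln in body if ln and not ln.startswith("#")]
    if not body or body[0] != BEGIN:
        problems.append("missing or misplaced BEGIN armor line")
    if not body or body[-1] != END:
        problems.append("missing or misplaced END armor line")
    hex_lines = [ln for ln in body if ln not in (BEGIN, END)]
    good = [ln for ln in hex_lines if HEX_LINE.match(ln)]
    if len(good) != len(hex_lines):
        problems.append("%d line(s) are not %d hex digits (wrapped or edited?)"
                        % (len(hex_lines) - len(good), HEX_PER_LINE))
    bits = sum(len(ln) // 2 for ln in good) * 8
    if bits != KEY_BYTES * 8:
        problems.append("key material is %d bits, expected %d (truncated copy?)"
                        % (bits, KEY_BYTES * 8))
    return (not problems, problems)


def format_static_key(key):
    """Lay out 256 key bytes in the form openvpn --genkey prints (used to build test input)."""
    if len(key) != KEY_BYTES:
        raise ValueError("a V1 static key is %d bytes" % KEY_BYTES)
    hexed = key.hex()
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [hexed[i:i + HEX_PER_LINE] for i in range(0, len(hexed), HEX_PER_LINE)]
    lines.append(END)
    return "\n".join(lines) + "\n"


def sample_key_text():
    """Constructed, non-random key bytes 0x00..0xff; only for exercising the checker."""
    return format_static_key(bytes(range(KEY_BYTES)))


if __name__ == "__main__":
    import sys
    ok, problems = check_static_key(sys.stdin.read())
    print("OK" if ok else "\n".join(problems))
    sys.exit(0 if ok else 1)
```

Pipe the copied text into the script (or call check_static_key on it) and paste only when it reports OK.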

Warning

Coordinate with all clients as changing it on the server will require clients to use the new key immediately!

Another popular strategy for remote access setups is to make a new VPN server with settings similar to the old one. It must have a unique port number and tunnel network but it can otherwise use the same settings. Place the new TLS key, CA, and certificates on this new server and deliver the new files to clients. Once all clients are on the new server, retire the old entry and remove all of its contents.

PPPoE Server Users

If the firewall is acting as a PPPoE server, it has a separate configuration for users and/or RADIUS authentication.

Local Users

  • Navigate to Services > PPPoE Server

  • Locate the server entry in the list

  • Click fa-pencil to edit the server

  • Locate user in the User table

  • Set a new Password

  • Click Save

RADIUS

  • Navigate to Services > PPPoE Server

  • Locate the server entry in the list

  • Click fa-pencil to edit the server

  • Set and confirm a new Primary RADIUS Server Shared Secret and/or Secondary RADIUS Server Shared Secret

  • Click Save

L2TP Server Users

If the firewall is acting as an L2TP server, it has a separate configuration for users and/or RADIUS authentication.

Local Users

  • Navigate to VPN > L2TP Server, Users tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Set and confirm a new Password

  • Click Save

RADIUS

  • Navigate to VPN > L2TP Server

  • Set and confirm a new Secret in the RADIUS section

  • Click Save

Notification Services

Remote notification types frequently require credentials to contact the remote server and deliver messages. If the credentials change on the server, the firewall needs the new credentials to continue delivering remote notifications.

SMTP

  • Navigate to System > Advanced, Notifications tab

  • Enter a new Notification E-mail auth password in the SMTP Section

  • Click Save

  • Click Test SMTP Settings

Telegram

  • Navigate to System > Advanced, Notifications tab

  • Enter a new API key in the Telegram Section

  • Click Save

  • Click Test Telegram Settings

Pushover

  • Navigate to System > Advanced, Notifications tab

  • Enter a new API key and/or User Key in the Pushover Section

  • Click Save

  • Click Test Pushover Settings

Slack

  • Navigate to System > Advanced, Notifications tab

  • Enter a new API key in the Slack Section

  • Click Save

  • Click Test Slack Settings

Upstream Proxy

If the firewall must authenticate to an upstream proxy for its own outgoing HTTP/HTTPS requests and those credentials change, the firewall will need the new password for outbound connectivity:

  • Navigate to System > Advanced, Miscellaneous tab

  • Enter a new Proxy Password

  • Click Save

Captive Portal

Uses the User Manager for local users, Authentication Servers for remote users, and certificates from the certificate manager. See those respective sections for information on updating credentials.

DHCP Server

OMAPI

To change the OMAPI key:

  • Navigate to Services > DHCP Server

  • Paste in a new OMAPI Key or check Generate New Key to create a new key automatically

  • Click Save

Dynamic DNS Key

If the DHCP server securely sends dynamic DNS updates to an upstream DNS server, those credentials can be changed if the server updates the key:

  • Navigate to Services > DHCP Server

  • Paste in a new DNS Domain key secret from the DNS server

  • Click Save

DNS Resolver

Uses certificates from the certificate manager when acting as a DNS over TLS server. See that section for information on updating credentials.

Dynamic DNS

Dynamic DNS Service Clients

The type and format of credentials for Dynamic DNS clients vary by provider.

  • Navigate to Services > Dynamic DNS, Dynamic DNS Clients tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Enter the new Password or equivalent credential

  • Click Save

    Alternately, click Save and Force Update to also force an update to test the new settings.

RFC 2136 Clients

  • Navigate to Services > Dynamic DNS, RFC 2136 Clients tab

  • Find the entry in the list

  • Click fa-pencil to edit the entry

  • Pick a new Key algorithm if it changed

  • Enter the new Key

  • Click Save

    Alternately, click Save and Force Update to also force an update to test the new settings.

NTP

If NTPv3 authentication is enabled and the server key changes, the firewall must be changed to match.

  • Navigate to Services > NTP

  • Enter a new Authentication Key

  • Pick a new Digest Algorithm if it changed

  • Click Save

Packages

Add-on packages can have their own sets of credentials. This section is not comprehensive. Check each add-on package individually.

ACME

Certificates

These certificates generally only have a 90-day lifetime and thus it’s unusual to need to renew them sooner as their relatively short life is quite secure on its own.

To forcefully renew an ACME certificate:

  • Navigate to Services > ACME Certificates, Certificates tab

  • Locate the entry in the list

  • Click Issue/Renew

Private Keys

Changing a private key for a certificate isn’t a common need, and the package does not currently have a good method to forcefully generate a new private key of the same type and size.

  • Navigate to Services > ACME Certificates, Certificates tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Change the Private Key selection to a different length or type (RSA vs ECDSA)

    Alternately, generate a new private key externally and then choose Custom and paste the private key data in PEM format.

  • Click Save

  • Locate the entry in the list

  • Click Issue/Renew

When the package renews the certificate it will change the private key to the new size and/or type.

Account Keys

The account key identifies a particular ACME user, but it can be changed if needed.

  • Navigate to Services > ACME Certificates, Account Keys tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Click fa-plus Create new account key

  • Click fa-key Register ACME account key

  • Click Save

  • Navigate to Services > ACME Certificates, Certificates tab

  • Locate each entry in the list using this account key

  • Click Issue/Renew on each entry using the key

FRR

The FRR package can optionally store credentials used to communicate with peers.

Global

The master password is only used internally by FRR. Changing it is typically unnecessary but simple to do as it does not need to be updated anywhere else.

  • Navigate to Services > FRR Global/Zebra

  • Enter a new Master Password

BGP

  • Navigate to Services > FRR BGP, Neighbors tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Password

  • Click Save

OSPF

  • Navigate to Services > FRR OSPF, Interfaces tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Password

  • Click Save

FreeRADIUS

The FreeRADIUS package contains credentials for users as well as for its clients and other servers.

Note

If using a database, change data there instead.

Users

  • Navigate to Services > FreeRADIUS, Users tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Password

  • Enter a new One-Time Password Init-Secret and/or PIN if needed

  • Click Save

NAS / Clients

  • Navigate to Services > FreeRADIUS, NAS / Clients tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Client Shared Secret

  • Click Save

EAP Certificates

EAP uses certificates from the Certificate Manager. To change those, see that section instead.

SQL

If this FreeRADIUS configuration pulls its data from an SQL server, it will have stored credentials for communicating with the SQL server. To update those credentials:

  • Navigate to Services > FreeRADIUS, SQL tab

  • Enter a new Database Password in the section for server 1 and optionally for server 2.

  • Click Save

LDAP

If this FreeRADIUS configuration passes authentication requests to an LDAP server, it may have stored credentials for communicating with the LDAP server. To update those credentials:

  • Navigate to Services > FreeRADIUS, LDAP tab

  • Enter a new Password in the section for server 1 and optionally for server 2.

  • Click Save

If communication with the LDAP server uses certificates, they are stored in the Certificate Manager. To change those, see that section instead.

NET-SNMP

NET-SNMP SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.

Users

  • Navigate to Services > NET-SNMP, Users tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Password and/or Passphrase

  • Click Save

Communities

  • Navigate to Services > NET-SNMP, Communities tab

  • Locate the entry in the list

  • Click fa-pencil to edit the entry

  • Enter a new Community Name

  • Click Save

HAProxy

HAProxy SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.

Stunnel

Stunnel SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.

Zabbix

  • Navigate to Services > Zabbix Agent or Services > Zabbix Proxy

  • Paste a new TLS PSK value from the server

SSL/TLS options use entries from the Certificate Manager. To change those, see that section instead.

Others

The contents of the package system change on an ongoing basis. There may be additional third party packages with credentials not mentioned in this document. Check the settings of any other installed package for local or remote credentials.