WatchGuard Technologies Firebox X Certificate Authority

User Guide 59

CHAPTER 7 Managing Certificates and the

Certificate Authority

When you create a VPN tunnel, you can select from two types of tunnel authentication: shared secrets or

certificates. A certificate is an electronic document that co ntains a public key. The public key verifies that

the certificate is legitimate. A Certificate Authority (CA) is a trusted third-party that gives certificates to

clients. In WatchGuard® System Manager, the workstation that is configured as the Management Server

also operates as a CA. The CA on the Management Server can give certificates to ma naged Firebox clients

when the Management Server creates VPN tunnels.

Certificate Authorities are a component of a system of key creation, ke y management and certification

with the name Public Key Infrastructure (PKI). The PKI supplies certificate and directory services that can

create, supply, keep, and when necessary revoke the certificates.

Certificates usually give more security than shared secrets during the authentica tion procedure.

Public Key Cryptography and Dig ital Certificates

Public key cryptography is a central component of a PKI. This cryptographic system includes two mathe-

matically related keys, known as an asymmetric key pair. The user keeps one key, the private key, secret.

The user can supply the other key, known as the public key, to other users.

The keys in the key pair go together. Only the owner of the private key can decrypt data encrypted with

the public key. Any person wit h the public key can decry pt data encrypted with the p rivate key.

Certificates are used to make sure public keys are valid. Certificates contain a di gital signature created

with the public key of a CA certificate. The validity of a certificate can be verified by looking at its digital

signature.

Certificates have a lifetime that is set when they are created. But certificates are occasionally revoked

before the end date and t ime that was set for their lifetime. The CA keeps an o nline, current list of

revoked certificates. This list is the certificate revocation list (CRL).

PKI in a WatchGuard VPN

To authenticate VPN tunnels with certificates, you must first configure a Management Server. When you

configure the Managem ent Server, the CA is automatical ly activated. Each managed Firebox client

Contents

Main ADDRESS: SUPPORT: SALES: ABOUT WATCHGUARD Contents CHAPTER 1 Getting Started CHAPTER 2 Service and Support CHAPTER 3 Monitoring Your Network CHAPTER 4 Setting Up Logging and Notification CHAPTER 5 Reviewing and Working with Log Files CHAPTER 6 Generating Reports of Netw ork Activity CHAPTER 7 Managing Certificates and the Certificate Authority CHAPTER 8 Managing the Firebox X Edge and Firebox SOHO 6 APPENDIX A Copyright and Licensing APPENDIX B W atchGuard File Loc ations About WatchGuard System Manager WatchGuard Manageme nt Server Log Server WebBlocker Server About Hardware and Appliance Software Migration Guide Appliance software Upgrading the appliance software Installation requirements Collecting network infor mation License Keys Network addresses External interface Selecting a firewall confi guration mode Selecting where to install ser ver software Setting up the management station Base Strong Backing up your previous configuration Setting Up Your Management Server Management Server passw ords Master password Admin password Using the Management Server Se tup Wizard 1 After Your Installation Align your security policy Features of the LiveSecurity Ser vice Installation Topics Installing WatchGuard Servers on computers with desktop firewalls WFS appliance software configuratio n modes Routed configuration Drop-in configuration Adding secondary networks t o your configuration Use the Quick Setup Wizard during installation Add the secondary network after the Firebox installation is complete Dynamic IP support on the external interface Entering IP addresses About slash notation Installing the Firebox cable s Page LiveSecurity Service Solutions Threat responses, alerts, and expert advice Easy software updates Access to technical support and training LiveSecurity Service Broadcasts New from WatchGuard Activating the LiveSecurity Service LiveSecurity Service Self Help Tools Basic FAQs Advanced F AQs Known Issues Interactive Support Forum Online Training Learn About Watch Guard Users Forum Using the WatchGuard Users Forum WatchGuard Users Group Online Help Starting WatchGuard Online Help Product Documentation Technical Support LiveSecurity Service Technical Su pport Hours Telephone Number 877.232.3531 in United States and Canada +1.206.613.0456 in all other countries Web Site Training and Certification Page Device VPN Log Connecting to a Firebox Connecting to a Server Seeing Information about Devices Page Mobile user VPN tunnels PPTP user VPN tunnels Connection status No exclamation point Seeing Information on Log Servers Monitoring VPNs About the WatchGuard Toolbar Starting Security Ap plications Configuration Guide Policy Ma nager Firebox Manager Page Setting Up the Log Server Page Changing the Log Server encr yption key Setting Global Logging and Notific ation Preferences Log file size and rollover frequency Setting the interval for log rollover Scheduling log reports Controlling notification Starting and stopping the Log Server Page Files Types of Log Messages Traffic log messages Alarm log messages e. Log File Names and Locations Starting LogViewer Page LogViewer Settings Changing LogViewer settings with F ireware appliance software Changing LogViewer settings with WFS ap pliance software Using LogViewer Creating a Search Rule Searching in LogViewer Highlight in main window Match all Match any New window Consolidating log files 1 2 3 Updating .wgl log files to .xml format Page Page Activity Creating and Editing Reports Starting a new report Editing an existing repor t Deleting a report Viewing the reports list Specifying a Report T ime Interval Specifying Report Sec tions Consolidating Report Se ctions Setting Report Pr operties Exporting Repor ts Using Report Filters Creating a new report filter Editing a report filter Deleting a report filter Applying a report filter Running Reports Report Sections and Consoli dated Sections Report sections Page Consolidated sections Page Certificate Authority Public Key Cryptography and Dig ital Certificates PKI in a WatchGuard VPN MUVPN and certificat es Managing the Certif icate Authority 1 2 Certificate Authority CA Certificate Management Server CA Certificate Managing certificates w ith the CA Manager 1 2 Publish (PEM) Publish (PKC12) Page Firebox SOHO 6 Importing Certi ficates Microsoft Internet Explor er 5.5 and 6.0 1 Netscape Communicator 4.79 Netscape 6 Troubleshooting ideas Managing the Firebox X Edge or SOHO Device 1 2 Select the certificate for this device. Click OK. 3 Click OK. System Status Network Removing Certificates Microsoft Internet Explor er 5.5 and 6.0 Netscape Navigator 4.79 Netscape 6 Page Page Page Page Licenses SSL Licenses This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. OpenSSL License Original SSLeay License Apache Software License, Version 2.0, Januar y 2004 Page PCRE License GNU Lesser General Public License Page Page Page GNU General Public License Page Page Page Sleepycat License Page General File Locations Default File Locations Quick Setup Wizard Firebox System Manager for Fireware Appliance Software Quick Setup Wizard HostWatch for Fireware Appliance Software Policy Manager for Fireware Appliance Software WatchGuard System Manager Policy Manager for WFS Appliance Software Policy Manager for Fireware Appliance Software Firebox System Manager for WFS Appliance Software HostWatch for WFS Appliance Software Flash Disk Management for WFS Appliance Software LogViewer Policy Manager for WFS Appliance Software Management Server WebBlocker Server Log Server User Interface LogViewer Log Server for Fireware Appliance Softwa re Log Server for WFS Appliance Software Historical Reports Log Merge Management Server Setup Wizard Management Server User Interface Historical Reports WatchGuard Certificate Authority Page Index Symbols A C D I K L M N R S T U V ADDRESS: SUPPORT: SALES: ABOUT WATCHGUARD