Hi,

I’m trying to get rid of the “untrusted connection” error in IE when connecting to the Firebox’s authentication page, but the steps I’m taking to deploy the certificate don’t seem to be working.

I’m starting by testing a local certificate install (instead of GPO) and so far I have tried the below steps whilst following the info in this link - http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/certificates/import_client_cert.html

I have;

-Exported my certificate from “Firebox System Manager > View > Certificates”. The certificate I exported was the currently active Firebox web server certificate and the details were as follows - Status = Signed, Type = CA Cert, Algorithm = RSA, Subject Name = o=WatchGuard ou=Fireware cn=Fireware web CA.

-I then took the exported .PEM cert and converted it to .DER using SSL Converter - Convert SSL Certificates to different formats (link obtained from WatchGuard System Manager Help).

-I then double clicked the .DER cert on a workstation and ran through the wizard to install it in the Trusted Root Certification Authorities store.

-I restarted the station and tried accessing the authentication page using IE but still received the untrusted website warning.

-I then checked the certificate store in IE and found that the Fireware Web CA cert was listed under the Trusted Root Certification Authorities tab.

I’ve tested this with IE9 (Vista) and IE11 (Win7) and I’m currently running WSM/XTM 11.9.3 with a Firebox XTM 505.

Can anyone see any issues with the steps I’ve taken?

Thanks

2 Spice ups

You should use the certificate with “cn=Fireware web CA” as the root certificate, not the ‘Web Server’ certificate.

If you use FSM to export the certificate, this one will be listed at the left side under Status as “Signed *” - the star indicating that this is the current active Firebox Web Server certificate.

I’m having the same problem. When I look at the details of the error here is what I get.

NET::ERR_CERT_COMMON_NAME_INVALID

When I dig some more it looks like it hasn’t associated the private internal IP address of the WatchGuard with the name on the certificate. Are you seeing something similar?

1 Spice up

If you have a problem with the cert, just delete it and restart the box. A new one will be created automatically.

@Bojan - The web CA cert with the * against it is the one I was using. Thanks for the clarification though, I’d been wondering if I was just using the wrong one.

@Carl - Just checked in Chrome and that is the exact error I’m getting. I’m using the “Default certificate signed by Firebox” (Policy Manager > Setup > Authentication > Web Server Certificate) and regenerated it just before I started working on this because it had expired (pretty sure the firebox has been rebooted since as well). My guess would be that I need to switch to a “Custom certificate signed by Firebox” and enter some details about my network - not sure what will need to go in there yet though…

I’ve just changed the Web Server Certificate to “Custom certificate signed by Firebox” and entered the authentication page IP (without the port) as the Common Name - I’d guess you’d do the same thing with a web address if you aren’t accessing it via the IP. I believe the O and OU fields are optional so I just threw in my department and company name.

I’ve then run through the steps in my original post on a couple of workstations and they all now go straight through to the authentication page! :)

Thanks for your input Carl, that was the missing piece of the puzzle.

1 Spice up
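The Common Name fix worked out above comes down to one rule: the browser compares the host part of the URL (the IP, never the port) against the certificate’s subjectAltName entries, or against the CN when no SAN exists. The following check is an added example, not code from the thread or from WatchGuard; the certificate dicts and the IP 10.0.1.1 are constructed assumptions in the shape Python’s `ssl.getpeercert()` returns.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates (hypothetical values, not a real Firebox cert),
# in the dict shape that ssl.SSLSocket.getpeercert() returns.
DEFAULT_CERT = {  # "Default certificate signed by Firebox": CN is a generic name
    "issuer": ((("commonName", "Fireware web CA"),),),
    "subject": ((("commonName", "Fireware web server"),),),
}
CUSTOM_CERT = {  # "Custom certificate signed by Firebox" with the auth-page IP as CN
    "issuer": ((("commonName", "Fireware web CA"),),),
    "subject": ((("organizationName", "Example Co"),), (("commonName", "10.0.1.1"),)),
    "subjectAltName": (("IP Address", "10.0.1.1"),),
}

def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _dns_match(pattern, host):
    """Exact match, or a single leftmost-label wildcard (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def check_cert_name(url, cert):
    """Return (ok, reason): does the certificate name the host part of `url`?
    The port (4100 on the Firebox auth page) never takes part in the comparison."""
    host = urlsplit(url).hostname
    if host is None:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    sans = cert.get("subjectAltName", ())
    if sans:  # RFC 6125: when SANs are present, only the SANs are consulted
        for kind, value in sans:
            if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value} matches"
            if ip is None and kind == "DNS" and _dns_match(value, host):
                return True, f"DNS SAN {value} matches"
        return False, f"no SAN matches {host}"
    cn = _subject_cn(cert)  # legacy fallback: CN is used only when no SAN exists
    if cn is not None and (cn == host if ip is not None else _dns_match(cn, host)):
        return True, f"CN {cn} matches"
    return False, f"CN {cn!r} does not match {host} (ERR_CERT_COMMON_NAME_INVALID)"
```

Running `check_cert_name("https://10.0.1.1:4100/", DEFAULT_CERT)` reproduces the mismatch Carl saw, and the same URL against `CUSTOM_CERT` passes once the CN (or an IP SAN) carries the address without the port.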

That fixed it for me too! If anyone else reads this, be sure to restart your web browser for the new certificate to take effect.

2 Spice ups

I have exported the Fireware web CA* certificate using FSM and imported it onto a W10 client. I have tried both using the original .PEM and also converted as a .DER.
When I attempt to access a website, I get the “Site is not secure” error message. When I select continue to the page (using IE) I get to the Auth page (port 4100) but of course have a certificate error. When I open the certificate details (Fireware web CA) it says Certificate is OK. The certificate is listed under Trusted Root Cert Authorities/Certificates.

I read the post that suggested changing to Custom certificate signed by Firebox, but am not sure how to accomplish this. The site is also listed by an internal IP address rather than a name.

Any help would be great!

@Paul - Delete the certs you already have installed - just do a cleanup before doing it one more time.

Then open Iexplore and go to http://firewall_IP:4126

This is the new certportal hosted on the firewall. Click on the download button and save the cert to the machine account as a trusted root CA.

Done.