WatchGuard® Made Simple

This site covers common setup practices as well as tips and tricks for WatchGuard® Firewall products and contains editorial content. While every effort is made to ensure all information is correct and concise, no warranty of any kind is expressed or implied, and all information is provided on an "as is" basis.

WatchGuard® is not affiliated with this site, and all trademarks and graphics referenced are the property of WatchGuard Technologies Inc. or their respective owners. All other content is the property of Fireboxsupport.com and may not be reproduced without permission.
 

Please refresh the pages if you have visited previously! New content added 01/02/2007.


How to obtain a public certificate for your Firebox SSL VPN Firebox

Note: This is written for Firebox SSL version 4.9.x but can also be used for 5.0.

Generating a Certificate Signing Request (CSR) for the Firebox SSL VPN using RapidSSL as the provider.

 

This guide uses Cygwin to create a CSR to submit to http://www.rapidssl.com/index_ssl.htm to obtain a publicly signed certificate for your Firebox SSL VPN. You can use other providers as well, but the process described here works well. If you obtain a FreeSSL certificate for 30 days you can renew it for a year for only $34 (you will have to repeat this process during the renewal).

 

BEFORE YOU START –

 

You MUST either be the owner of the domain with a valid email address listed with your domain registrar, or have access to the email accounts listed with the registrar. RapidSSL and other providers must be able to authenticate you via email to complete the process. RapidSSL also has an automated system that calls you by phone to verify, so you can get the certificate immediately.

 

Read the FAQ first. The Firebox SSL VPN only needs a simple single-root certificate, which is fairly inexpensive, usually under $60 a year. You can install the free 30-day trial certificate to verify it works properly for your users, although it has already been validated to function properly on the Firebox SSL VPN.

 

http://www.rapidssl.com/faq.html

 

 

You do not want to use a provider that does not have its own root certificate, and never use a provider that issues "chained root" certificates.

 

 

From a PC on your network, follow the link below to perform an Internet install of Cygwin.

 

http://www.cygwin.com/setup.exe

 

Follow the on-screen instructions to open the setup installer.

 

In the Cygwin Setup dialog box, click Next.

 

Click Install from Internet and then click Next.

 

Accept the default root installation directory settings and then click Next.

 

Accept the default local package directory setting and then click Next.

 

In the Internet Connection screen, click Use IE5 Settings and then click Next.

 

In the list of Available Download Sites, click an FTP location close to you and then click Next.

 

If you are prompted for a username and password, cancel and rerun the setup: this means the FTP mirror you connected to has too many users and cannot accept another anonymous connection.

 

In the Select Packages screen, click the View button (upper-right corner).

 

Scroll the package list to locate, in the Package column, openssl (The OpenSSL runtime environment) and openssl-devel (The OpenSSL development environment). (Note: these may be located in the "libs" or "libraries" section.)

 

 

After you click next to each of these three sections, the entry no longer says "Skip" but displays the version it will install, indicating that the component is selected. The screenshot above (not reproduced here) shows how it looks when the packages are already installed. If you missed this during the first install, you can rerun the setup to add these components without harm.

 

Click Next to start the installation.

 

 

 

Running CYGWIN to generate a Certificate Signing Request (CSR)

 

Double-click the Cygwin icon on the desktop.

 

A command window opens with a UNIX bash environment.

 

At the $ prompt, type the following to generate a CSR:

openssl req -new -nodes -keyout privateKeyFilename -out certRequestFilename

For example:

openssl req -new -nodes -keyout private.key -out public.csr

Status messages about the private key generation appear. You will then be prompted for information such as the country name.

 

When prompted for the Common name, enter the DNS name of the Firebox SSL. The name that you enter will appear in the certificate and must match the name expected by PCs that connect to the Firebox SSL. Thus, if you alias DNS names, you will need to use the alias name instead.

 

Submit your CSR (public.csr) to an authorized certificate provider such as FreeSSL, VeriSign, or Thawte. When asked for the type of server the certificate will be used with, indicate "Apache".

 

 

Example:

 

Your group name is currently "mkgroup_l_d". This indicates that not
all domain users and groups are listed in the /etc/passwd and
/etc/group files.
See the man pages for mkpasswd and mkgroup then, for example, run
mkpasswd -l -d > /etc/passwd
mkgroup  -l -d > /etc/group

This message is only displayed once (unless you recreate /etc/group)
and can be safely ignored.

user@cygwininstall
$ openssl req -new -nodes -keyout privatekey.key -out public.csr
Generating a 1024 bit RSA private key
...............................................................++++++
..++++++
writing new private key to 'privatekey.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington   <<<<<<<<<  You cannot abbreviate the state name
Locality Name (eg, city) []:Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:watchguard
Organizational Unit Name (eg, section) []:support
Common Name (eg, YOUR name) []:ssl.watchguard.com    <This is the chosen DNS Name of your Firebox SSL VPN box and MUST match to function.
Email Address []:info@watchguard.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:P@$$word
An optional company name []:

 

 

 

This creates two files on your PC; in this example, public.csr and privatekey.key.

 

Copy them both to your desktop. If you cannot find them, use the Windows search to locate them and check the creation dates on these files to ensure they are the ones you just generated.

 

 

You can test whether your CSR is correct at

 

https://www.t-refer.com/support/keygen/index.html#

 

Click on “Test your CSR”.

 

Open your public.csr file with WordPad and copy and paste the contents into the box.

 

Click Submit.

 

 

If the CSR is valid, the page displays the information held in it. If it is not, an error at the top of the box indicates what the problem is.

 

 

 

server domain name: ssl.watchguard.com
country code: US
state / province: Washington
town / city: Seattle
organization: WatchGuard
organizational unit:

 

 

 

 

Close anything you have open and you are ready to go to RapidSSL to submit your CSR:

 

http://www.rapidssl.com/index_ssl.htm

 

 

You can use other SSL providers as desired. If you use RapidSSL for a free certificate, you can later renew it for only $34 by repeating this process as a renewal.

 

 

Follow the provider's process and give them information based on the WHOIS record for your domain. The owner of the domain will have to accept an email from the certificate provider to complete the process.

 

The certificate provider will want your CSR, so open the public.csr file created earlier with WordPad and copy the certificate request.

 

It will look like the one below.

 

 

-----BEGIN CERTIFICATE REQUEST-----

MIIB8DCCAVkCAQAwgZYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u

MRAwDgYDVQQHEwdTZWF0dGxlMRcwFQYDVQQKEw5GaXJlYm94U3VwcG9ydDEfMB0G

A1UEAxMWc3NsLmZpcmVib3hzdXBwb3J0LmNvbTEmMCQGCSqGSIb3DQEJARYXaW5m

b0BmaXJlYm94c3VwcG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB

ALW4EOFjhTfadadfxQ+cBDpUihZ/48xbHZAkI9XENsTcXrgQkvivBKS/WDZ1wtuN

5BsZvA866+W/MsDeonoXmvhARqQxJNGGcuJv+3Ol5sdUnMmvlY7DAMX+sQwuUosV

RkbEBHtOzdntWgt7rbx8ffsASDFsdeSEFa4;DG89mgBbAgMBAAGgGTAXBgkqhkiG

9w0BCQcxChMINadfa2NWFhYWEwDQYJKoZIhvcNAQEFBQADgYEAeCYR2BeWwOMuZlwW

uQM6inn31pExDrK1wg4Sote6K3PX0IV+C3JprmZ5nWzrk0xbd9QkxKmsdH8lrjf3

sllioFVJIkrckqJWafdaafZ3xm+0Yoy6x2ujHEQOz+5Ptt//Tj2oBP+npqF9aVFAJVe

8sM672iptxkLdhhAhht+hXIB/aQ=

-----END CERTIFICATE REQUEST-----

 

 

 

When requested, copy and paste this CSR to the provider. Submit it and complete whatever steps the provider requires.

 

 

After this the provider may validate you by phone (an automated call) and will email the owner of the domain with an approval request.

 

Once this is completed and your identity has been validated, you will be emailed your signed certificate for your SSL VPN Firebox.

 

All that is left to do is to take this signed certificate, combine it with the private key (privatekey.key) created earlier, and submit the result to the Firebox SSL VPN.

 

Now, with the email approval completed and possibly a phone authentication, the signed certificate is emailed to you.

 

 

Below is the signed certificate emailed to you.

 

 

 

-----BEGIN CERTIFICATE-----

MIIDeTCCAuKgAwIBAgIDAg9fMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT

MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4

IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDUwODI1MTgxMDE5WhcN

MDYwOTI1MTgxMDE5WjCB6DELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFnNzbC5maXJl

Ym94c3VwcG9ydC5jb20xPDA6BgNVBAsTM2h0dHBzOi8vc2VydmljZXMuY2hvaWNl

cG9pbnQubmV0L2dldC5qc3A/R1QwMDk0MjE5MzEnMCUGA1UECxMeU2VlIHd3dy5y

YXBpZHNzbC5jb20vY3BzIChjKTA1MTAwLgYDVQQLEydEb21haW4gQ29udHJvbCBW

YWxpZGF0ZWQgLSBSYXBpZFNTTChUTSkxHzAdBgNVBAMTFnNzbC5maXJlYm94c3Vw

cG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALW4EOFjhTfad5Rt

xQ+cBDpUihZ/48xbHZAkI9XENsTcXrgQkvivBKS/WDZ1wtuN5BsZvA866+W/MsDe

onoXmvhARqQxJNGGcuJv+3Ol5sdUnMmvlY7DAMX+sQwuUosVRkbEBHtOzdntWgt7

rbx8qFWoiqClkll6dfasdfafaa9mgBbAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTw

MB0GA1UdDgQWBBQxxyErHi/ZZtmjGVrrJhJK5osbVzA7BgNVHR8ENDAyMDCgLqAs

hipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYD

VR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUH

AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAIMXN

9p0LuPc2K0XOegIlfMXGA81wEA7Lmgy6916CDOnAQ8Onnz5cVC9GTKtc5hqoeoT5

cY0233/e87vmLY2maXoSgiNlIsagMtv6hMashSxO347muAwBn1nNDRCuq7QvbGXW

zMG1C9SbR+Npf3uxJ2bcSMn2XLm5ILdkCcHBiEY=

-----END CERTIFICATE-----

 

 

Now open the file privatekey.key with WordPad and you will see the private key.

 

 

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQC1uBDhY4U32neUbcUPnAQ6VIoWf+PMWx2QJCPVxDbE3F64EJL4

rwSkv1g2dcLbjeQbGbwPOuvlvzLA3qJ6F5r4QEakMSTRhnLib/tzpebHVJzJr5WO

wwDF/rEMLlKLFUZGxAR7Ts3Z7VoLe628fKhVqIqgpZJZeqdXSgxvPZoAWwIDAQAB

AoGAWFUGF5masdfafgdtgwe+W1/Sd9YC8sx0trVupLjTzGmlLujvo6w5bcvkYh8Dfb3Gk

67a4aBgFW13n54EeebR/RFwPHsVS4CbM142MjJEY+Q4ET19cPkj3wc6j8rml9rUE

L+U+JOJu1EZKTtsbctWy2Edfasfda7dxHzG86E+nP5CJ5ECQQDoV+gCDMWR5aIR

Y1qikzde3Tb86gLfu5jBuoHqW7zWUr3bvVvdHJHiVQ/FVQSBoD65Zv8R/od+Y87E

MD/dXb5JAkEAyDifGLjVmvNWtlFdSUKQMhXE4WgYRZ2b5VeL+CFKzp3zigsCLzTs

re/jsyadcRLfReQ5YngoZjKbPKi2kKiZgwJAAR7LY5ckLLvquCK+gSIsliyC411N

fj6tUeHQVozysCXd/H1BQCOvIGRAmzb5upZHNyWj/TY4+QcKLC//XtXg4QJBAMYD

KWTbt3TM357jjOydBdpiqRl7RzXiD4GbOXQmCMOadna5OGnTX5cNvhU5RU/EqEeI

1C/MQbgAqIIvII6kD10CQHquu3hXqX0M0KAgao8BtFqtjamqFr7j5Bk9EACfmzTB

PoSxx3aW+lCTfgjNh8Do23a7q3JP/NJqi+MvyizCDfM=

-----END RSA PRIVATE KEY-----

 

 

You must put these two together in one file to complete the key pair you will upload to the Firebox SSL VPN, and then change the file extension once you are done.

 

 

Here is what it looks like when put together in a WordPad document.

 

 

 

-----BEGIN RSA PRIVATE KEY-----

MIICXAIBAAKBgQC1uBDhY4U32neUbcUPnAQ6VIoWf+PMWx2QJCPVxDbE3F64EJL4

rwSkv1g2dcLbjeQbGbwPOuvlvzLA3qJ6F5r4QEakMSTRhnLib/tzpebHVJzJr5WO

wwDF/rEMLlKLFUZGxAR7Ts3Z7VoLe628fKhVqIqgpZJZeqdXSgxvPZoAWwIDAQAB

AoGAWFUGF5mZ20GeGQ+W1/Sd9YC8sx0trVupLjTzGmlLujvo6w5bcvkYh8Dfb3Gk

67a4aBgFW13n54EeebR/RFwPHsVS4CbM142MjJEY+Q4ET19cPkj3wc6j8rml9rUE

L+U+dfdsfg5353afgagafdt346226267dxHzG86E+nP5CJ5ECQQDoV+gCDMWR5aIR

Y1qikzde3Tb86gLfu5jBuoHqW7zWUr3bvVvdHJHiVQ/FVQSBoD65Zv8R/od+Y87E

MD/dXb5JAkEAyDifGLjVmvNWtlFdSUKQMhXE4WgYRZ2b5VeL+CFKzp3zigsCLzTs

re/jsyadcRLfReQ5YngoZjKbPKi2kKiZgwJAAR7LY5ckLLvquCK+gSIsliyC411N

fj6tUeHQVozysCXd/H1BQCOvIGRAmzb5upZHNyWj/TY4+QcKLC//XtXg4QJBAMYD

KWTbt3TM357jjOydBdpiqRl7RzXiD4GbOXQmCMOadna5OGnTX5cNvhU5RU/EqEeI

1C/MQbgAqIIvII6kD10CQHquu3hXqX0M0KAgao8BtFqtjamqFr7j5Bk9EACfmzTB

PoSxx3aW+lCTfgjNh8Do23a7q3JP/NJqi+MvyizCDfM=

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

MIIDeTCCAuKgAwIBAgIDAg9fMA0GCSqGSIb3DQEBBAUAMFoxCzAJBgNVBAYTAlVT

MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4

IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDUwODI1MTgxMDE5WhcN

MDYwOTI1MTgxMDE5WjCB6DELMAkGA1UEBhMCVVMxHzAdBgNVBAoTFnNzbC5maXJl

Ym94c3VwcG9ydC5jb20xPDA6BgNVBAsTM2h0dHBzOi8vc2VydmljZXMuY2hvaWNl

cG9pbnQubmV0L2dldC5qc3A/dfatgaetDk0MjE5MzEnMCUGA1UECxMeU2VlIHd3dy5y

YXBpZHNzbC5jb20vY3BzIChjKTA1MTAwLgYDVQQLEydEb21haW4gQ29udHJvbCBW

YWxpZGF0ZWQgLSBSYXBpZFNTTChUTSkxHzAdBgNVBAMTFnNzbC5maXJlYm94c3Vw

cG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALW4EOFjhTfad5Rt

xQ+cBDpUihZ/48xbHZAkI9XENsTcXrgQkvivBKS/WDZ1wtuN5BsZvA866+W/MsDe

onoXmvhARqQxJNGGcuJv+3Ol5sfdsfagadY7DAMX+sQwuUosVRkbEBHtOzdntWgt7

rbx8qFWoiqClkll6p1dKDG89mgBbAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTw

MB0GA1UdDgQWBBQxxyErHi/ZZtmjGVrrJhJK5osbVzA7BgNVHR8ENDAyMDCgLqAs

hipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYD

VR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUH

AwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAIMXN

9p0LuPc2K0XOegIlfMXGA81wEA7Lmgy6916CDOnAQ8Onnz5cVC9GTKtc5hqoeoT5

cY0233/e87vmLY2maXoSgiNlIsagMtv6hMashSxO347muAwBn1nNDRCuq7QvbGXW

zMG1C9SbR+Npf3uxJ2bcSMn2XLm5ILdkCcHBiEY=

-----END CERTIFICATE-----

 

 

 

 

Save this file as a text document and close everything. Rename the file so it has a .PEM file extension.

 

(Make sure Windows isn't hiding "known file extensions" or you won't be able to change the extension. In Windows Explorer (not IE) you can make sure these show by going to Tools > Folder Options > View and unchecking "Hide extensions for known file types".)
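The three openssl steps above (generating the CSR, checking what it contains, and combining the private key with the signed certificate into one .PEM file) as an added, non-interactive shell example. This is not code from the original page or from WatchGuard. It assumes openssl is on the PATH (as it is after the Cygwin install described above, and on any Linux box), picks its own scratch directory and file names, and stands in a self-signed certificate for the one the provider emails back so that it can run offline; on a real deployment the CA-issued certificate goes in its place. It also adds one check the page does not have: that the RSA modulus in the private key equals the one in the certificate, which is the cheapest way to confirm the two halves of the .PEM belong together before uploading.

```shell
#!/bin/sh
# Added example (not from the original page or from WatchGuard): the CSR,
# CSR-check and key+certificate combining steps, run with openssl from a
# Cygwin or Linux shell. Paths and file names are assumptions; the subject
# fields are the ones entered at the prompts in the page's session.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory
KEY="$WORKDIR/privatekey.key"
CSR="$WORKDIR/public.csr"
CRT="$WORKDIR/signed.crt"            # stand-in for the CA-signed certificate
PEM="$WORKDIR/firebox.pem"           # the combined file that gets uploaded

# Step 1: private key and CSR in one command. -subj supplies the Distinguished
# Name the page types in at the prompts; CN must be the DNS name clients use
# for the Firebox SSL VPN. rsa:2048 replaces the 1024-bit default of the
# page's era, which public CAs no longer accept.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=US/ST=Washington/L=Seattle/O=WatchGuard/OU=support/CN=ssl.watchguard.com/emailAddress=info@watchguard.com" \
        >/dev/null 2>&1
}

# Step 2: local equivalent of the provider's "Test your CSR" form. Checks the
# request's self-signature and prints the Common Name it carries, so a typo
# in the DNS name is caught before the request is paid for.
csr_common_name() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$CSR" -noout -subject |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Step 3 (stand-in only): self-sign the CSR with its own key so the rest of
# the example runs offline. The real box gets the certificate the CA issues.
sign_stand_in() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 30 -out "$CRT" \
        >/dev/null 2>&1
}

# Step 4: the page's WordPad step: private key first, certificate second,
# in a single .pem file.
build_pem() {
    cat "$KEY" "$CRT" > "$PEM"
}

# Check A: both PEM blocks are present. Newer openssl writes the key as
# "BEGIN PRIVATE KEY" (PKCS#8) rather than "BEGIN RSA PRIVATE KEY" as on the
# page; the pattern accepts either.
pem_has_both_blocks() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$PEM" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$PEM"
}

# Check B: the key and certificate belong together. A matching pair shares
# the RSA modulus; if the wrong key was pasted in, the moduli differ and the
# combined file is unusable on the appliance.
pem_key_matches_cert() {
    k=$(openssl rsa  -in "$PEM" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$PEM" -noout -modulus 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone run: build everything and report.
make_csr
echo "CSR common name: $(csr_common_name)"
sign_stand_in
build_pem
if pem_has_both_blocks && pem_key_matches_cert; then
    echo "combined file ready for upload: $PEM"
else
    echo "key and certificate do not match; do not upload" >&2
    exit 1
fi
```

The modulus comparison is the step worth keeping even if the rest is done by hand: run the two `-modulus` commands against the finished .PEM before uploading, and reboot the box only when they print the same value. Note also that the page's session shows a 1024-bit key, which was the openssl default at the time; request 2048 bits or more today, or the provider will refuse the CSR.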

 

Now with the file you are ready to go!

 

Go to the SSL VPN administration page and you can upload the .PEM file to your Firebox SSL VPN.

 

Once complete, you must reboot the box. Be sure to make a backup of your configuration once complete so you have this certificate and all your settings backed up in case you need to restore. In most cases this certificate pair CANNOT be replaced without doing the process again and paying again, unless you purchased reissue insurance. So secure both the .PEM file and the backup file from the Firebox SSL VPN.
