Renew Third Party Cert

When trying to upload my new third party cert as a .pem file to replace the expiring cert on my firebox, I receive the error "the certificate already exists".
Thinking it was a naming issue, I imported the root cert in Windows, then exported it as a Base-64 encoded X.509 .cer file and renamed it.

Same error, file already exists when importing into the FB.

Do I need to delete the current third party cert before I can upload the new one?
That doesn't seem right.
I assumed I could import the new cert and go into Policy Manager > Setup > Certificates > Web Server and choose the new cert from the drop down menu and make it the active FB web cert.

The CSR was originally generated from the FB so no worry about importing the certificate chain in the correct order.

I'm missing something.

Thanks,

- Doug

It's usually something simple.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator
    You may need to de-select the cert to be able to replace it. The firewall won't allow the cert it's currently using to be touched.

    Go to Setup -> Certificates in policy manager, or System -> Certificates in WebUI.
    -Click the firebox web server certificate tab.
    -Change the option selected to the top option (firebox generated) and save.
    -Try uploading the certificate now.
    -Go back to Setup -> Certificates, and change back to the new one.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Well, that sounded like a great solution, but didn't work.

    I'll wait until off hours and remove the current cert and try adding the new one.

    Don't want to kick anyone off the VPN or Access Portal while I play with the certs.

    I'll let you know if that works, and if not maybe open a ticket.

    Thanks,

    - Doug

    It's usually something simple.

  • james.carson Moderator, WatchGuard Representative

    Hi @shaazaminator Thanks for the follow up.

    There's likely something different in the certificate then -- I'd need to compare them side by side to see if that's the case.

    If the issue persists, please let me know what your case number ends up being and I can make sure it ends up in the right place.

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    I created a case #01642911 after failing to get the cert to upload.

    Thanks for helping!

    - Doug

    It's usually something simple.

  • After deleting the existing cert, and still failing to install the new cert, I generated a new CSR, and re-keyed the cert.

    The re-keyed cert installed fine. Not certain why the renewed cert didn't install and I had to re-key it, but that's the way the pickle squirts sometimes. :-)

    - Doug

    It's usually something simple.
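
The side-by-side comparison suggested in the thread, as an added example that is not part of the original posts or WatchGuard's own tooling: it compares subject, serial, expiry and public key of two PEM certificates with `openssl`. The file names, the `fw.example.test` subject and the self-signed sample certificates are constructed stand-ins, on the assumption that a renewal reuses the original key pair while a re-key does not.

```shell
#!/bin/sh
# Added example: field-by-field comparison of two PEM certificates.

# SHA-256 over the DER-encoded public key carried in a certificate.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Print one certificate field; $2 is subject, serial or enddate.
cert_field() {
    openssl x509 -in "$1" -noout "-$2"
}

# Print "<field> same" or "<field> differs" for each compared field.
compare_certs() {
    for f in subject serial enddate; do
        if [ "$(cert_field "$1" "$f")" = "$(cert_field "$2" "$f")" ]; then
            echo "$f same"
        else
            echo "$f differs"
        fi
    done
    if [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]; then
        echo "public_key same"
    else
        echo "public_key differs"
    fi
}

# Constructed sample data: self-signed stand-ins for the three certificates.
make_samples() {
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/old.key" -subj "/CN=fw.example.test" \
        -days 30 -set_serial 1 -out "$1/expiring.pem"
    openssl req -x509 -new -key "$1/old.key" -subj "/CN=fw.example.test" \
        -days 365 -set_serial 2 -out "$1/renewed.pem"
    openssl req -x509 -new -key "$1/new.key" -subj "/CN=fw.example.test" \
        -days 365 -set_serial 3 -out "$1/rekeyed.pem"
}

dir=$(mktemp -d)
make_samples "$dir"
echo "expiring vs renewed:"; compare_certs "$dir/expiring.pem" "$dir/renewed.pem"
echo "expiring vs rekeyed:"; compare_certs "$dir/expiring.pem" "$dir/rekeyed.pem"
rm -rf "$dir"
```

With real files, call `compare_certs` on the certificate exported from the device and the one received from the CA.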
