Importing 3rd party certificate fails

I'm trying to import a 3rd party certificate for my firebox but always get an error saying failed to import certificate. I'm following the instructions from but it still fails.
What I've done is the following -

1 Generated CSR using openssl
2 Generated certificate (Sectigo Positive SSL)
3 Tried importing the CA Bundle with root and intermediate certificates to the firebox (fails with general error saying only import failed.)
4 Tried importing the signed certificate from Sectigo (fails with general error saying only import failed.)

Some questions -

There is a note on the WG URL for installing 3rd party certificates that says the following :

If you create a certificate with third-party software such as OpenSSL, the EKU field in the certificate must be populated with the values for TLS Web Server Authentication and TLS Web Client Authentication. These values are required for any web server certificates imported on the Firebox. A CSR generated on the Firebox automatically includes these EKU values.

How can this be done and are there any step by step examples for adding these values to the EKU field? Are these values added when generating the CSR or added when generating the certificate? What specific values need to be inputted?

What is the proper way to import the CA bundle to the firebox? (step by step)

Is there any way I can see more info (logs) about why the CA Bundle and Certificate imports are failing? The general error tells me nothing.

Any help would be greatly appreciated. Thanks


  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @billb0169

    You'll need to import the root and any intermediaries in order one by one to build the certificate chain, if the firewall doesn't have them already. The bundles provided by the CAs aren't always right, or are missing pieces, so the easiest way to do this is to look at the cert in windows using windows' certificate viewer.

    This should let you look at each cert in the chain, and export each one by one.

    Once you have each cert, import the root and intermediaries in order as webserver/other.

    When you're to your certificate, since you created the CSR elsewhere, you'll need to import the public/private key together. The window should look something like:

    ---Begin public key---
    cert data
    ---End public key---
    ---Begin private key---
    private key data
    ---End private key---

    If you're still seeing errors, I'd suggest opening a case by using the support center button on the top right of this page, so that one of our technicians can look at it with you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • edited August 2019

    Do you have a Windows server from which you can generate the CSR? My guess is No, because you are using OpenSSL, but I had to ask. I always do mine from a Windows server, then export it from the server as a PFX file with the private key. With a PFX file and included private key, it is a simple import to a Firebox. Using a PFX includes the other needed certs.

    Gregg Hill

  • Thanks for your feedback guys. Just one additional question. How do you know what is the correct order for deploying the Intermediate and Root certs?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hill @billb0169

    You can use the windows cert viewer (look in the certification path tab.)

    (See here)

    You can then copy each one to a file by itself by clicking view certificate, then going to details, then copy to file. (Choose the Base-64 encoded x509 .cer type.)

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thanks James. I'll give it a shot.

  • I think it's root first, then any intermediates in order of closest-to-root to down to furthest-from-root, then your cert. Most certs I have seen only have one intermediate, but I have a few with two intermediates.

    Gregg Hill

  • Thanks Gregg!

  • If you have the PFX option, DO IT. Super easy to import!

    Gregg Hill

Sign In to comment.