Dimension Certificate
I have a Dimension server hosted on the cloud. Every time clients access the server they will encounter the certificate warning "Site not secure". Can the Firebox or Dimension self-sign its certificate for it to be exported? And can I import it to the clients' Firebox and web browser to prevent these warning pages?
- Greg Gilbraith
Best Answer
Eugene_ WatchGuard Representative
Hello Greg,
Regarding your questions, yes, the Firebox and Dimension self-signed certificate can be exported and then imported onto your client computers. Really though, you just need to export the self-signed Root CA from the Firebox and Dimension server and import those into the client computer's Certificate Store (under Trusted Root Certificate Authorities) to accomplish this goal.
Alternatively you can also get 3rd party Web Server certificates signed by a 3rd party Certificate Authority and import required certs (Root CA, Intermediate and Web Server) onto your Firebox and Dimension Server.
Quick Note on Dimension and Certs: If you do go the 3rd party certificate route and do not generate the Certificate Signing Request (CSR) for the cert on the Dimension server, the only way to import the signed certificate will be by using a PFX file.
Cheers,
-- Eugene Torre | Support Engineer
5
Answers
Hello Greg,
The default Dimension web server certificate is generated by the WatchGuard Agent and the certificate's Subject does not include any verifiable information. Your web client would not be able to validate the chain of trust even if you were to add the signing root certificate to your client's CA store.
To get rid of the certificate warning, generate a CSR from Certificate Management tools and get it signed by a public CA. Import the signed certificate into Dimension.
> Hello Greg,
>
> Regarding your questions, yes, the Firebox and Dimension self-signed certificate can be exported and then imported onto your client computers. Really though, you just need to export the self-signed Root CA from the Firebox and Dimension server and import those into the client computer's Certificate Store (under Trusted Root Certificate Authorities) to accomplish this goal.
>
> Alternatively you can also get 3rd party Web Server certificates signed by a 3rd party Certificate Authority and import required certs (Root CA, Intermediate and Web Server) onto your Firebox and Dimension Server.
>
> Quick Note on Dimension and Certs: If you do go the 3rd party certificate route and do not generate the Certificate Signing Request (CSR) for the cert on the Dimension server, the only way to import the signed certificate will be by using a PFX file.
>
> Cheers,
>
> -- Eugene Torre | Support Engineer
Just tried to import a cert that I generated outside of the Dimension. This doesn't seem to work.
I converted the external cert to a PFX, but if I try to import that I get an error "invalid pfx format".
It would be really nice if WatchGuard would update their install tutorials to reflect what's needed...
Import PFX... But no mention of the actual format that is needed to import?
Import the PFX, export it again as a PFX...
Smh
Hi @BR0KK85
If importing and exporting made your import work, it's very likely that the original PFX file didn't include an intermediary certificate that IIS then put in the chain when it was exported. Did your file size get larger when it was exported?
If your CA doesn't provide the cert chain in the PFX file, the Dimension server may not trust it, as it won't have the certificate chain (or possibly even the root cert.) I'd suggest asking your CA to provide this in the PFX file.
The Firebox and Dimension need to fully trust a certificate before they will import it, to prevent broken or invalid certs, or certs with other errors, from being used.
-James Carson
WatchGuard Customer Support
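
One way to check a PFX for the missing-chain condition described in the reply above before attempting an import, as an added example that is not part of the original thread or WatchGuard tooling. It assumes the OpenSSL command-line tool is installed; the demo PKI, host name, file names and the password `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not WatchGuard tooling); file names and password are constructed.

# Print how many certificates a PFX contains (1 = leaf only, no chain).
pfx_cert_count() {  # usage: pfx_cert_count FILE PASSWORD
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed only if the leaf verifies to ROOT using the CA certs bundled in the PFX.
pfx_chain_ok() {  # usage: pfx_chain_ok FILE PASSWORD ROOT_PEM
  local t rc; t=$(mktemp -d) || return 2
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" -out "$t/ca.pem" 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' "$t/ca.pem" 2>/dev/null; then
    openssl verify -CAfile "$3" -untrusted "$t/ca.pem" "$t/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$t/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?; rm -rf "$t"; return "$rc"
}

# Build a constructed root -> intermediate -> leaf PKI and two PFX files in DIR.
make_demo_pfx() {  # usage: make_demo_pfx DIR
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dimension.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # Leaf and key only: the shape of file a CA or converter may hand back.
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -passout pass:demo -out "$d/leaf-only.pfx"
  # Same leaf and key, with the intermediate bundled via -certfile.
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -certfile "$d/int.pem" -passout pass:demo -out "$d/with-chain.pfx"
}
```

Against a real file, run `pfx_cert_count` first: a count of 1 means the PFX carries no intermediate, and `-certfile` on the `openssl pkcs12 -export` step is where the CA's chain file gets bundled in.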