Re-cycling an SBS 2008 SSL Certificate on a WatchGuard Firewall

I recently rolled out the SSL VPN feature on my WatchGuard M200 Firebox. This will replace the SBS 2008 PPTP VPN for Mobile Users. PPTP is no longer regarded as secure.

The SSL VPN itself works fine, but the SSL Certificate is “self generated” by the Firebox, so users receive a security warning when they connect.

Since my SBS 2008 has an SSL Certificate installed (purchased from GoDaddy), I wondered about re-using this on the Firebox.

My first thought was to visit the GoDaddy web site and download the existing SSL Certificate. However, I soon realised that the Certificate was “tied” to the SBS, and therefore I would not be able to load it into the Firebox “as is”.

The reason for this is that the original Certificate Request was generated on the SBS, and in addition to the Certificate itself, there is also a “matching” Private Key (which stays on the SBS).

In order to load the SSL Certificate onto another host, you need BOTH the Certificate AND the Private Key.

The procedure for doing this is fairly simple:

From the SBS 2008 Console, load up a “Certificates” Snap-In for the “Local Machine”.

180501 Certificates Snap-In 001.jpg

180501 Certificates Snap-In 002.jpg

180501 Certificates Snap-In 003.jpg

Identify the GoDaddy SSL Certificate, and then choose “Export” from the context menu.

My certificate is for ““. This points to the Public WAN Interface of my Network.

Note: This process DOES NOT remove the Certificate from the SBS. We are merely “making a copy” to allow us to upload the Certificate to another host.

180430 Export SSL Certificate 001.jpg

Work through the Export Wizard, and be sure to export the “Private Key” in addition to the Certificate itself.

180430 Export SSL Certificate 002.jpg

180430 Export SSL Certificate 003.jpg

180430 Export SSL Certificate 004.jpg

180430 Export SSL Certificate 005.jpg

Generate a password and make a note of it (you will need it in the next step)!

180430 Export SSL Certificate 006.jpg

180430 Export SSL Certificate 007.jpg

180430 Export SSL Certificate 008.jpg

We now have a “.pfx” file containing both the “Certificate” and matching “Private Key”.

The next step will be performed using the WatchGuard Console.

I recommend you make a backup image of the Firebox before continuing!

Choose “Certificates” from within the System Menu, and then “Import Certificate”.

180501 Certificates Snap-In 020.jpg

180501 Certificates Snap-In 021.jpg

Set the Certificate Type to “PFX”, and choose the “pfx” file you created in the previous step. The password is the one you created above.

Click “Import” when are ready to continue.

180501 Certificates Snap-In 022.jpg

You should receive a confirmation that the certificate has been successfully imported.

The final step is to link the SSL Certificate to the Firebox Web Interface.

180501 Certificates Snap-In 023.jpg

If you wish to test the certificate, you can do that here:

That’s It.

I hope you found this post useful.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s