How to Use and Manage Certificates with the Certificate Manager
The Barracuda Firewall uses the Certificate Manager as a central repository to manage all X.509 certificates on the device. You can create self-signed certificates or upload your own certificates. All certificates are available for all Barracuda Firewall services, as long as they meet the requirements for that service.
Disallow Private Key Download — Selecting this option will lock the private key corresponding to this certificate. Normally, certificates are downloaded in PEM format, which includes the private key and certificate. When a key is locked, the PEM file will only contain the certificate.
Expiration Date — Click the calendar icon to select a date.
For a Client–to–Site VPN connection to a mobile device, set the DNS to the FQDN of the Barracuda Firewall. The FQDN must resolve to the IP address of the VPN service on the Barracuda Firewall.
Add to VPN Certificates — Automatically add this certificate to the list of VPN certificates. You can also manually add the certificate to the VPN certificates later on the VPN > Settings page. Click Save .
Upload a Certificate
You can upload certificates in PEM or PKCS12 files. PEM files can either contain a single certificate or multiple certificates. Multiple PEM files must contain one or more certificates and the private key in order to create a complete chain of trust.
- Go to ADVANCED > Certificate Manager . Click Upload. The Upload Certificate pop-over opens. Enter the Certificate Name Select the Certificate Type to match your certificate file. (optional) If you want to use the certificate for the VPN service, select Add to VPN Certificates . Click Browse to select the Certificate File.
(multiple PEM files) Click Browse to select the Certificate Key File . (optional) Enter a Certificate Password .
(optional) Select Disallow Private Key Download. This action cannot be reversed.
Private keys are not included in the backup. Download the private key and keep it in a safe location.
View a Certificate or Certificate Signing Request (CSR)
- Click Details to see the complete certificate information. Click Lock Key to disable the private key download. This change is permanent. Click Replace Upload to upload a new certificate. You cannot upload a new certificate if the old certificate has already expired. Click Replace Self-Signed to create a new self-signed certificate. You cannot create a new self-signed certificate if the old certificate has already expired. Click Download Certificate to download the certificate in a PEM file. Click Download Key to download the private key in a PEM file. Click Download CSR to download a *.csr file. Submit the CSR to your certificate authority to received signed SSL certificates.
Delete a Certificate
You cannot delete certificates that are in use. Change the certificate for all services listed in the Usage column and then click in the Action column to delete the certificate.
Add Certificates to the VPN Certificates
Certificates that are to be used for the VPN service must be added to the VPN certificates. If you did not select Add to VPN Certificates when creating or uploading the certificates, you can also add it to the VPN Certificates in the VPN Settings. Root CA certificates must be CA certificates.
- Go to VPN > Settings . Select the certificate you want to add from the Local Certificates dropdown and click + .
Select the certificate you want to add from the Root CA Certificates dropdown and click + .
Select the SSL Inspection Certificate
You can only use certificates with the CA option for SSL Inspection.
- Go to FIREWALL > Settings . Verify that Enable SSL Inspection is set to Yes . Select the certificate from the Select Certificates dropdown. Click Save .
Select the SSL Certificate for the Web Interface
- Go to ADVANCED > Secure Administration.
Select the certificate from the Certificate for SSL dropdown. Click Save .