How to renew the WatchGuard default self signed web certificate


While working with a client’s WatchGuard XTM firewall recently, I was asked to resolve an issue with the web certificate: the default self-signed certificate had expired.

In this post I walk through the steps to renew the default web certificate on a WatchGuard XTM device.

Prior to making any configuration changes, always make a backup of the current configuration.

1. Connect to WatchGuard System Manager, open Policy Manager, then select File, Save, As File. I like to name the saved configuration file in the following format: 20161113-cjg-1-clientXTM515.

This allows you to make multiple configuration backups in a single day and sort them very easily.

2. In WatchGuard System Manager you can see the two certificates that have expired.

3. In Policy Manager, select the Setup menu, Authentication, Web Server Certificate.

4. Change the setting from Default certificate signed by Firebox to Custom certificate signed by Firebox. Enter test for the Common Name, Organization Name and Organization Unit Name, then click OK.

5. Save the configuration to the Firebox (the configuration file is saved as part of the process).

6. You can now see you have a valid certificate with the details o=test CA ou=test cn=test: Valid.

7. In Policy Manager go back to the Setup menu, Authentication, Web Server Certificate. Select Default certificate signed by Firebox, click OK and save the configuration to the Firebox again.

8. Your WatchGuard device now has a new self-signed certificate.
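After the renewal it is worth confirming, from a client machine, that the Firebox now presents a certificate whose notAfter date is in the future, and ideally re-running that check from monitoring so the next expiry is caught early. The script below is an added example, not code from the original post or from WatchGuard. It uses only the Python standard library: a small DER walker reads the Validity field of the X.509 certificate, because `ssl`'s `getpeercert()` returns an empty dict for a self-signed certificate unless verification succeeded. Port 8080 is an assumption (the Fireware Web UI default) and not taken from the post; the embedded sample certificate is a constructed, unsigned skeleton that exists only so the parser can be exercised offline.

```python
"""Check the validity window of a Firebox's HTTPS management certificate.
Added example (not part of the original post); standard library only."""
import datetime as dt
import socket
import ssl
import sys


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Yield (tag, value) for every element inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        yield tag, val


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280: YY 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining fields: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = list(_children(fields[3][1]))[:2]
    return _parse_time(t1, v1), _parse_time(t2, v2)


def days_remaining(der, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (certificate_validity(der)[1] - now).days


def fetch_certificate(host, port=8080, timeout=5.0):
    """Fetch the DER certificate the Firebox presents on its HTTPS management port.
    Port 8080 is an assumption (Fireware Web UI default). Verification is off on
    purpose: the default certificate is self-signed and we only want its dates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample so the parser can be exercised offline ----------------
def _der(tag, value):
    """Minimal DER encoder covering short and long length forms."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_certificate(not_before, not_after):
    """Constructed, unsigned certificate skeleton with the given validity window.
    Structurally an X.509 Certificate, but with no key or signature: it exists
    only to test the parser and is not a real Firebox certificate."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))          # version v3
               + _der(0x02, b"\x01")                    # serialNumber 1
               + sha256_rsa                             # signature algorithm
               + _der(0x30, b"")                        # issuer (empty Name)
               + _der(0x30, utc(not_before) + utc(not_after))
               + _der(0x30, b"")                        # subject (empty Name)
               + _der(0x30, b""))                       # subjectPublicKeyInfo placeholder
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


SAMPLE_DER = build_sample_certificate(
    dt.datetime(2016, 11, 13, tzinfo=dt.timezone.utc),
    dt.datetime(2017, 11, 13, tzinfo=dt.timezone.utc))


def sample_days_remaining(year, month, day):
    """Days left on the constructed sample as seen from the given UTC date."""
    return days_remaining(SAMPLE_DER, dt.datetime(year, month, day, tzinfo=dt.timezone.utc))


if __name__ == "__main__":
    der = fetch_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DER
    nb, na = certificate_validity(der)
    print(f"notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} days_remaining={days_remaining(der)}")
```

Run it as `python firebox_cert_check.py <firebox-ip>` to query a live device; with no argument it reports on the constructed sample. For monitoring, alert when `days_remaining` drops below a threshold of your choosing (a month gives time to repeat the renewal above), rather than waiting for browsers or an integration to raise the expired certificate as a fault.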


2 thoughts on “How to renew the WatchGuard default self signed web certificate”

  1. pat

    Thanks for this walk-through. I used it successfully to upgrade the default certs in v11.x to the new SHA256 key in v12 as per WatchGuard’s recommendations in the release notes, Sept 9, 2017.

  2. Richard

    Thanks for your guide. I use ConnectWise integration and expired certificates are one of the issues that are raised by the integration, and I couldn’t find a way to remove the expired self-signed one until now.
