Extract private keys from Watchguard Firebox

dregan88 · March 10, 2025, 11:10am

Hey Everyone!

We took over a client recently that has a Firebox. All 80 employees are configured to VPN directly to the WG using IKE. The previous MSP deployed certificates to all PCs required for authentication.

We are looking at upgrading the firewalls but want minimal impact to users. We were hoping to be able to export the full private/public key pair from the WG but it does not look like its possible. We are able to export the public keys through the interface but cannot get access to the private ones.

Has anyone had any experience in trying to get both private and public keys out of a firebox?

xtc46 · March 10, 2025, 11:10am

And if you CAN extract the private key, you should probably use another device because that’s absolutely stupid.

underwear11 · March 10, 2025, 11:10am

This. If you could extract the private jet from the device, sunriver rise could have as well. That makes it potentially compromised and should be destroyed.

Corn-traveler · March 10, 2025, 11:10am

This is the answer. You will want to download the new certificate and deploy it to computers using your RMM before you change out the firebox.