Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure PKI Certificates

To create a PKI certificate, use a predefined template or specify custom settings. Certificate templates can also be added and edited. You can also export and import certificates.

Before you Begin

Before creating your Barracuda NG Control Center PKI certificates, you must create and configure the PKI service. For more information, see How to Configure the PKI Service.

Create a Certificate

  1. Click the PKI tab.
  2. Click Lock.
  3. Click Create Certificate.
  4. In the Create Certificate window, specify the general settings for the certificate:
    • Signing CA – Select the certificate authority that must sign the new certificate.
    • CA Sign Password – The password required for the CA signature. If you do not enter a password, a request is created instead of a certificate.
    • Template – Select a predefined template that you can edit to create the certificate.
  5. From the General Settings, Subject, and V3 Extensions tabs, you can edit additional certificate settings. For more information about these settings, see PKI Certificate Settings.

Configure a Certificate Template

You can add a new template or edit an existing template.

  1. Click the PKI tab.
  2. Click Lock.
  3. Click Edit Templates.
  4. To edit an existing template:
    1. From the Select Template list, select the required template.
      From the General Settings, Subject, and V3 Extensions tabs, edit the template settings. For more information about these settings, see PKI Certificate Settings.
    2. Click Save Template.
  5. To add a new certificate template:
    1. In the Select Template field, enter a name for the new template.
    2. From the General Settings, Subject, and V3 Extensions tabs, edit the template settings. For more information about these settings, see PKI Certificate Settings. 
    3. Click Save Template.

Try to avoid deleting predefined templates. A predefined template can only be restored by deleting and recreating the PKI service. When you delete the PKI service, all PKI certificates are also deleted.

Import a Certificate

  1. Click the PKI tab.
  2. Click Lock.
  3. Click Import Certificate.
  4. In the Import Certificate window, select the required certificate and enter the certificate password.
  5. Click Import. The PKI reloads the certificates automatically. If available, an end-user certificate is added to the signing certificate.

Export a Certificate

  1. Click the PKI tab.
  2. Click Lock.
  3. Right-click the certificate and select Export Certificate.
  4. In the Export Certificate window, select the export format and private key.
  5. Click Save to File.

View and Manage Certificates

On the PKI page, the certificates are listed in a hierarchical tree. The top level shows all root certificates, which must be certificate authorities. In addition, the box certificates provide information about all the Barracuda NG Firewalls that are managed by the Barracuda NG Control Center. This information is generated automatically when the PKI service is started. By default, the common name of each certificate is displayed. To display the full subject of each certificate, right-click a root node and select Show Full Subject. Each CA node contains four subdirectories:

  • Valid – Contains all valid certificates that have not expired.
  • Pending – Contains all unsigned certificate requests.
  • Expired – Contains all expired certificates.
  • Revoked – Contains all certificates that have been revoked by the administrator. 

The following table provides instructions on how to manage the certificates, requests, and private keys in the subdirectories of each CA node:

Task – Instructions

View Certificate Settings

Right-click the certificate and select View Certificate. In the View Certificate window, all of the certificate settings are displayed.

Revoke a Certificate

In the Valid folder, right-click the certificate and select Revoke Certificate. When prompted, enter the parent CA's Sign Password. The revoked certificate is moved to the Revoked folder.

Delete a Request

In the Pending directory, right-click the request and select Delete Request. Click Yes.

Approve a Request

Right-click the request and select Approve Request. A window opens and displays the values of the request. Enter the sign password of the CA.

Export a Private Key from a Certificate

Right-click the certificate and select Export Private Key. In the Export Private Key window, select an export format. You can save the private key to a file or the clipboard.

When exporting to the clipboard, only the PEM format is allowed because DER is a binary format.

Export a CRL

A Certificate Revocation List (CRL) is a list of client certificates that were revoked before they expired. To export a CRL, right-click the CA and select Export CRL. In the Export CRL window, select an export format. Enter the CA password and how many days the CRL is valid. You can save the CRL to a file, clipboard, or distribution points.

The distribution points are on the LDAP server, as configured in the PKI service configuration, and on the local HTTP server of the CC box. The CRL is accessible at:

ldap://mcip/cn=CommonName,dc=AsInConfig

ldaps://mcip/cn=CommonName,dc=AsInConfig

mcip/pki/CommonName.crl

Example:

192.168.10.10/pki/VPN-Root.crl

ldaps://192.168.10.10/cn=VPN-Root,dc=barracuda,dc=com

To grant access to the local HTTP server, create a local redirect rule for the Barracuda NG Control Center.

Search a Certificate

Right-click the certificate and select Search Certificate. In the Search Certificate window, enter your search criteria. For example, if you enter lient in the Common Name field, all certificates containing this string in the common name are found. Certificates that contain words such as Client or MILIENT are listed in your search results. To step through all the certificates in your search results, press F3.
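
A system that consumes the CRL exported under Export a CRL can confirm that a revoked certificate is rejected, whichever export format was chosen, and that a missing or unreadable CRL is never treated as a pass. The following shell script is an added example, not Barracuda code: it assumes the openssl CLI is installed, and the function names, the throwaway CA named VPN-Root and the client-a/client-b certificates are constructed for the demonstration.

```shell
# Constructed demo (throwaway keys and names); assumes the openssl CLI is installed.

# make_demo_pki DIR: build a test CA "VPN-Root", issue client-a and client-b,
# revoke client-a, and write a 7-day CRL in both export formats (PEM and DER).
make_demo_pki() {
    d=$1; c="$d/ca.cnf"; : > "$d/index.txt"; echo 01 > "$d/serial"
    printf '%s\n' "[ca]" "default_ca=demo" "[demo]" "database=$d/index.txt" \
        "new_certs_dir=$d" "serial=$d/serial" "certificate=$d/ca.pem" \
        "private_key=$d/ca.key" "default_md=sha256" "default_days=30" \
        "policy=pol" "[pol]" "commonName=supplied" "[req]" \
        "distinguished_name=dn" "x509_extensions=v3_ca" "[dn]" "[v3_ca]" \
        "basicConstraints=critical,CA:TRUE" "keyUsage=keyCertSign,cRLSign" > "$c"
    openssl req -x509 -config "$c" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=VPN-Root" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    for n in a b; do
        openssl req -config "$c" -newkey rsa:2048 -nodes -subj "/CN=client-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
        openssl ca -batch -config "$c" -in "$d/$n.csr" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    openssl ca -config "$c" -revoke "$d/a.pem" 2>/dev/null &&
    openssl ca -config "$c" -gencrl -crldays 7 -out "$d/crl.pem" 2>/dev/null &&
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/crl.der"
}

# crl_pem CRL: write the CRL to stdout as PEM, whichever export format it is in.
crl_pem() {
    openssl crl -in "$1" 2>/dev/null || openssl crl -inform DER -in "$1" 2>/dev/null
}

# crl_status CRL CA_CERT CERT: prints good, revoked, or error. Fails closed:
# a missing, unreadable or expired CRL yields "error", never "good".
crl_status() {
    t=$(mktemp) && crl_pem "$1" > "$t" || { rm -f "$t"; echo error; return; }
    out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$t" "$3" 2>&1) || true
    rm -f "$t"
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo good ;;
        *) echo error ;;
    esac
}

# crl_next_update CRL: prints the nextUpdate field, the end of the "days valid" window.
crl_next_update() { crl_pem "$1" | openssl crl -noout -nextupdate; }

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
echo "client-a: $(crl_status "$demo/crl.der" "$demo/ca.pem" "$demo/a.pem")"
echo "client-b: $(crl_status "$demo/crl.pem" "$demo/ca.pem" "$demo/b.pem")"
echo "no CRL:   $(crl_status "$demo/missing.crl" "$demo/ca.pem" "$demo/b.pem")"
crl_next_update "$demo/crl.pem"
```

To check a real export, pass crl_status the CRL file saved from the Control Center, the CA certificate and a client certificate. A result of error should be handled like revoked until a current CRL is available.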