How to create a DPI-SSL certificate for the purpose of DPI-SSL certificate resigning

Description

SonicWall DPI-SSL is a proxy for SSL connections, acting as an intermediary to provide secure connections between the client PC and the secure website. SonicWall DPI-SSL accepts the certificate offered by the secure website and re-signs it before sending it to the client's browser. The DPI-SSL service acts as a client when it accepts the secure website's certificate, and as a Certificate Authority (CA) when it re-signs that certificate before sending it to the PC. To establish trust between the client PC and SonicWall DPI-SSL, the SonicWall DPI-SSL CA certificate must be installed in the client's Trusted Root Certification Authorities store.

Resolution

The SonicWall has two types of certificates:

  • Certificate for HTTPS management
    • The self-signed certificate for HTTPS management is also called the device certificate
    • The self-signed device certificate can be replaced with a signed device certificate
    • The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
  • DPI-SSL certificate
    • The DPI-SSL CA certificate is used for establishing trust between a client PC and SonicWall DPI-SSL
    • The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
    • In some cases the customer may decide to replace the default DPI-SSL CA certificate
  • If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate has Certificate Signing or Certificate Re-signing authority

 

Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing

[Image: default SonicWall DPI-SSL CA certificate details]

What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?

  • You cannot request a DPI-SSL CA certificate from a commercial certificate authority
    • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
  • You can create certificates from a private Certificate Authority Server
    • The customer can implement their own Certificate Authority server, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
    • The customer may also choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
    • The customer may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority

 

 

Requesting a DPI-SSL certificate from a Microsoft CA Server

Step 1: Generating a Certificate Enrollment Request (CER)
Step 2: Export the pending Certificate Enrollment Request (CER)
Step 3: Open the export file and copy to WordPad for temporary storage (save to a file)
Step 4: Go to Microsoft CA Server and request a certificate
Step 5: Request a certificate that has re-signing capability; here we are using the "Subordinate Certification Authority" template as an example.
Step 6: Download from the Microsoft CA Server and save to a local file
Step 7: Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
Step 8: Import the DPI-SSL CA root certificate to SonicWall
Step 9: View the imported certificate under DPI-SSL | Client SSL


Step 1: Generating a Certificate Enrollment Request (CER)
   

  • Go to System | Certificates and click on New signing Request

  • Complete the "Generate Certificate Signing Request" form and select Generate

    NOTE: A minimum of SHA256 and 2048 bits is required.


Step 2: Export the pending Certificate Enrollment Request (CER)

  • Go to System | Certificates and click the "Configure" button for your pending certificate request
  • Click on Export in your Export Certificate Request popup

Step 3: Open the export file with Notepad for temporary storage

Step 4: Go to Microsoft CA Server and request a certificate

 

 

  • Request a certificate
  • Submit an advanced certificate request

Click on advanced certificate request
 
Step 5: Request a certificate that has re-signing capability; here we are using the "Subordinate Certification Authority" template as an example.

 

  • Paste the Certificate Enrollment Request text (from your WordPad file) into the Saved Request box
  • In the Certificate Template drop-down menu, select the "Subordinate Certification Authority" template
  • A Subordinate CA template has certificate re-signing capability
  • Do not use the "Web Server" template (this template cannot do re-signing)
  • Click Submit


 


Step 6: Download from the Microsoft CA Server and save to a local file

 

  • Select the option "Download certificate chain"
  • Save the certificate (the default file name is certnew.p7b; rename if needed)

Step 7: Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

  • Go to System | Certificates and click the "Configure" button for your pending certificate request
  • Browse to the new certificate file
  • Select file
  • Upload file

Step 8: Import the DPI-SSL CA root certificate to SonicWall

 

  • Download and save the CA root certificate
  • Go to System | Certificates and select Import
  • Browse to the CA certificate file
  • Select file
  • Upload file


Step 9: View the imported certificate under DPI-SSL | Client SSL

 

  • The newly installed CA certificate is available for DPI-SSL services


Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released in September 2017. This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 and later firmware.

The SonicWall has two types of certificates:

  • Certificate for HTTPS management
    • The self-signed certificate for HTTPS management is also called the device certificate
    • The self-signed device certificate can be replaced with a signed device certificate
    • The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
  • DPI-SSL certificate
    • The DPI-SSL CA certificate is used for establishing trust between a client PC and SonicWall DPI-SSL
    • The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
    • In some cases the customer may decide to replace the default DPI-SSL CA certificate
  • If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate has Certificate Signing or Certificate Re-signing authority

 

Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing

[Image: default SonicWall DPI-SSL CA certificate details]

What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?

  • You cannot request a DPI-SSL CA certificate from a commercial certificate authority
    • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
  • You can create certificates from a private Certificate Authority Server
    • The customer can implement their own Certificate Authority server, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
    • The customer may also choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
    • The customer may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority

 

 

Requesting a DPI-SSL certificate from a Microsoft CA Server

Step 1: Generating a Certificate Enrollment Request (CER)
Step 2: Export the pending Certificate Enrollment Request (CER)
Step 3: Open the export file and copy to WordPad for temporary storage (save to a file)
Step 4: Go to Microsoft CA Server and request a certificate
Step 5: Request a certificate that has re-signing capability; here we are using the "Subordinate Certification Authority" template as an example.
Step 6: Download from the Microsoft CA Server and save to a local file
Step 7: Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
Step 8: Import the DPI-SSL CA root certificate to SonicWall
Step 9: View the imported certificate under DPI-SSL | Client SSL


Step 1: Generating a Certificate Enrollment Request (CER)
   

  • Go to Manage | Appliance | Certificates and click on New signing Request

  • Complete the "Generate Certificate Signing Request" form and select Generate

    NOTE: A minimum of SHA256 and 2048 bits is required.



Step 2: Export the pending Certificate Enrollment Request (CER)

  • Go to System | Certificates and click the "Configure" button for your pending certificate request
  • Click on Export in your Export Certificate Request popup

Step 3: Open the export file with Notepad for temporary storage

Step 4: Go to Microsoft CA Server and request a certificate

 

 

  • Request a certificate
  • Submit an advanced certificate request

Click on advanced certificate request
 
Step 5: Request a certificate that has re-signing capability; here we are using the "Subordinate Certification Authority" template as an example.

 

  • Paste the Certificate Enrollment Request text (from your WordPad file) into the Saved Request box
  • In the Certificate Template drop-down menu, select the "Subordinate Certification Authority" template
  • A Subordinate CA template has certificate re-signing capability
  • Do not use the "Web Server" template (this template cannot do re-signing)
  • Click Submit


 


Step 6: Download from the Microsoft CA Server and save to a local file

 

  • Select the option "Download certificate chain"
  • Save the certificate (the default file name is certnew.p7b; rename if needed)

Step 7: Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

  • Go to System | Certificates and click the "Configure" button for your pending certificate request
  • Browse to the new certificate file
  • Select file
  • Upload file

Step 8: Import the DPI-SSL CA root certificate to SonicWall

 

  • Download and save the CA root certificate
  • Go to System | Certificates and select Import
  • Browse to the CA certificate file
  • Select file
  • Upload file


Step 9: View the imported certificate under DPI-SSL | Client SSL

 

  • The newly installed CA certificate is available for DPI-SSL services
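
A check worth running on the issued certificate before the upload in Step 7, on either firmware version: the script below is an added example, not SonicWall's own code, and uses the OpenSSL command line to confirm that a certificate is a CA with Certificate Sign key usage, a key of at least 2048 bits and a signature hash of SHA256 or better. The function names, file names and the two constructed test certificates (extension profiles approximating the "Subordinate Certification Authority" and "Web Server" templates) are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not SonicWall's code). Function and file names are assumptions.

check_resign_ca() {   # $1 = PEM certificate; prints each requirement it fails
  rc=0
  txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "cannot parse $1"; return 2; }
  # Re-signing needs a CA certificate whose Key Usage includes Certificate Sign
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || { echo "not a CA (basicConstraints)"; rc=1; }
  printf '%s\n' "$txt" | grep -q 'Certificate Sign' || { echo "Key Usage lacks Certificate Sign"; rc=1; }
  # The article's NOTE: minimum SHA256 and 2048 bits (size check assumes an RSA key)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "${bits:-0}" -ge 2048 ] || { echo "key is ${bits:-unknown} bits, need 2048 or more"; rc=1; }
  if printf '%s\n' "$txt" | grep -Eiq 'Signature Algorithm: .*(md5|sha1)'; then
    echo "signature hash is weaker than SHA256"; rc=1
  fi
  return "$rc"
}

make_samples() {      # $1 = work dir; builds constructed test certificates only
  d="$1"
  # Constructed private root, standing in for the Microsoft CA server
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Private Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Constructed request, standing in for the one exported from the firewall
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example DPI-SSL CA" -keyout "$d/dpi.key" -out "$d/dpi.csr" 2>/dev/null
  # Two extension profiles approximating the two templates named in Step 5
  cat > "$d/ext.cnf" <<'EOF'
[subca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[webserver]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  for p in subca webserver; do
    openssl x509 -req -in "$d/dpi.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -sha256 -days 30 -extfile "$d/ext.cnf" -extensions "$p" \
      -out "$d/$p.pem" 2>/dev/null
  done
}

tmp=$(mktemp -d) && make_samples "$tmp"
for c in subca webserver; do
  if check_resign_ca "$tmp/$c.pem"; then echo "$c.pem: fit for re-signing"
  else echo "$c.pem: NOT fit for re-signing"; fi
done
```

For the certnew.p7b chain from Step 6, first extract the certificates with `openssl pkcs7 -print_certs` (adding `-inform DER` if the file was downloaded in DER encoding) and run the check on the issued certificate.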
