Custom DPI-SSL certificate generation and re-signing for expired DPI-SSL certificates on SonicOS 7.0.1

Description

The default DPI-SSL Client SonicWall certificate shipped with firmware version 7.0.1-XXXX will expire on 15 January 2026. Customers are advised to upgrade the firmware to 7.3.1-XXXX or to implement the workaround described in this article.

 

Resolution

Workaround for SonicOS 7.0.1-XXXX

 

The workaround below is for customers running SonicOS 7.0.1-XXXX firmware who are unwilling or unable to upgrade to firmware version 7.3.1-XXXX or later.

Customers must switch to a custom DPI-SSL certificate because the default DPI-SSL certificate expires on 15 January 2026.

 

Options for customers who choose to replace the expired default SonicWall DPI-SSL CA certificate:

  • Customers cannot request a DPI-SSL CA certificate from a commercial certificate authority.
    • Commercial certificate authorities will not issue certificates with certificate signing (re-signing) authority.
    • Customers can create the certificate from a private Certificate Authority server instead.
  • Customers may choose to implement their own Certificate Authority server, such as a Microsoft Certificate Authority server or an OpenSSL CA server.
    • Customers may choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
       Note:
      Customers must use a strong hash for the certificate.
      Customers must also take care of the maintenance and protection of the CA server: anyone holding its private key can issue certificates that every client on the network trusts.
    • Customers may also choose to replace the default SonicWall DPI-SSL CA certificate; the replacement CA certificate must have certificate signing (re-signing) authority.

 

Generating a Certificate Signing Request (CSR)

 

  1. Navigate to Device | Settings | Certificates and click New Signing Request.

 NOTE: A minimum of SHA-256 and 2048 bits is required, and SonicWall recommends a strong hash for the certificate.

  2. Complete the Generate Certificate Signing Request form and select Generate.

Export the pending Certificate Signing Request (CSR)

 

  1. Navigate to Device | Settings | Certificates and click the Configure button of your pending certificate request.
  2. Click Export in the Export Certificate Request pop-up.
  3. Open the exported file in Notepad and keep its text; it is pasted into the CA's request form in a later step.

Go to the Microsoft CA server's web enrollment page and request a certificate

 

  1. Click Request a certificate.
  2. Click advanced certificate request.
  3. Submit an advanced certificate request.



Request a certificate that has re-signing capability. Here the "Subordinate Certification Authority" template is used as an example.

 

  1. Paste the CSR text (from the Notepad file) into the Saved Request box.
  2. In the Certificate Template drop-down menu, select the Subordinate Certification Authority template. A subordinate CA template has certificate re-signing capability (Basic Constraints CA:TRUE and the Certificate Signing key usage).
  3. Do not use the Web Server template; it cannot re-sign (no CA bit and no Certificate Signing key usage).
  4. Click Submit.

 

 


Download from the Microsoft CA server and save to a local file

 

  1. Select the option Download certificate chain.
  2. Save the certificate chain (the file's default name is certnew.p7b; rename it if needed).
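The same issuance done with the OpenSSL CA that the article names as the alternative to a Microsoft CA, as an added example that is not part of the original article. It builds a private root CA, signs a CSR that stands in for the one exported from the firewall using subordinate-CA extensions, bundles the result into a PKCS#7 chain of the same shape as certnew.p7b, and checks what the firewall needs: Basic Constraints CA:TRUE with the Certificate Signing key usage (which the Subordinate Certification Authority template provides and the Web Server template does not), a SHA-256 signature, and remaining validity. All names, paths, the self-generated CSR and the server.ext file modelled on a Web Server template are constructed for the demonstration; in a real deployment the CSR is the one exported from Device | Settings | Certificates and the private key never leaves the firewall.

```shell
#!/bin/sh
# Added example (not from the SonicWall article): private OpenSSL CA that
# issues a re-signing (subordinate CA) certificate for DPI-SSL and checks it.
# Every name, path and the self-generated CSR below is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions of a re-signing certificate: what the Microsoft "Subordinate
# Certification Authority" template produces.
cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF

# Extensions modelled on a "Web Server" template: no CA bit, no keyCertSign,
# so DPI-SSL cannot use such a certificate to re-sign intercepted sites.
cat > "$WORK/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# 1. Private root CA (RSA 2048, SHA-256: the firewall's minimum). req -x509
#    marks it CA:TRUE by default; keyCertSign is added explicitly.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" \
  -subj "/CN=Example Root CA" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

# 2. A CSR standing in for the one exported from Device | Settings | Certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/fw.key" -out "$WORK/fw.csr" \
  -subj "/CN=Example DPI-SSL CA" 2>/dev/null

# 3. Issue the same CSR twice: as a subordinate CA and as a plain server cert.
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -sha256 -days 1825 -extfile "$WORK/subca.ext" \
  -out "$WORK/fw.crt" 2>/dev/null
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -sha256 -days 1825 -extfile "$WORK/server.ext" \
  -out "$WORK/server.crt" 2>/dev/null

# 4. Bundle issued cert + root into a PKCS#7 chain (the certnew.p7b shape).
openssl crl2pkcs7 -nocrl -certfile "$WORK/fw.crt" -certfile "$WORK/root.crt" \
  -out "$WORK/chain.p7b"

# Returns 0 when the certificate can re-sign: CA:TRUE plus keyCertSign, which
# openssl prints as "Certificate Sign".
is_resign_capable() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
  openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}

# Returns 0 when the certificate is signed with SHA-256 RSA, as required.
uses_sha256() {
  openssl x509 -in "$1" -noout -text | grep -q 'sha256WithRSAEncryption'
}

# Returns 0 when the certificate stays valid for at least $2 more days.
# Run this against an export of the current DPI-SSL CA to spot the expiry.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Number of certificates in a PKCS#7 bundle (subordinate + root = 2 here).
chain_cert_count() {
  openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# Chain validation, the check behind the firewall showing the CSR as Validated.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

if is_resign_capable "$WORK/fw.crt"; then echo "fw.crt: re-signing capable"; fi
if ! is_resign_capable "$WORK/server.crt"; then echo "server.crt: not usable for DPI-SSL"; fi
```

The key point the checks make visible is that the firewall cares about the extensions, not the subject: the same CSR issued through server.ext verifies fine as a chain but fails is_resign_capable, which is exactly why the Web Server template must not be used.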

Install this certificate chain in the Trusted Root Certification Authorities store of the computers on the local network by following the steps below:

For Chrome/Edge/IE (Windows certificate store):

  1. Double-click the downloaded certificate file.
  2. Select Install Certificate.
  3. Choose whether to install for the current user or the local machine.
  4. Select "Place all certificates in the following store".
  5. Browse and select Trusted Root Certification Authorities.
  6. Click Finish. The Certificate Import Wizard will guide you through importing the certificate.


Firefox:

  1. Enter about:preferences#privacy in the URL bar.
  2. Scroll down to Certificates and click View Certificates.
  3. On the Authorities tab, click Import.
  4. Select the downloaded certificate.
  5. Select "Trust this CA to identify websites" and "Trust this CA to identify email users".
  6. Click OK.

 

Mac:

Double-click the certificate file, select the Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK. On current macOS versions the certificate is added to the System keychain instead and must then be set to Always Trust in Keychain Access.

 

The KB below describes other methods of distributing the SonicWall DPI-SSL certificate to clients:

https://www.sonicwall.com/support/knowledge-base/various-methods-to-distribute-sonicwall-dpi-ssl-certificate/kA1VN0000000OX50AM

 

Complete the certificate enrollment on the SonicWall by uploading the newly issued certificate chain

 

  1. Navigate to Device | Settings | Certificates and select Import.
  2. Browse to the CA certificate chain file (certnew.p7b).
  3. Select the file.
  4. Upload the file.
  5. The firewall will prompt for a restart.
  6. After rebooting, the CSR should show as Validated, with the intermediate certificate and the CA certificate listed.

 



View the imported certificate under DPI-SSL | Client SSL

 

  • The newly installed CA certificate is available for DPI-SSL services.

  • Once DPI-SSL Client has been enabled and the imported certificate has been selected as the DPI-SSL client certificate, it appears as the issuer in the browser when any HTTPS website is accessed through the firewall.

 

 
