How can I create a DPI-SSL certificate for the purpose of DPI-SSL certificate resigning?

10/14/2021


    Description

    SonicWall DPI-SSL is a proxy for SSL connections, acting as an intermediary to provide secure connections between the client PC and the secure website. SonicWall DPI-SSL accepts the certificate offered by the secure website and re-signs the certificate before sending it to the client's browser. The DPI-SSL service acts as a client when it accepts the secure website's certificate and then acts as a Certificate Authority (CA) when it re-signs the website's certificate before sending it to the PC. To establish trust between the client PC and SonicWall DPI-SSL, the SonicWall DPI-SSL CA certificate must be installed in the client's Trusted Root Certification Authorities store.

    Resolution

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


    The SonicWall has two types of certificates

    • Certificate for HTTPS management
      • The self-signed certificate for HTTPS management is also called the device certificate.
      • The self-signed device certificate can be replaced with a signed device certificate.
      • The HTTPS management certificate is unrelated to the DPI-SSL CA certificate.
    • DPI-SSL certificate
      • The DPI-SSL CA certificate is used for establishing trust between a client PC and SonicWall DPI-SSL.
      • The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
      • In some cases the customer may decide to replace the default DPI-SSL CA certificate.
    • If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate has Certificate Signing or Certificate Re-signing authority.


    [Image: the default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing]


    What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?

    • You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
      • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.

    • You can create certificates from a private Certificate Authority server.
      • The customer chooses to implement their own Certificate Authority servers, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
      • The customer may also choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
      • The customer may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.


    Generating a Certificate Enrollment Request (CER)

    1. Navigate to Manage | Appliance | Certificates and click New signing Request.
    2. Complete the Generate Certificate Signing Request form and select Generate.

       NOTE: A minimum of SHA256 and 2048 bits is required.



    Export the pending Certificate Enrollment Request (CER)

    1. Navigate to System | Certificates and select your certificate pending request Configure button.
    2. Click Export in your Export Certificate Request Popup.



    Open the export file with Notepad for temporary storage


    Go to Microsoft CA Server and request a certificate

    1. Request a certificate.
    2. Submit an advanced certificate request.
    3. Click advanced certificate request.



    Request a certificate that has re-signing capability. Here we are using the "Subordinate Certification Authority" template as an example.

    1. Paste the Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
    2. In the Certificate Template drop-down menu, select the Subordinate Certification Authority template.
    3. A Subordinate CA template has certificate re-signing capability.
    4. Do not use the Web Server template (this template cannot do re-signing).
    5. Click Submit.




    Download from the Microsoft CA Server and save to a local file

    1. Select the option Download certificate chain.
    2. Save the certificate (the file default name is certnew.p7b, rename if needed).

    Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

    1. Navigate to System | Certificates and select your certificate pending request Configure button.
    2. Browse to the new certificate file.
    3. Select the file.
    4. Upload the file.




    Import the DPI-SSL CA root certificate to SonicWall

    1. Download and save the CA root certificate.
    2. Navigate to System | Certificates and select Import.
    3. Browse to the CA certificate file.
    4. Select the file.
    5. Upload the file.





    View the imported certificate under DPI-SSL | Client SSL


    • The newly installed CA certificate is available for DPI-SSL services.
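
A pre-upload check for the issued certificate, as an added example that is not part of the original article or SonicWall's tooling: it confirms that a PEM certificate carries CA:TRUE and the Certificate Sign key usage (which a Web Server template certificate lacks) and meets the SHA256 / 2048-bit minimum. The function names, the `subca` and `webserver` sample profiles and the throwaway self-signed certificates are constructed for illustration; an RSA key is assumed.

```shell
#!/bin/sh
# Added example (not SonicWall code): check a PEM certificate for the properties
# the article requires of a DPI-SSL re-signing CA. Assumes an RSA key.
# A .p7b chain must first be split into PEM certs (openssl pkcs7 -print_certs).
check_resigning_cert() {   # returns 0 = suitable, 1 = unsuitable, 2 = unreadable
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo "unreadable: $1"; return 2; }
    rc=0
    # Basic Constraints must mark the certificate as a CA.
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "FAIL: Basic Constraints is not CA:TRUE"; rc=1; }
    # Key Usage must include Certificate Sign (keyCertSign).
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
        || { echo "FAIL: Key Usage lacks Certificate Sign"; rc=1; }
    # Signature hash must be SHA256 or stronger.
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sig" in
        sha256*|sha384*|sha512*) ;;
        *) echo "FAIL: signature algorithm $sig is below SHA256"; rc=1 ;;
    esac
    # RSA modulus must be at least 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key size ${bits:-unknown} is below 2048 bits"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 can act as a re-signing CA"
    return "$rc"
}

# Constructed sample certificates (self-signed, throwaway keys) for the demo.
make_sample() {   # make_sample DIR PROFILE BITS DIGEST -> DIR/PROFILE.pem
    dir="$1"; profile="$2"
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample
[subca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[webserver]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey "rsa:$3" -nodes -"$4" -days 1 \
        -config "$dir/openssl.cnf" -extensions "$profile" \
        -keyout "$dir/$profile.key" -out "$dir/$profile.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" subca 2048 sha256 && check_resigning_cert "$tmp/subca.pem"
make_sample "$tmp" webserver 2048 sha256 && check_resigning_cert "$tmp/webserver.pem"
rm -rf "$tmp"
```

The `webserver` sample fails on both the Basic Constraints and Key Usage checks, which is the outcome to expect when the wrong template is selected on the CA.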



       

    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.



    The SonicWall has two types of certificates

    • Certificate for HTTPS management
      • The self-signed certificate for HTTPS management is also called the device certificate.
      • The self-signed device certificate can be replaced with a signed device certificate.
      • The HTTPS management certificate is unrelated to the DPI-SSL CA certificate.
    • DPI-SSL certificate
      • The DPI-SSL CA certificate is used for establishing trust between a client PC and SonicWall DPI-SSL.
      • The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
      • In some cases the customer may decide to replace the default DPI-SSL CA certificate.
    • If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate has Certificate Signing or Certificate Re-signing authority.


    [Image: the default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing]


    What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?

    • You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
      • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.

    • You can create certificates from a private Certificate Authority server.
      • The customer chooses to implement their own Certificate Authority servers, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
      • The customer may also choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
      • The customer may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.



    Generating a Certificate Enrollment Request (CER)

    1. Navigate to System | Certificates and click New signing Request.
    2. Complete the Generate Certificate Signing Request form and select Generate.

       NOTE: A minimum of SHA256 and 2048 bits is required.



    Export the pending Certificate Enrollment Request (CER)

    1. Navigate to System | Certificates and select your certificate pending request Configure button.
    2. Click Export in your Export Certificate Request Popup.

    Open the export file with Notepad for temporary storage

    Go to Microsoft CA Server and request a certificate

    1. Navigate to Microsoft CA Server and request a certificate.
    2. Request a certificate.
    3. Submit an advanced certificate request.
    4. Click advanced certificate request.



    Request a certificate that has re-signing capability. Here we are using the "Subordinate Certification Authority" template as an example.

    1. Paste the Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
    2. In the Certificate Template drop-down menu, select the Subordinate Certification Authority template.
    3. A Subordinate CA template has certificate re-signing capability.
    4. Do not use the Web Server template (this template cannot do re-signing).
    5. Click Submit.



    Download from the Microsoft CA Server and save to a local file

    1. Select the option Download certificate chain.
    2. Save the certificate (the file default name is certnew.p7b, rename if needed).

    Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

    1. Navigate to System | Certificates and select your certificate pending request Configure.
    2. Browse to the new certificate file.
    3. Select the file.
    4. Upload the file.


    Import the DPI-SSL CA root certificate to SonicWall

    1. Download and save the CA root certificate.
    2. Navigate to System | Certificates and select Import.
    3. Browse to the CA certificate file.
    4. Select the file.
    5. Upload the file.





    View the imported certificate under DPI-SSL | Client SSL

    • The newly installed CA certificate is available for DPI-SSL services.
