How can I create a DPI-SSL certificate for the purpose of DPI-SSL certificate resigning?
03/26/2020 
453 
20407
DESCRIPTION:
SonicWall DPI-SSL is a proxy for SSL connections, acting as a intermediary to provide secure connections between the client PC and the secure website. The SonicWall DPI-SSL accepts the certificate offered by the secure website and re-signs the certificate before sending it to the client's browser. The SonicWall DPI-SSL services is acting as a client when it accepts the secure websites certificate and then acts as a Certificate Authority (CA) when it resigns the websites certificate before sending it to the PC. To establish trust between the client PC and SonicWall DPI-SSL, the SonicWall DPI-SSL CA certificate must be installed in the client's Trusted Root Certification Authorities store.
RESOLUTION:
The SonicWall has two types of certificates
- Certificate for HTTPS management
- The self signed certificate for HTTPS management is also called the device certificate.
- The self signed device certificate can be replaced with a signed device certificate.
- The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
- DPI-SSL certificate
- The DPI-SSL CA certificate use for establishing trust between a client PC and SonicWall DPI-SSL.
- The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
- In some cases the customer may decide to replace the default DPI-SSL CA certificate.
- If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing
What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?
- You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
- Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
- You can create certificates from a private Certificate Authority Server.
- The customer chooses to implement their own Certificate Authority servers such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
- The customer may also choose to replace the SonicWall self signed HTTPS management certificate with a certificates issued by their own Certificate Authority server.
- The customer may also choose to replace the default SonicWall DPI-SSL CA certificate, the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Generating a Certificate Enrollment Request (CER)
- Navigate to Manage | Appliance | Certificates and click New signing Request.
- Complete the Generate Certificate Signing Request form and select Generate.
NOTE: A minimum of SHA256 and 2048 bits is required.
Export the pending Certificate Enrollment Request (CER)
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Click Export in your Export Certificate Request Popup.
Open the export file with notepad for temporary storage
Go to Microsoft CA Server and request a certificate
- Request a certificate.
- Submit and advanced certificate request.
- Click advanced certificate request.
Request a certificate that has re-signing capability and here we are using the "Subordinate Certification Authority" template as an example
- Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
- In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
- A Subordinate CA template has certificate re-signing capability.
- Do Not use the Web Server template (This template cannot do re-signing).
- Click Submit.
Download from the Microsoft CA Server and save to a local file
- Select the option Download certificate chain.
- Save the certificate (the file default name is certnew.p7b, rename if needed).
Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Browse to new certificate file.
- Select file.
- Upload file.
Import the DPI-SSL CA root certificate to SonicWall
- Download and save the CA root certificate.
- Navigate to System | Certificates and select Import.
- Browse to CA certificate file.
- Select file.
- Upload file.
View the imported certificate under DPI-SSL | Client SSL
- The newly installed CA certificate is available for DPI-SSL services.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
The SonicWall has two types of certificates
- Certificate for HTTPS management
- The self signed certificate for HTTPS management is also called the device certificate.
- The self signed device certificate can be replaced with a signed device certificate.
- The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
- DPI-SSL certificate
- The DPI-SSL CA certificate use for establishing trust between a client PC and SonicWall DPI-SSL.
- The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
- In some cases the customer may decide to replace the default DPI-SSL CA certificate.
- If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing
What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?
- You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
- Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
- You can create certificates from a private Certificate Authority Server.
- The customer chooses to implement their own Certificate Authority servers such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
- The customer may also choose to replace the SonicWall self signed HTTPS management certificate with a certificates issued by their own Certificate Authority server.
- The customer may also choose to replace the default SonicWall DPI-SSL CA certificate, the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Generating a Certificate Enrollment Request (CER)
- Navigate to System | Certificates and click New signing Request.
- Complete the Generate Certificate Signing Request form and select Generate.
NOTE: A minimum of SHA256 and 2048 bits is required.
Export the pending Certificate Enrollment Request (CER)
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Click Export in your Export Certificate Request Popup.
Open the export file with notepad for temporary storage
Go to Microsoft CA Server and request a certificate
- Navigate to Microsoft CA Server and request a certificate.
- Request a certificate.
- Submit and advanced certificate request.
- Click advanced certificate request.
Request a certificate that has re-signing capability and here we are using the "Subordinate Certification Authority" template as an example
- Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
- In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
- A Subordinate CA template has certificate re-signing capability.
- Do Not use the Web Server template (This template cannot do re-signing).
- Click Submit.
Download from the Microsoft CA Server and save to a local file
- Select the option Download certificate chain.
- Save the certificate (the file default name is certnew.p7b, rename if needed).
Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
- Navigate to System | Certificates and select your certificate pending request Configure.
- Browse to new certificate file.
- Select file.
- Upload file.
Import the DPI-SSL CA root certificate to SonicWall
- Download and save the CA root certificate.
- Navigate to System | Certificates and select Import.
- Browse to CA certificate file.
- Select file.
- Upload file.
View the imported certificate under DPI-SSL | Client SSL
- The newly installed CA certificate is available for DPI-SSL services.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
