How can I create a DPI-SSL certificate for the purpose of DPI-SSL certificate resigning?
08/17/2021 
453 
21551
DESCRIPTION:
SonicWall DPI-SSL is a proxy for SSL connections, acting as a intermediary to provide secure connections between the client PC and the secure website. The SonicWall DPI-SSL accepts the certificate offered by the secure website and re-signs the certificate before sending it to the client's browser. The SonicWall DPI-SSL services is acting as a client when it accepts the secure websites certificate and then acts as a Certificate Authority (CA) when it resigns the websites certificate before sending it to the PC. To establish trust between the client PC and SonicWall DPI-SSL, the SonicWall DPI-SSL CA certificate must be installed in the client's Trusted Root Certification Authorities store.
RESOLUTION:
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
The SonicWall has two types of certificates
- Certificate for HTTPS management
- The self signed certificate for HTTPS management is also called the device certificate.
- The self signed device certificate can be replaced with a signed device certificate.
- The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
- DPI-SSL certificate
- The DPI-SSL CA certificate use for establishing trust between a client PC and SonicWall DPI-SSL.
- The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
- In some cases the customer may decide to replace the default DPI-SSL CA certificate.
- If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing
What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?
- You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
- Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
- You can create certificates from a private Certificate Authority Server.
- The customer chooses to implement their own Certificate Authority servers such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
- The customer may also choose to replace the SonicWall self signed HTTPS management certificate with a certificates issued by their own Certificate Authority server.
- The customer may also choose to replace the default SonicWall DPI-SSL CA certificate, the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Generating a Certificate Enrollment Request (CER)
- Navigate to Manage | Appliance | Certificates and click New signing Request.
- Complete the Generate Certificate Signing Request form and select Generate.
NOTE: A minimum of SHA256 and 2048 bits is required.
Export the pending Certificate Enrollment Request (CER)
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Click Export in your Export Certificate Request Popup.
Open the export file with notepad for temporary storage
Go to Microsoft CA Server and request a certificate
- Request a certificate.
- Submit and advanced certificate request.
- Click advanced certificate request.
Request a certificate that has re-signing capability and here we are using the "Subordinate Certification Authority" template as an example
- Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
- In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
- A Subordinate CA template has certificate re-signing capability.
- Do Not use the Web Server template (This template cannot do re-signing).
- Click Submit.
Download from the Microsoft CA Server and save to a local file
- Select the option Download certificate chain.
- Save the certificate (the file default name is certnew.p7b, rename if needed).
Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Browse to new certificate file.
- Select file.
- Upload file.
Import the DPI-SSL CA root certificate to SonicWall
- Download and save the CA root certificate.
- Navigate to System | Certificates and select Import.
- Browse to CA certificate file.
- Select file.
- Upload file.
View the imported certificate under DPI-SSL | Client SSL
- The newly installed CA certificate is available for DPI-SSL services.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
The SonicWall has two types of certificates
- Certificate for HTTPS management
- The self signed certificate for HTTPS management is also called the device certificate.
- The self signed device certificate can be replaced with a signed device certificate.
- The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
- DPI-SSL certificate
- The DPI-SSL CA certificate use for establishing trust between a client PC and SonicWall DPI-SSL.
- The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
- In some cases the customer may decide to replace the default DPI-SSL CA certificate.
- If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing
What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?
- You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
- Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
- You can create certificates from a private Certificate Authority Server.
- The customer chooses to implement their own Certificate Authority servers such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
- The customer may also choose to replace the SonicWall self signed HTTPS management certificate with a certificates issued by their own Certificate Authority server.
- The customer may also choose to replace the default SonicWall DPI-SSL CA certificate, the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.
Generating a Certificate Enrollment Request (CER)
- Navigate to System | Certificates and click New signing Request.
- Complete the Generate Certificate Signing Request form and select Generate.
NOTE: A minimum of SHA256 and 2048 bits is required.
Export the pending Certificate Enrollment Request (CER)
- Navigate to System | Certificates and select your certificate pending request Configure button.
- Click Export in your Export Certificate Request Popup.
Open the export file with notepad for temporary storage
Go to Microsoft CA Server and request a certificate
- Navigate to Microsoft CA Server and request a certificate.
- Request a certificate.
- Submit and advanced certificate request.
- Click advanced certificate request.
Request a certificate that has re-signing capability and here we are using the "Subordinate Certification Authority" template as an example
- Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
- In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
- A Subordinate CA template has certificate re-signing capability.
- Do Not use the Web Server template (This template cannot do re-signing).
- Click Submit.
Download from the Microsoft CA Server and save to a local file
- Select the option Download certificate chain.
- Save the certificate (the file default name is certnew.p7b, rename if needed).
Complete the certificate enrollment on SonicWall by uploading the newly issued certificate
- Navigate to System | Certificates and select your certificate pending request Configure.
- Browse to new certificate file.
- Select file.
- Upload file.
Import the DPI-SSL CA root certificate to SonicWall
- Download and save the CA root certificate.
- Navigate to System | Certificates and select Import.
- Browse to CA certificate file.
- Select file.
- Upload file.
View the imported certificate under DPI-SSL | Client SSL
- The newly installed CA certificate is available for DPI-SSL services.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
