How can I enable client Certificate check for HTTPS management on the SonicWall?

10/14/2021


    Description

    To further secure HTTPS access to the SonicWall management GUI, system administrators can enable Client Certificate Check in addition to username/password authentication.

    The SonicWall Client Certificate Check was developed for use with a Common Access Card (CAC), but it can be used to enforce a client certificate on any HTTPS management request. The difference is that with a CAC the client certificate is installed in the browser automatically, whereas without a CAC the client certificate must be imported into the browser manually.

    This article describes how to enable Client Certificate Check in the SonicWall and how to import a client certificate into the web browser.

    Resolution


    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


    SonicWall configuration

    1. Log in to the SonicWall management GUI.
    2. Navigate to Manage | Appliance | Certificates.
    3. Import the certificate to be used for management.
    4. Navigate to the Manage | Appliance | Base Settings page.
    5. Under Web Management settings, select the Enable Client Certificate Check check box.
    6. The Client Certificate Issuer drop-down menu lists the Certification Authority (CA) certificates available in the SonicWall certificate store. If the appropriate CA is not in the list, import that CA into the SonicWall security appliance.
    7. Selecting the Enable OCSP Checking check box enables Online Certificate Status Protocol (OCSP) to verify that the client certificate is still valid and has not been revoked.
    8. The OCSP Responder URL field is optional; it only needs to be filled in if an OCSP URL is not embedded in the certificate.
    9. Click Accept.
    10. The following screenshots show an internal CA certificate being imported and then set as the Client Certificate Issuer for client certificate check. [Screenshots]

    11. When a web browser tries to access the SonicWall HTTPS management interface without an appropriate certificate, the SonicWall security appliance checks the presented client certificate against the selected Client Certificate Issuer to verify that it is signed by that CA. If it is not, the SonicWall refuses the connection and the browser displays a standard "page cannot be displayed" message.


     CAUTION: When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance.

    • Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
    • Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
    • Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from accessing the OCSP server.

    The following CLI commands restore access to a user who is locked out. They must be issued in configuration mode after logging in to the CLI.

    > administration                                // enter the administration console
    > no web-management client-certificate-check    // disable client certificate check
    > commit                                        // apply changes
    > exit


    If the problem is due to OCSP, issue the following commands to disable OCSP checking alone, without disabling client certificate check. Note that when client certificate check is disabled, the option to enable or disable OCSP is not available.

    > no web-management ocsp-check    // disable OCSP checking
    > commit                          // apply changes
    > exit


    Import client certificate into a web browser

    The following points must be kept in mind before importing the client certificate into a browser.

    • The certificate must be signed by the same CA that is selected for client certificate checking on the SonicWall Administration page.
    • The certificate must be in a container together with its private key and, optionally, the CA certificate; for example, a file with a .p12 or .pfx extension.
    • If the CA certificate is not part of the container, it must be imported separately.

    The following screenshots show a certificate with .pfx extension and its CA certificate being imported into the Firefox browser:

    [Screenshots: importing the .pfx client certificate and its CA certificate into Firefox, then logging into the SonicWall]



    Resolution for SonicOS 6.2 and Below

    The resolution below is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.




    SonicWall configuration

    1. Log in to the SonicWall management GUI.
    2. Navigate to the System | Administration page.
    3. Under Web Management settings, select the Enable Client Certificate Check check box.
    4. The Client Certificate Issuer drop-down menu lists the Certification Authority (CA) certificates available in the SonicWall certificate store. If the appropriate CA is not in the list, import that CA into the SonicWall security appliance.
    5. Selecting the Enable OCSP Checking check box enables Online Certificate Status Protocol (OCSP) to verify that the client certificate is still valid and has not been revoked.
    6. The OCSP Responder URL field is optional; it only needs to be filled in if an OCSP URL is not embedded in the certificate.
    7. Click Accept.
    8. The following screenshots show an internal CA certificate being imported and then set as the Client Certificate Issuer for client certificate check. [Screenshots]

    9. When a web browser tries to access the SonicWall HTTPS management interface without an appropriate certificate, the SonicWall security appliance checks the presented client certificate against the selected Client Certificate Issuer to verify that it is signed by that CA. If it is not, the SonicWall refuses the connection and the browser displays a standard "page cannot be displayed" message.


    The CAUTION notes, the CLI commands that restore access after a lockout, and the steps for importing the client certificate into a web browser are the same as in the resolution for SonicOS 6.5 above.
