Main Menu
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • English English English en
  • BLOG
  • CONTACT SALES
  • FREE TRIALS
  • English English English en
SonicWall
  • Products
    • Network Security
      • Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
      • Security ServicesComprehensive security for your network security solution
      • Network Security ManagerModern Security Management for today’s security landscape
    • Advanced Threat Protection
      • Capture ATPMulti-engine advanced threat detection
      • Capture Security applianceAdvanced Threat Protection for modern threat landscape
    • Access Security
      • Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
      • Secure Mobile AccessRemote, best-in-class, secure access
      • Wireless Access PointsEasy to manage, fast and secure Wi-FI
      • SwitchesHigh-speed network switching for business connectivity
    • Email Security
      • Email SecurityProtect against today’s advanced email threats
    • Cloud Security
      • Cloud App SecurityVisibility and security for Cloud Apps
      • Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
    • Endpoint Security
      • Capture ClientStop advanced threats and rollback the damage caused by malware
      • Content Filtering ClientControl access to unwanted and unsecure web content
    • Product Widgets
      • Product Menu Right Image
      • Capture Cloud Platform
        Capture Cloud Platform

        A security ecosystem to harness the power of the cloud

    • Button Widgets
      • Products A-Z
        all products A–Z FREE TRIALS
  • Solutions
    • Industries
      • Distributed Enterprises
      • Retail & Hospitality
      • K-12 Education
      • Higher Education
      • State & Local
      • Federal
      • Healthcare
      • Financial Services
      • Carriers
    • Use Cases
      • Secure SD-Branch
      • Zero Trust Security
      • Secure SD-WAN
      • Office 365 Security
      • SaaS Security
      • Secure WiFi
    • Solutions Widgets
      • Solutions Content Widgets
        Federal

        Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions

      • Solutions Image Widgets
  • Partners
    • SonicWall Partners
      • Partners Overview
      • Find a Partner
      • Authorized Distributors
      • Technology Partners
    • Partner Resources
      • Become a Partner
      • SonicWall University
      • Training & Certification
    • Partner Widgets
      • Custom HTML : Partners Content WIdgets
        Partner Portal

        Access to deal registration, MDF, sales and marketing tools, training and more

      • Partners Image Widgets
  • Support
    • Support
      • Support Portal
      • Knowledge Base
      • Technical Documentation
      • Community
      • Video Tutorials
      • Product Life Cycle Tables
      • Partner Enabled Services
      • Contact Support
    • Resources
      • Resource Center
      • Free Trials
      • Blog
      • SonicWall University
      • MySonicWall
    • Capture Labs
      • Capture Labs
      • Security Center
      • Security News
      • PSIRT
      • Application Catalog
    • Support Widget
      • Custom HTML : Support Content WIdgets
        Support Portal

        Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials

      • Support Image Widgets
  • COMPANY
    • Boundless Cybersecurity
    • Press Releases
    • News
    • Awards
    • Leadership
    • Press Kit
    • Careers
  • PROMOTIONS
    • SonicWall Promotions
    • Customer Loyalty Program
  • MANAGED SERVICES
    • Managed Security Services
    • Security as a Service
    • Professional Services
  • Contact Sales
  • Menu

How can I obtain certificates for VPN connections (Site to Site, GVC, L2TP)?

10/14/2021 1,195 People found this article helpful 111,057 Views

    Download
    Print
    Share
    • LinkedIn
    • Twitter
    • Facebook
    • Email
    • Copy URL The link has been copied to clipboard

    Description

    Using digital certificates for authentication instead of Preshared keys in VPNs is considered more secure. In SonicWall UTM devices, digital certificates are one way of authenticating two peer devices to establish an IPSec VPN tunnel. The other is IKE using Preshared key. The KB article describes the method to configure WAN GroupVPN and Global VPN Clients (GVC) to use digital certificates for authentication before establishing an IPSec VPN tunnel.

    Features of IKE Authentication with Certificates in SonicWall WAN GroupVPN and GVC.

    • A digital certificate either obtained from a third party CA (like Verisign) or from a private CA (like Microsoft CA or OpenSSL) must be used for this configuration. Self-signed certificates are not supported.
    • In the SonicWall, the administrator has the option to create a Certificate Signing Request (CSR) and get it signed by a CA or import a signed certificate in the PKCS#12 format (.pfx or .p12 extension). When importing a signed certificate into the GVC client, it must be in the PKCS#12 format (.pfx or .p12 extension).
    • Both peers must trust the issuer of the certificate. In other words, the CA certificate of the user certificate must be imported into the SonicWall as well as the remote GVC client.
    • If a certificate has already been imported into the SonicWall signed by a 3rd party CA (for example, Versign), this can be selected in the WAN GroupVPN. The CA certificate must be imported into the GVC client.
    • SonicWall supports digital certificates issued by different CAs to be imported into the SonicWall UTM device and the remote GVC client. SonicWall also supports forcing both peers to use certificates issued by the same CA.

    Resolution

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    NOTE: The certificate signing process described here is using a Windows Server 2008 CA. To configure a Microsoft CA to accept a Subject Alternative Name attribute from a certificate request, refer this Microsoft article: How to configure a CA to accept a SAN attribute from a certificate request.

    Create a Certificate Signing Request (CSR) in the SonicWall

    1. Login to the SonicWall management GUI.
    2. Navigate to Manage | Appliance | Certificates.
      Image

    3. Click New Signing Request to create a similar CSR as under.
    4. Click Generate to save.
    5. Refresh the page.
      Image

    6. Click  download button to download the CSR.
      Image
      Image

    Obtain a certificate using the Windows Server Certificate Enrollment Web Services

    • Obtain a certificate to use in WAN GroupVPN configuration
    1. Open a browser and navigate to the Microsoft Windows Certificate Enrollment page: http:///CertSrv.
    2. When prompted for authentication, enter username and password of administrator.
    3. Click Request a certificate.
    4. Click advanced certificate request.
    5. Copy the contents of CSR in the Saved Request box.
    6. Select Administrator under Certificate Template.

       NOTE: User or Web Server template also could be selected.

    7. Under Attributes, either enter san:dns=yourdomainname.com or san:email=<local-part@domain.com|.

       TIP: To configure a Microsoft CA to accept a Subject Alternative Name attribute from a certificate request, refer this Microsoft article: How to configure a CA to accept a SAN attribute from a certificate request.

    8. Click  Submit and you will taken to the next page.
    9. On this page click Download certificate or Download certificate chain to save the signed certificate to disk.
      Image
      Image
      ImageImageImage

    10. Below is an example of a signed certificate's Subject Alternative Name (SAN).
      Image

    • Download the CA certificate for the signed certificate.
    1. Navigate to the Microsoft Windows Certificate Enrollment page: http:///CertSrv
    2. Click Download a CA certificate.
    3. On the next page, click Download CA certificate and save the certificate to disk.
      Image
      Image

    4. Upload the signed certificate into the SonicWall via the upload button of the CSR pending request.
      Image
      Image

    5. To establish trust and complete the validation of the signed certificate, import the CA certificate.
      Image
      Image

     


    • Obtain a certificate for GVC clients.
    1. Navigate to the Microsoft Windows Certificate Enrollment page: http:///CertSrv
    2. When prompted for authentication, enter username and password of a Domain User.
    3. Click Request a certificate.
    4. Click advanced certificate request.
    5. Select Administrator or User under Certificate Template.

       NOTE: For Site to Site VPN or GVC, a certificate with Key Usage, if present, must have Digital Signature and/or Non-Repudiation and Extended Key Usage (EKU), if present, with Client Authentication seems to work. If, on the other hand, using L2TP/IPSec VPN, make sure, if Key Usage is present, to use Digital Signature and/or Non-Repudiation. The Extended Key Usage (EKU) field SHOULD NOT be used but, if present, may have Encrypted File System (1.3.6.1.4.1.311.10.3.4)  and/or IP Security End System (1.3.6.1.5.5.8.2.1).

    6. Under Attributes, either enter san:dns=yourdomainname.com or san:email=<local-part@domain.com|. Note: To configure a Microsoft CA to accept a Subject Alternative Name attribute from a certificate request.
    7. Click Submit and you will taken to the next page.
    8. On this page click on Download certificate or Download certificate chain to save the signed certificate to disk.
      Image
      Image
      Image
      Image

    9. The signed certificate will be Installed within the browser.
      Image

    10. Export the certificate with its private key from the browser.
      ImageImage
      Image
      Image
      Image

    Resolution for SonicOS 6.2 and Below

    The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

     

     

    Create a Certificate Signing Request (CSR) in the SonicWall

    1. Login to the SonicWall management GUI.
    2. Navigate to System | Certificate page.
    3. Click on New Signing Request to create a similar CSR as under.
    4. Click Generate.
    5. Refresh the page.
    6. Click  download button to download the CSR.
      ImageImageImage

    Obtain a certificate using the Windows Server Certificate Enrollment Web Services

    • Obtain a certificate to use in WAN GroupVPN configuration
    1. Open a browser and navigate to the Microsoft Windows Certificate Enrollment page: http:///CertSrv
    2. When prompted for authentication, enter username and password of administrator.
    3. Click Request a certificate.
    4. Click advanced certificate request.
    5. Copy the contents of CSR in the Saved Request box.
    6. Select Administrator under Certificate Template.

      NOTE: User or Web Server template also could be selected.

    7. Under Attributes, either enter san:dns=yourdomainname.com or san:email=<local-part@domain.com|.

      TIP: To configure a Microsoft CA to accept a Subject Alternative Name attribute from a certificate request, refer this Microsoft article: How to configure a CA to accept a SAN attribute from a certificate request.

    8. Click  Submit and you will taken to the next page.
    9. On this page click on Download certificate or Download certificate chain to save the signed certificate to disk.
      Image
      Image
      ImageImageImage

    10. Below is an example of a signed certificate's Subject Alternative Name (SAN).
      Image

    • Download the CA certificate for the signed certificate.
    1. Navigate to the Microsoft Windows Certificate Enrollment page: http:///CertSrv.
    2. Click Download a CA certificate.
    3. On the next page, click Download CA certificate and save the certificate to disk.
      Image
      Image

    4. Upload the signed certificate into the SonicWall via the upload button of the CSR pending request.Image Image

    5. To establish trust and complete the validation of the signed certificate, import the CA certificate.ImageImageImage

    • Obtain a certificate for GVC clients.
    1. Navigate to  Microsoft Windows Certificate Enrollment page: http:///CertSrv.
    2. When prompted for authentication, enter username and password of a Domain User.
    3. Click Request a certificate.
    4. Click advanced certificate request.
    5. Select Administrator or User under Certificate Template.

      NOTE: For Site to Site VPN or GVC, a certificate with Key Usage, if present, must have Digital Signature and/or Non-Repudiation and Extended Key Usage (EKU), if present, with Client Authentication seems to work. If, on the other hand, using L2TP/IPSec VPN, make sure, if Key Usage is present, to use Digital Signature and/or Non-Repudiation. The Extended Key Usage (EKU) field SHOULD NOT be used but, if present, may have Encrypted File System (1.3.6.1.4.1.311.10.3.4)  and/or IP Security End System (1.3.6.1.5.5.8.2.1).

    6. Under Attributes, either enter san:dns=yourdomainname.com or san:email=<local-part@domain.com.
    7. Click Submit and you will taken to the next page.
    8. On this page click on Download certificate or Download certificate chain to save the signed certificate to disk.
      Image
      Image
      Image
      Image

    9. The signed certificate will be installed within the browser.
      Image

    10. Export the certificate with its private key from the browser.
      ImageImage
      Image
      Image
      Image

    Related Articles

    • App Control fails by schema error when editing VPN category
    • How to remove 2FA for admin using CLI
    • 2FA authentication error using TOTP "Please try again later"

    Categories

    • Firewalls > NSa Series > VPN
    • Firewalls > NSv Series > VPN
    • Firewalls > TZ Series > VPN

    Not Finding Your Answers?

    ASK THE COMMUNITY

    Was This Article Helpful?

    YESNO

    Article Helpful Form

    Article Not Helpful Form

    Company
    • Careers
    • News
    • Leadership
    • Awards
    • Press Kit
    • Contact Us
    Popular resources
    • Communities
    • Blog
    • SonicWall Capture Labs

    Stay In Touch

    • By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. You can unsubscribe at any time from the Preference Center.
    • This field is for validation purposes and should be left unchanged.
    • Facebook
    • Twitter
    • Linkedin
    • Youtube
    • Instagram

    © 2022 SonicWall. All Rights Reserved.

    • Legal
    • Privacy
    • English
    Scroll to top
    Trace:cc0750a261fdf1eb77a7d3e0cb0c4ff9-90