How to add DPI-SSL CA Certificate on Ubuntu OS?
03/26/2020
DESCRIPTION:
This article explains how to import the SonicWall DPI-SSL CA certificate into the web browsers (Firefox and Chrome) on Ubuntu.
The SonicWall DPI-SSL CA certificate is self-signed, so it is not present in the browsers' trusted certificate stores by default. The screenshots below show the certificate error the browsers display when the SonicWall DPI-SSL certificate has not been added to their certificate databases.
Chrome:

Firefox:

Overview of SonicWall DPI-SSL:
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.
Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.
The following KB article covers DPI-SSL client configuration on the SonicWall:
https://www.sonicwall.com/en-us/support/knowledge-base/170505885674291
The certificate most commonly used for this is the Default SonicWall DPI-SSL Certificate Authority (CA) certificate. It must be added to the browser to eliminate certificate trust errors.
RESOLUTION:
For the browsers to validate and trust the certificate presented by the SonicWall during DPI-SSL inspection, the SonicWall DPI-SSL CA certificate must be imported into their certificate databases.
This article lists the steps required to import the SonicWall DPI-SSL certificate into Firefox and Chrome running on an Ubuntu machine. The demonstration uses Ubuntu 16.10.
Step 1: Download the SonicWall DPI-SSL certificate from the DPI-SSL | Client SSL page.
Log in to the SonicWall management page and follow these steps:
- Navigate to the DPI-SSL | Client SSL page and click the Certificate tab.
- Click (download) next to "Default SonicWall DPI-SSL 2048 bit CA Certificate".
- Save it to your local drive.

Step 2: The certificate downloaded in Step 1 is a DER-encoded ".cer" file. update-ca-certificates only processes PEM-encoded files with a ".crt" extension, so convert it with the following openssl command in an Ubuntu terminal window (the output file name is your choice; this article uses dpi-ssl-2048-sha2.crt):
openssl x509 -inform DER -in dpi-ssl-2048-sha1.cer -out dpi-ssl-2048-sha2.crt

Step 3: Create a directory under /usr/share/ca-certificates. The name is your choice; this article uses "extra".
sudo mkdir /usr/share/ca-certificates/extra

Step 4: Copy the ".crt" file created in Step 2 to /usr/share/ca-certificates/extra and to /usr/share/ca-certificates/mozilla.
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/extra
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/mozilla
Note: /usr/share/ca-certificates/mozilla is managed by the ca-certificates package. On Debian and Ubuntu, locally added CAs belong in /usr/local/share/ca-certificates, which update-ca-certificates scans automatically and treats as implicitly trusted without any edit to /etc/ca-certificates.conf; if you place the ".crt" file there instead, Steps 5 and 7 are not required.

Step 5: Reconfigure the CA certificates by running:
sudo dpkg-reconfigure ca-certificates
Select the newly added certificate in the wizard and follow its instructions.



Step 6: Update the system CA bundle by running the following command:
sudo update-ca-certificates

Step 7: Check /etc/ca-certificates.conf and make sure the line for the certificate is not prefixed with "!". A leading "!" marks a certificate as deselected, and update-ca-certificates skips deselected entries.
Run sudo vi /etc/ca-certificates.conf and check the entry for the SonicWall DPI-SSL certificate.
Note: Be careful when editing files with "vi". Improper changes to this file can cause certificate problems on the machine.

Below is a screenshot of ca-certificates.conf after the "!" in front of mozilla/dpi-ssl-2048-sha2.crt was removed with "vi".

Step 8: Firefox and Chrome on Ubuntu use their own NSS certificate databases, so certutil (from the libnss3-tools package) is used to modify them. To trust a root CA certificate for issuing SSL server certificates in Chrome, use:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Description Name" -i <certificate path>
In this case the command was:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "SonicWall DPI Cert" -i /usr/share/ca-certificates/extra/dpi-ssl-2048-sha2.crt

Step 9: Verify that the certificate was added to Chrome's certificate database by running the following command:
certutil -d sql:$HOME/.pki/nssdb -L

Step 10: To add the SonicWall certificate to the Firefox certificate database, run:
certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i <certificate path>
Note: the dbm: prefix addresses the legacy cert8.db database. Firefox 58 and later store certificates in cert9.db, which certutil addresses with the sql: prefix instead; check which file exists in the profile directory before running the command.
In this case the command was:
certutil -A -n "SonicWall DPI SSL Cert" -t "CT,C,C" -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/ -i /usr/share/ca-certificates/mozilla/dpi-ssl-2048-sha2.crt

Step 11: Verify that the certificate was added to the Firefox certificate database. Point -d at the same profile directory used in Step 10; the database lives inside the profile directory, not in ~/.mozilla/firefox itself:
certutil -L -d dbm:/home/<username>/.mozilla/firefox/<default folder>/
In this case the command was:
certutil -L -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/
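The whole procedure above, scripted with the check a practitioner would want at each step. This is an added example written for this article, not SonicWall tooling or code from the article. It assumes openssl and certutil (package libnss3-tools) are installed; it installs the CA under /usr/local/share/ca-certificates, the location update-ca-certificates scans automatically, instead of /usr/share/ca-certificates as in Steps 3 to 7, so no dpkg-reconfigure or ca-certificates.conf edit is needed; it picks sql: or dbm: for each Firefox profile depending on whether cert9.db or cert8.db exists; and it refuses to install the certificate unless its SHA-256 fingerprint matches one obtained out of band from the firewall administrator, because whoever holds this CA's private key can impersonate any HTTPS site to the browser. The nickname "SonicWall DPI-SSL CA", the script name and the file names are assumptions.

```shell
#!/bin/sh
# install-dpi-ssl-ca.sh (added example, not part of the SonicWall article):
# trust a DPI-SSL CA in the Ubuntu system store and in the NSS databases used
# by Chrome and Firefox, verifying each step.
# Usage: ./install-dpi-ssl-ca.sh <ca.cer> <expected SHA-256 fingerprint>
set -eu

# Derive the PEM file name from the downloaded DER name: foo.cer -> foo.crt
crt_name_for() {
    printf '%s\n' "$(basename "$1" .cer).crt"
}

# Convert the DER-encoded .cer to PEM. update-ca-certificates only picks up
# PEM files with a .crt extension, so this conversion is mandatory.
convert_der_to_pem() {   # $1 = input .cer, $2 = output .crt
    openssl x509 -inform DER -in "$1" -out "$2"
}

# SHA-256 fingerprint of a PEM certificate in openssl's AB:CD:... form.
fingerprint_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# NSS database prefix for a Firefox profile directory: cert9.db (Firefox 58+)
# is the SQLite format ("sql:"), cert8.db is the legacy format ("dbm:").
# Returns non-zero if the directory holds neither.
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then echo "sql:"; return 0; fi
    if [ -f "$1/cert8.db" ]; then echo "dbm:"; return 0; fi
    return 1
}

# Add a CA to an NSS database with the "C" flag (trusted CA for SSL servers)
# and confirm it is stored under the given nickname.
add_ca_to_nss() {        # $1 = db spec, $2 = nickname, $3 = .crt
    certutil -d "$1" -A -t "C,," -n "$2" -i "$3"
    certutil -d "$1" -L -n "$2" >/dev/null
}

main() {
    cer="$1"              # DER-encoded CA downloaded from the firewall
    expected_fp="$2"      # fingerprint obtained from the firewall administrator
    crt="$(crt_name_for "$cer")"
    nickname="SonicWall DPI-SSL CA"   # assumed nickname

    convert_der_to_pem "$cer" "$crt"

    # Do not trust the CA unless it is the one the administrator published.
    actual_fp="$(fingerprint_of "$crt")"
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "fingerprint mismatch: got $actual_fp, expected $expected_fp" >&2
        return 1
    fi

    # System store: /usr/local/share/ca-certificates is scanned automatically.
    sudo install -m 0644 "$crt" "/usr/local/share/ca-certificates/$crt"
    sudo update-ca-certificates
    # update-ca-certificates links each accepted .crt into /etc/ssl/certs as .pem
    test -e "/etc/ssl/certs/${crt%.crt}.pem"
    # and the rebuilt bundle now validates the CA itself.
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$crt" >/dev/null

    # Chrome: the per-user NSS database.
    mkdir -p "$HOME/.pki/nssdb"
    add_ca_to_nss "sql:$HOME/.pki/nssdb" "$nickname" "$crt"

    # Firefox: every profile has its own database; skip directories without one.
    for profile in "$HOME"/.mozilla/firefox/*/; do
        prefix="$(nss_db_prefix "$profile")" || continue
        add_ca_to_nss "${prefix}${profile}" "$nickname" "$crt"
    done
}

# Only run the procedure when both arguments are supplied.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

The fingerprint argument has the form openssl prints (for example AB:CD:...), and the administrator can produce it from the original file with the same openssl x509 -fingerprint -sha256 command. When the machine leaves the inspected network, remove the CA again with certutil -D -n "SonicWall DPI-SSL CA" -d <db spec> for each database, delete the file from /usr/local/share/ca-certificates and rerun sudo update-ca-certificates.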

How to test:
Once the SonicWall DPI-SSL certificate has been added to the Firefox and Chrome certificate databases, no certificate error should appear when accessing HTTPS resources in either browser.
Chrome Result:

FireFox Result:

Resolution for SonicOS 6.5
SonicOS 6.5 includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers running SonicOS 6.5 firmware.
As above, the browsers only validate and trust the certificate presented by the SonicWall during DPI-SSL inspection once the SonicWall DPI-SSL CA certificate has been imported into their certificate databases; the demonstration again uses Ubuntu 16.10.
Step 1: Download the SonicWall DPI-SSL certificate from the DPI-SSL Client page.
Log in to the SonicWall management page, click the Manage tab, then follow these steps:
- Navigate to the Decryption Services | DPI-SSL Client page and click the Certificate tab.
- Click (download) next to "Default SonicWall DPI-SSL 2048 bit CA Certificate".
- Save it to your local drive.
Steps 2 through 11 and the test are the same as in the resolution above for SonicOS 6.2 and earlier; only the location of the certificate download in the management interface differs.