
How to add DPI-SSL CA Certificate on Ubuntu OS?

10/14/2021 25 People found this article helpful 198,634 Views


    Description

    This article explains how to import the SonicWall DPI-SSL certificate into web browsers (Firefox & Chrome) on Ubuntu OS.

    The SonicWall certificate is self-signed, so it is not in the web browser's trusted certificate repository by default. The screenshots below show the certificate error that browsers display when the SonicWall DPI-SSL certificate has not been added to the browser's certificate database.

    Chrome:

     Image

    Firefox:

    Image

    Overview of SonicWall DPI-SSL:

    Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic.

    The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

    The following KB article covers DPI-SSL client configuration on SonicWall:
    https://www.sonicwall.com/en-us/support/knowledge-base/170505885674291

    A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors.

    Resolution

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

    In order for the browsers to validate and trust the certificate presented by SonicWall while performing DPI SSL inspection, we need to import the SonicWall DPI SSL Cert to their Certificate Database.

    The objective of this article is to list the steps required to import the SonicWall DPI-SSL certificate into Firefox & Chrome running on an Ubuntu machine. In our demonstration we used Ubuntu version 16.10.

    Step 1: Download the SonicWall DPI SSL Certificate from the DPI SSL | Client SSL Page.

    Log in to the SonicWall management page, click the Manage tab, then follow the steps below:

    • Navigate to Decryption Services | DPI-SSL Client page and click Certificate tab.
    • Click (download) near "Default SonicWall DPI-SSL 2048 bit CA Certificate" in Certificate.
    • Save it to your local Drive

    Image

    Step 2: The certificate downloaded in Step 1 is in ".CER" format. Convert ".CER" to ".CRT" using the following openssl command in an Ubuntu terminal window:
    openssl x509 -inform DER -in dpi-ssl-2048-sha1.cer -out dpi-ssl-2048-sha2.crt

    Image

    Step 3: Create a directory under the /usr/share/ca-certificates directory. The directory can have any name of your choice; we created one named “extra”.
    sudo mkdir /usr/share/ca-certificates/extra

    Image

    Step 4: Copy the ".CRT" certificate file created in Step 2 to the /usr/share/ca-certificates/extra and /usr/share/ca-certificates/mozilla directories.
    sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/extra
    sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/mozilla

     Image

    Step 5: Reconfigure the CA certificates by running sudo dpkg-reconfigure ca-certificates.

    Image

    Select the newly added cert and follow the instructions in the wizard.

    Image

    Image

    Image

    Step 6: Next, update the CA certificates by running the following command:
    sudo update-ca-certificates

    Image

    Step 7: Check the ca-certificates.conf file and ensure that there is no “!” in front of our certificate entry (a leading “!” marks the entry as deselected).

    Type sudo vi /etc/ca-certificates.conf and check the entry for the SonicWall DPI cert.
    Note: Please be careful while editing files using "vi". Improper changes to this file could lead to several certificate-related issues on your machine.

    Image

    Image

    Below is the screenshot of the ca-certificates.conf file after the “!” in front of mozilla/dpi-ssl-2048-sha2.crt was removed using the “vi” editor.

    Image

    Step 8: Since Firefox & Chrome on Ubuntu OS use their own CA databases, we have to use certutil to modify their content. To trust a root CA certificate for issuing SSL server certificates in Chrome, use:
    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Description Name" -i <Certificate path>

    In our case, we ran the following command:
    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "SonicWall DPI Cert" -i /usr/share/ca-certificates/extra/dpi-ssl-2048-sha2.crt

    Image

    Step 9: Verify that the cert has been added to the Chrome cert database by running the following command:
    certutil -d sql:$HOME/.pki/nssdb -L

    Image

    Step 10: To add the SonicWall cert to the Firefox cert database, run the following command:
    certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i <certificate path>

    In our case, we ran the following command:
    certutil -A -n "SonicWall DPI SSL Cert" -t "CT,C,C" -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/ -i /usr/share/ca-certificates/mozilla/dpi-ssl-2048-sha2.crt

    Image

    Step 11: Verify that the certificate has been added to the Firefox cert database:
    certutil -L -d <path to Firefox directory under home>

    In our case, we ran the following command:
    certutil -L -d /home/rupesh/.mozilla/firefox/

    Image


    How to test:

    Once the SonicWall DPI SSL cert has been added to the Firefox & Chrome cert databases, we should not see any certificate error while accessing resources using either browser.

     Chrome Result:

     Image

     FireFox Result:

    Image
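
A non-interactive alternative to the manual "vi" check in Step 7, given here as an added example that is not part of the original SonicWall article: it reports whether a certificate entry is selected, deselected ("!" prefix) or missing, and clears the "!" on that one entry only while keeping a backup. The function names and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the SonicWall article. Assumed file format: one path
# per line relative to /usr/share/ca-certificates, "#" starts a comment, and a
# leading "!" marks the certificate as deselected.

# Print the state of ENTRY in CONF: selected | deselected | missing
ca_entry_state() {
    local conf="$1" entry="$2"
    if grep -qxF -- "$entry" "$conf"; then
        echo selected
    elif grep -qxF -- "!$entry" "$conf"; then
        echo deselected
    else
        echo missing
    fi
}

# Remove the leading "!" from exactly one entry and leave every other line
# unchanged. The original is kept as CONF.bak.
ca_entry_select() {
    local conf="$1" entry="$2" tmp
    [ "$(ca_entry_state "$conf" "$entry")" = deselected ] || return 0
    cp -p -- "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    if awk -v e="!$entry" '$0 == e { print substr($0, 2); next } { print }' \
        "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"    # overwrite in place to keep owner and mode
    fi
    rm -f -- "$tmp"
}

# Constructed sample standing in for /etc/ca-certificates.conf
demo_conf() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real system file
mozilla/ACCVRAIZ1.crt
!mozilla/dpi-ssl-2048-sha2.crt
extra/dpi-ssl-2048-sha2.crt
EOF
    echo "$f"
}

conf=$(demo_conf)
for e in extra/dpi-ssl-2048-sha2.crt mozilla/dpi-ssl-2048-sha2.crt; do
    echo "before: $e -> $(ca_entry_state "$conf" "$e")"
done
ca_entry_select "$conf" mozilla/dpi-ssl-2048-sha2.crt
echo "after:  mozilla/dpi-ssl-2048-sha2.crt -> $(ca_entry_state "$conf" mozilla/dpi-ssl-2048-sha2.crt)"
rm -f -- "$conf" "$conf.bak"
```

Against the real /etc/ca-certificates.conf the functions need root, and sudo update-ca-certificates must be run again afterwards so the change takes effect.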

     

    Resolution for SonicOS 6.2 and Below

    The resolution below is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

    In order for the browsers to validate and trust the certificate presented by SonicWall while performing DPI SSL inspection, we need to import the SonicWall DPI SSL Cert to their Certificate Database.

    The objective of this article is to list the steps required to import the SonicWall DPI-SSL certificate into Firefox & Chrome running on an Ubuntu machine. In our demonstration we used Ubuntu version 16.10.

    Step 1: Download the SonicWall DPI SSL Certificate from the DPI SSL | Client SSL Page.

    Log in to the SonicWall management page and follow the steps below:

    • Navigate to DPI-SSL | Client SSL page and click Certificate tab.
    • Click (download) near "Default SonicWall DPI-SSL 2048 bit CA Certificate" in Certificate.
    • Save it to your local Drive

    Image

    Step 2: The certificate downloaded in Step 1 is in ".CER" format. Convert ".CER" to ".CRT" using the following openssl command in an Ubuntu terminal window:
    openssl x509 -inform DER -in dpi-ssl-2048-sha1.cer -out dpi-ssl-2048-sha2.crt

    Image

    Step 3: Create a directory under the /usr/share/ca-certificates directory. The directory can have any name of your choice; we created one named “extra”.
    sudo mkdir /usr/share/ca-certificates/extra

    Image

    Step 4: Copy the ".CRT" certificate file created in Step 2 to the /usr/share/ca-certificates/extra and /usr/share/ca-certificates/mozilla directories.
    sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/extra
    sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/mozilla

     Image

    Step 5: Reconfigure the CA certificates by running sudo dpkg-reconfigure ca-certificates.

    Image

    Select the newly added cert and follow the instructions in the wizard.

    Image

    Image

    Image

    Step 6: Next, update the CA certificates by running the following command:
    sudo update-ca-certificates

    Image

    Step 7: Check the ca-certificates.conf file and ensure that there is no “!” in front of our certificate entry (a leading “!” marks the entry as deselected).

    Type sudo vi /etc/ca-certificates.conf and check the entry for the SonicWall DPI cert.
    Note: Please be careful while editing files using "vi". Improper changes to this file could lead to several certificate-related issues on your machine.

    Image

    Image

    Below is the screenshot of the ca-certificates.conf file after the “!” in front of mozilla/dpi-ssl-2048-sha2.crt was removed using the “vi” editor.

    Image

    Step 8: Since Firefox & Chrome on Ubuntu OS use their own CA databases, we have to use certutil to modify their content. To trust a root CA certificate for issuing SSL server certificates in Chrome, use:
    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Description Name" -i <Certificate path>

    In our case, we ran the following command:
    certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "SonicWall DPI Cert" -i /usr/share/ca-certificates/extra/dpi-ssl-2048-sha2.crt

    Image

    Step 9: Verify that the cert has been added to the Chrome cert database by running the following command:
    certutil -d sql:$HOME/.pki/nssdb -L

    Image

    Step 10: To add the SonicWall cert to the Firefox cert database, run the following command:
    certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i <certificate path>

    In our case, we ran the following command:
    certutil -A -n "SonicWall DPI SSL Cert" -t "CT,C,C" -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/ -i /usr/share/ca-certificates/mozilla/dpi-ssl-2048-sha2.crt

    Image

    Step 11: Verify that the certificate has been added to the Firefox cert database:
    certutil -L -d <path to Firefox directory under home>

    In our case, we ran the following command:
    certutil -L -d /home/rupesh/.mozilla/firefox/

    Image


    How to test:

    Once the SonicWall DPI SSL cert has been added to the Firefox & Chrome cert databases, we should not see any certificate error while accessing resources using either browser.

     Chrome Result:

     Image

     FireFox Result:

    Image
