Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
In order for the browsers to validate and trust the certificate presented by SonicWall while performing DPI SSL inspection, we need to import the SonicWall DPI SSL Cert to their Certificate Database.
The objective of this article is to list the steps required to import the SonicWall DPI SSL certificate into Firefox & Chrome running on an Ubuntu machine. In our demonstration we have used Ubuntu version 16.10.
Step 1: Download the SonicWall DPI SSL Certificate from the DPI SSL | Client SSL Page.
Log in to the SonicWall Management page, click the Manage tab, then follow the steps below:
- Navigate to Decryption Services | DPI-SSL Client page and click Certificate tab.
- Click (download) near "Default SonicWall DPI-SSL 2048 bit CA Certificate" in Certificate.
- Save it to your local Drive
Step 2: The certificate that we downloaded in Step 1 is in DER-encoded ".CER" format. We will have to convert the ".CER" file to a PEM-encoded ".CRT" file using the following openssl command in an Ubuntu Terminal window:
openssl x509 -inform DER -in dpi-ssl-2048-sha1.cer -out dpi-ssl-2048-sha2.crt
Step 3: Now, we will have to create a directory under the /usr/share/ca-certificates directory. This directory can be given any name of your choice; we have created a directory named “extra”.
sudo mkdir /usr/share/ca-certificates/extra
Step 4: Copy the ".CRT" certificate file that we created in Step 2 to the /usr/share/ca-certificates/extra and /usr/share/ca-certificates/mozilla directories.
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/extra
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/mozilla
Step 5: Reconfigure CA certificate by running sudo dpkg-reconfigure ca-certificates.
Select the newly added cert and follow the instruction on the wizard.
Step 6: Next update the CA certificate by running following command:
sudo update-ca-certificates
Step 7: Now we need to check the ca-certificates.conf file and ensure that there is no “!” in front of our certificate entry.
Type sudo vi /etc/ca-certificates.conf and check the entry for the SonicWall DPI cert.
Note: Please be careful while editing files using "vi". Improper changes to this file could lead to several certificate-related issues on your machine.
Below is the screenshot of the ca-certificates.conf file after the “!” in front of mozilla/dpi-ssl-2048-sha2.crt was removed using the “vi” editor.
Step 8: Since Firefox & Chrome on Ubuntu OS use their own CA database, we will have to use certutil to modify the content. To trust a root CA certificate for issuing SSL server certificates on Chrome, use
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Description Name" -i <Certificate path>
In our case, we had to run the following command:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "SonicWall DPI Cert" -i /usr/share/ca-certificates/extra/dpi-ssl-2048-sha2.crt
Step 9: Verify that the cert has been added to the Chrome cert database by running the following command:
certutil -d sql:$HOME/.pki/nssdb -L
Step 10: To add the SonicWall cert to the Firefox cert database, run the following command:
certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i <certificate path>
In our case, we had to run the following command:
certutil -A -n "SonicWall DPI SSL Cert" -t "CT,C,C" -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/ -i /usr/share/ca-certificates/mozilla/dpi-ssl-2048-sha2.crt
Step 11: Verify that the certificate has been added to the Firefox cert database:
certutil -L -d <path to Firefox directory under home>
In our case, we had to run the following command:
certutil -L -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/
How to test:
Once the SonicWall DPI SSL cert has been added to the Firefox & Chrome cert databases, we should not see any certificate error while accessing resources using both browsers.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
In order for the browsers to validate and trust the certificate presented by SonicWall while performing DPI SSL inspection, we need to import the SonicWall DPI SSL Cert to their Certificate Database.
The objective of this article is to list the steps required to import the SonicWall DPI SSL certificate into Firefox & Chrome running on an Ubuntu machine. In our demonstration we have used Ubuntu version 16.10.
Step 1: Download the SonicWall DPI SSL Certificate from the DPI SSL | Client SSL Page.
Log in to the SonicWall Management page and follow the steps below:
- Navigate to DPI-SSL | Client SSL page and click Certificate tab.
- Click (download) near "Default SonicWall DPI-SSL 2048 bit CA Certificate" in Certificate.
- Save it to your local Drive
Step 2: The certificate that we downloaded in Step 1 is in DER-encoded ".CER" format. We will have to convert the ".CER" file to a PEM-encoded ".CRT" file using the following openssl command in an Ubuntu Terminal window:
openssl x509 -inform DER -in dpi-ssl-2048-sha1.cer -out dpi-ssl-2048-sha2.crt
Step 3: Now, we will have to create a directory under the /usr/share/ca-certificates directory. This directory can be given any name of your choice; we have created a directory named “extra”.
sudo mkdir /usr/share/ca-certificates/extra
Step 4: Copy the ".CRT" certificate file that we created in Step 2 to the /usr/share/ca-certificates/extra and /usr/share/ca-certificates/mozilla directories.
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/extra
sudo cp dpi-ssl-2048-sha2.crt /usr/share/ca-certificates/mozilla
Step 5: Reconfigure CA certificate by running sudo dpkg-reconfigure ca-certificates.
Select the newly added cert and follow the instruction on the wizard.
Step 6: Next update the CA certificate by running following command:
sudo update-ca-certificates
Step 7: Now we need to check the ca-certificates.conf file and ensure that there is no “!” in front of our certificate entry.
Type sudo vi /etc/ca-certificates.conf and check the entry for the SonicWall DPI cert.
Note: Please be careful while editing files using "vi". Improper changes to this file could lead to several certificate-related issues on your machine.
Below is the screenshot of the ca-certificates.conf file after the “!” in front of mozilla/dpi-ssl-2048-sha2.crt was removed using the “vi” editor.
Step 8: Since Firefox & Chrome on Ubuntu OS use their own CA database, we will have to use certutil to modify the content. To trust a root CA certificate for issuing SSL server certificates on Chrome, use
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "Description Name" -i <Certificate path>
In our case, we had to run the following command:
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n "SonicWall DPI Cert" -i /usr/share/ca-certificates/extra/dpi-ssl-2048-sha2.crt
Step 9: Verify that the cert has been added to the Chrome cert database by running the following command:
certutil -d sql:$HOME/.pki/nssdb -L
Step 10: To add the SonicWall cert to the Firefox cert database, run the following command:
certutil -A -n "Description Name" -t "CT,C,C" -d dbm:/home/<username>/.mozilla/firefox/<default folder>/ -i <certificate path>
In our case, we had to run the following command:
certutil -A -n "SonicWall DPI SSL Cert" -t "CT,C,C" -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/ -i /usr/share/ca-certificates/mozilla/dpi-ssl-2048-sha2.crt
Step 11: Verify that the certificate has been added to the Firefox cert database:
certutil -L -d <path to Firefox directory under home>
In our case, we had to run the following command:
certutil -L -d dbm:/home/rupesh/.mozilla/firefox/umrhpxnk.default/
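Steps 7 to 11 of both procedures above (SonicOS 6.5 and SonicOS 6.2), as an added shell example that is not part of the original article: it reports whether a ca-certificates.conf entry is deselected with "!", detects whether each browser database is sql: (cert9.db) or dbm: (cert8.db) instead of hard-coding the prefix, and imports the CA into every database found. The function names are hypothetical, and using the "C,," trust flags for Firefox as well as Chrome is an assumption of this example.

```shell
#!/bin/sh
# Added example, not SonicWall's own script; function names are hypothetical.

# Step 7: report how an entry is listed in ca-certificates.conf. A line that
# starts with "!" is deselected and skipped by update-ca-certificates.
conf_entry_state() {    # $1 = conf file, $2 = entry, e.g. extra/name.crt
    if grep -qxF -- "$2" "$1"; then echo enabled
    elif grep -qxF -- "!$2" "$1"; then echo disabled
    else echo missing
    fi
}

# Steps 8-11: choose the certutil prefix from the database files present.
# cert9.db is the SQLite format (sql:), cert8.db the legacy format (dbm:).
nss_db_prefix() {       # $1 = directory holding an NSS database
    if [ -f "$1/cert9.db" ]; then echo "sql:"
    elif [ -f "$1/cert8.db" ]; then echo "dbm:"
    else return 1
    fi
}

# List the Chrome database and every Firefox profile under a home directory.
nss_db_dirs() {         # $1 = home directory
    for d in "$1/.pki/nssdb" "$1"/.mozilla/firefox/*/; do
        d=${d%/}
        if nss_db_prefix "$d" >/dev/null; then echo "$d"; fi
    done
}

# Import the CA into each database, trusted for TLS server certificates only,
# then list the stored entry as in Steps 9 and 11.
import_dpi_ca() {       # $1 = PEM certificate, $2 = nickname
    # Print the fingerprint so it can be compared with the firewall's copy.
    openssl x509 -in "$1" -noout -subject -fingerprint -sha256 || return 1
    nss_db_dirs "$HOME" | while IFS= read -r dir; do
        db="$(nss_db_prefix "$dir")$dir"
        certutil -d "$db" -A -t "C,," -n "$2" -i "$1" &&
            certutil -d "$db" -L | grep -F -- "$2"
    done
}

# Runs only when called as: script.sh <certificate.crt> "<nickname>"
if [ "$#" -eq 2 ]; then import_dpi_ca "$1" "$2"; fi
```
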
How to test:
Once the SonicWall DPI SSL cert has been added to the Firefox & Chrome cert databases, we should not see any certificate error while accessing resources using both browsers.