How to create a wildcard certificate to be used on the appliance

03/26/2020

    Description

    How to create a wildcard certificate to be used on the appliance

    Resolution

    Overview

    This article explains how to create a wildcard certificate with OpenSSL and import it into the AMC as the Appliance certificate. These instructions apply to 8.6.x appliances only.

    NOTE: The instructions below are unsupported and are here only for your reference.  Follow these instructions at your own risk.  The instructions contained within this article require command line access to the Aventail appliance.  If you are not comfortable with accessing the appliance on the command line, stop here.  KB article #2500 has more information on how to get to the command line of the appliance.

    Problem statement

    The issue is that the Aventail appliance cannot generate a self-signed certificate for a wildcard name, e.g. *.aventail.com.

    To get around this, we use OpenSSL to create a certification authority (CA) on the appliance and then use that CA to sign a wildcard certificate.

    Procedure

    Stage 1 - Create CA on appliance

    1. Create a directory on the appliance to store the CA. For example:
      cd ~
      mkdir aventailca
      cd aventailca
    2. Create 2 files in the directory.  Fill them with the contents listed below.
      1. File number 1 - makefile (the recipe lines under each target must begin with a tab character, not spaces, or make will reject the file)

        #
        # Automates the setup of a custom Certificate Authority and provides
        # routines for signing and revocation of certificates. To use, first
        # customize the commands in this file and the settings in openssl.cnf,
        # then run:
        #
        # make init
        #
        # Then, copy in certificate signing requests, and ensure their suffix is
        # .csr before signing them with the following command:
        #
        # make sign
        #
        # To revoke a key, name the certificate file with the cert option
        # as shown below:
        #
        # make revoke cert=foo.cert
        #
        # This will revoke the certificate and call gencrl; the revocation list
        # will then need to be copied somehow to the various systems that use
        # your CA cert.
        requests = *.csr

        sign: ${requests}

        # remove the -batch option if you want the chance to decline a particular request
        ${requests}: FORCE
        	@openssl ca -batch -config openssl.cnf -in $@ -out ${@:.csr=.cert}
        	@[ -f ${@:.csr=.cert} ] && rm $@

        revoke:
        	@test $${cert:?"usage: make revoke cert=certificate"}
        	@openssl ca -config openssl.cnf -revoke $(cert)
        	@$(MAKE) gencrl

        gencrl:
        	@openssl ca -config openssl.cnf -gencrl -out ca-crl.pem

        clean:
        	-rm ${requests}

        # creates required supporting files, CA key and certificate
        init:
        	@test ! -f serial
        	@mkdir crl newcerts private
        	@chmod go-rwx private
        	@echo '01' > serial
        	@touch index
        	@openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa -out ca-cert.pem -outform PEM

        help:
        	@echo make sign
        	@echo ' - signs all *.csr files in this directory'
        	@echo
        	@echo make revoke cert=filename
        	@echo ' - revokes certificate in named file and calls gencrl'
        	@echo
        	@echo make gencrl
        	@echo ' - updates Certificate Revocation List (CRL)'
        	@echo
        	@echo make clean
        	@echo ' - removes all *.csr files in this directory'
        	@echo
        	@echo make init
        	@echo ' - required initial setup command for new CA'

        # for legacy make support
        FORCE:
      2. File number 2 - openssl.cnf

        #
        # OpenSSL configuration file for custom Certificate Authority. Use a
        # different openssl.cnf file to generate certificate signing requests;
        # this one is for use only in Certificate Authority operations (csr ->
        # cert, cert revocation, revocation list generation).
        #
        # Be sure to customize this file prior to use, e.g. the commonName and
        # other options under the root_ca_distinguished_name section.

        HOME = .
        RANDFILE = $ENV::HOME/.rnd

        [ ca ]
        default_ca = CA_default

        [ CA_default ]
        dir = .
        # unused at present; the few certs involved can be kept in the current dir
        #certs = $dir/certs
        new_certs_dir = $dir/newcerts
        crl_dir = $dir/crl
        database = $dir/index

        certificate = $dir/ca-cert.pem
        serial = $dir/serial
        crl = $dir/ca-crl.pem
        private_key = $dir/private/ca-key.pem
        RANDFILE = $dir/private/.rand

        x509_extensions = usr_cert

        # Comment out the following two lines for the "traditional"
        # (and highly broken) format.
        name_opt = ca_default
        cert_opt = ca_default

        default_crl_days= 30
        default_days = 365
        # The original article used sha1 here. SHA-1 certificate signatures are
        # rejected by current browsers and TLS clients, so sign with SHA-256.
        default_md = sha256
        # MSIE may need following set to yes?
        preserve = no

        # A few different ways of specifying how similar the request should look.
        # For type CA, the listed attributes must be the same, and the optional
        # and supplied fields are just that :-)
        policy = policy_match

        # For the CA policy
        [ policy_match ]
        countryName = optional
        stateOrProvinceName = optional
        organizationName = optional
        organizationalUnitName = optional
        commonName = supplied
        emailAddress = optional

        # For the 'anything' policy
        # At this point in time, you must list all acceptable 'object'
        # types.
        [ policy_anything ]
        countryName = optional
        stateOrProvinceName = optional
        localityName = optional
        organizationName = optional
        organizationalUnitName = optional
        commonName = supplied
        emailAddress = optional

        ####################################################################
        [ req ]
        default_bits = 2048
        default_keyfile = ./private/ca-key.pem
        # sha1 in the original article; use sha256 for the CA certificate as well
        default_md = sha256

        prompt = no
        distinguished_name = root_ca_distinguished_name

        x509_extensions = v3_ca

        # Passwords for private keys if not present they will be prompted for
        # input_password = secret
        # output_password = secret

        # This sets a mask for permitted string types. There are several options.
        # default: PrintableString, T61String, BMPString.
        # pkix : PrintableString, BMPString.
        # utf8only: only UTF8Strings.
        # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
        # MASK:XXXX a literal mask value.
        # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
        # so use this option with caution!
        string_mask = nombstr

        # req_extensions = v3_req

        [ root_ca_distinguished_name ]
        commonName = Aventail EMEA
        countryName = GB
        stateOrProvinceName = London
        localityName = London
        0.organizationName = aventail.com
        emailAddress = test@aventail.com

        [ usr_cert ]

        # These extensions are added when 'ca' signs a request.

        # This goes against PKIX guidelines but some CAs do it and some software
        # requires this to avoid interpreting an end user certificate as a CA.

        basicConstraints=CA:FALSE

        # PKIX recommendations harmless if included in all certificates.
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid,issuer:always

        # Not in the original article: current browsers only match the wildcard
        # against subjectAltName and ignore the commonName, so the issued
        # certificate must carry the name here too. Adjust to your own domain.
        subjectAltName = DNS:*.aventail.com

        nsCaRevocationUrl = https://uk.aventail.com/ca-crl.pem
        #nsBaseUrl
        #nsRevocationUrl
        #nsRenewalUrl
        #nsCaPolicyUrl
        #nsSslServerName

        [ v3_req ]

        # Extensions to add to a certificate request

        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment

        [ v3_ca ]


        # Extensions for a typical CA

        # PKIX recommendation.
        subjectKeyIdentifier=hash
        authorityKeyIdentifier=keyid:always,issuer:always

        # This is what PKIX recommends but some broken software chokes on critical
        # extensions.
        #basicConstraints = critical,CA:true
        # So we do this instead.
        basicConstraints = CA:true

        [ crl_ext ]

        # CRL extensions.
        # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

        # issuerAltName=issuer:copy
        authorityKeyIdentifier=keyid:always,issuer:always
    3. When you have created the above files (modify them as needed), run the following command:
      make init

      Generating a 2048 bit RSA private key
      ...............................................................................................+++
      ..................................................+++
      writing new private key to './private/ca-key.pem'
    4. This creates the required directories and files for the CA in the current directory.

    Stage 2 – Creating the Wildcard certificate

    1. Change directory out of the CA directory to a new one (e.g. cd /root)
    2. Create the certificate request (the options take plain hyphens; 1024-bit RSA is shown as in the original, but current clients reject keys shorter than 2048 bits, so use rsa:2048 or larger):
      openssl req -newkey rsa:1024 -keyout aventail.privkey -out aventail.csr

      Generating a 1024 bit RSA private key
      .........................................................++++++
      ....++++++

      writing new private key to 'aventail.privkey'

      Enter PEM pass phrase:

      Verifying - Enter PEM pass phrase:
    3. You will be asked to enter information that will be incorporated into your certificate request. This is called a Distinguished Name, or DN. There are quite a few fields but you can leave some blank. Some fields have a default value; if you enter '.', the field is left blank.

      Country Name (2 letter code) [AU]:GB
      State or Province Name (full name) [Some-State]:London
      Locality Name (eg, city) []:London
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:Aventail
      Organizational Unit Name (eg, section) []:EMEA
      Common Name (eg, YOUR name) []:*.aventail.com
      Email Address []:

      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:password
      An optional company name []:
    4. This creates 2 files: the private key and the CSR (i.e. aventail.privkey and aventail.csr).
    5. Copy the CSR file to the CA directory you created above (i.e. cp aventail.csr ~/aventailca/.)
    6. Change directory to the CA directory (i.e. cd ~/aventailca)
    7. Run this command:
      make sign

      Using configuration from openssl.cnf

      Check that the request matches the signature
      Signature ok
      Certificate Details:
      Serial Number: 1 (0x1)
      Validity
      Not Before: Mar 1 16:02:10 2006 GMT
      Not After : Mar 1 16:02:10 2007 GMT
      Subject:
      countryName = GB
      stateOrProvinceName = London
      organizationName = Aventail
      organizationalUnitName = EMEA
      commonName = *.aventail.com
      X509v3 extensions:
      X509v3 Basic Constraints:
      CA:FALSE
      X509v3 Subject Key Identifier:
      9E:CE:E9:A5:51:EA:D7:D7:A8:B0:2E:B1:8B:98:14:F1:DE:38:B1:AA
      X509v3 Authority Key Identifier:
      keyid:E8:90:18:0B:6E:CC:DF:D9:B3:31:65:7F:B7:3D:E8:26:8F:E4:83:2
      DirName:/CN=Aventail EMEA/C=GB/ST=London/L=London/O=aventail.co/emailAddress=test@aventail.com
      serial:00

      Netscape CA Revocation Url:
      https://uk.aventail.com/ca-crl.pem
      Certificate is to be certified until Mar 1 16:02:10 2007 GMT (365 days)

      Write out database with 1 new entries
      Data Base Updated 
    8. This creates the certificate (i.e. aventail.cert)
    9. Copy the .cert file created (i.e. aventail.cert) to the directory where you created the CSR (i.e. cp aventail.cert /root/.)
    10. You also need to copy the ca-cert.pem file to the same directory (i.e. cp ca-cert.pem /root/.)
    11. Change directory to the directory you created the CSR file in (i.e. cd /root)
    12. You now need to concatenate 3 files: the certificate, the private key and the CA certificate (ca-cert.pem):
      cat aventail.ce
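    The whole procedure end to end, as an added example that is not from the article or from SonicWall: a POSIX shell script that runs the same openssl ca flow in a scratch directory (with SHA-256 signatures and a subjectAltName), builds the bundle step 12 describes, and checks the result the way an operator should before importing it. It assumes openssl is on PATH; the CA name, the *.example.test wildcard and the WORK directory are constructed values.

```shell
#!/bin/sh
# Added example (not SonicWall's code): the article's "openssl ca" flow with a
# throw-away CA, a wildcard cert that also carries a subjectAltName, and the
# checks worth running before import. Assumes openssl in PATH; WORK and
# WILDCARD are constructed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"
WILDCARD="${WILDCARD:-*.example.test}"

# Stage 1: same layout as the article's "make init", but signing with SHA-256.
setup_ca() {
  mkdir -p "$WORK/ca/newcerts" "$WORK/ca/private" && chmod 700 "$WORK/ca/private"
  echo '01' > "$WORK/ca/serial"; : > "$WORK/ca/index"
  cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK/ca
new_certs_dir = \$dir/newcerts
database = \$dir/index
serial = \$dir/serial
certificate = \$dir/ca-cert.pem
private_key = \$dir/private/ca-key.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:$WILDCARD
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:true
EOF
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 1825 \
    -config "$WORK/ca/openssl.cnf" -extensions v3_ca \
    -keyout "$WORK/ca/private/ca-key.pem" -out "$WORK/ca/ca-cert.pem" 2>/dev/null
}
# Stage 2: wildcard CSR, signed like "make sign", then the step-12 bundle.
issue_wildcard() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/ca/openssl.cnf" \
    -subj "/O=Example/CN=$WILDCARD" -keyout "$WORK/wild.key" -out "$WORK/wild.csr" 2>/dev/null
  openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
    -in "$WORK/wild.csr" -out "$WORK/wild.cert" >/dev/null 2>&1
  cat "$WORK/wild.cert" "$WORK/wild.key" "$WORK/ca/ca-cert.pem" > "$WORK/wild-bundle.pem"
}
# Pre-import checks: chains to CA (1), key matches cert (2), name in SAN (3), not a CA (4).
check_cert() {
  cert="$1"; key="$2"; ca="$3"; name="$4"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 2
  openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$name" || return 3
  openssl x509 -in "$cert" -noout -text | grep -qF 'CA:FALSE' || return 4
}

setup_ca && issue_wildcard
check_cert "$WORK/wild.cert" "$WORK/wild.key" "$WORK/ca/ca-cert.pem" "$WILDCARD"
```

Run it and import $WORK/wild-bundle.pem only when check_cert exits 0; a non-zero status tells you which of the four checks failed.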

    Categories

    • Secure Mobile Access > SMA 1000 Series