How to use www.pkitools.net for Re-signing the DPI SSL Client Certificate.

Description

Several third‑party CA platforms can act as subordinate (intermediate) CAs to sign certificates—for instance, pkitools.net. 

Resolution

Generating a Certificate Enrollment Request (CER)   

  1. Navigate to Device | Settings | Certificates and click New signing Request.

 NOTE: A minimum of SHA256 and 2048 bits is required, and SonicWall recommends using a strong hash for the certificate.

  2. Complete the Generate Certificate Signing Request form and select Generate.


 

 

Export the pending Certificate Enrollment Request (CER)

  1. Navigate to Device | Settings | Certificates and click the Configure button for your pending certificate request.
  2. Click Export in the Export Certificate Request popup.



Open the exported file with Notepad for temporary storage.

 

Using pkitools.net to get the CSR signed as Subordinate CA:

  1. Browse to www.pkitools.net
  2. Navigate to PKI Services | CA Services
  3. Under the CA Initialization tab, select the use site’s private key option.

Note: The private key we are using is from pkitools.net and it will be maintained by the website.

  4. In the same tab, under Certificate signing:

      1. Select CSR/PKCS#10 for Get Public From.
      2. Select the CSR exported from the firewall for PKCS#10 request.
      3. Select Inherit CSR for Certificate Attribute.
      4. Enable all the auto-generated options as seen in the screenshot below.

  5. Click Generate Certificate and save the certificate with a .cer extension.

 

We need to extract the root certificate from the exported file.

  1. Open the certificate and go to the Certification path.
  2. Select the root certificate and click on View Certificate

 

  3. On the root certificate, go to Details and click Copy to File.
  4. The Certificate Export Wizard opens. Click Next.
  5. Select Base-64 encoded X.509 (.cer) and click Next.
  6. Type a name and select the location to save the file.
  7. Click Finish.
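
Before importing anything on the firewall, the exported CSR, the signed certificate and the extracted root can be checked with OpenSSL. The script below is an added example, not SonicWall or pkitools.net code; it assumes the openssl CLI, PEM (Base-64) files, an RSA key and placeholder file names, and it builds throwaway constructed samples when run without arguments.

```shell
#!/bin/sh
# Added example, not SonicWall or pkitools.net code. Assumes the openssl CLI,
# PEM (Base-64) input files and an RSA key; file names are placeholders.

# check_csr CSR: signature verifies, hash is SHA-256 or stronger, key >= 2048 bits.
check_csr() {
    out=$(openssl req -in "$1" -noout -verify -text 2>&1) || true
    printf '%s\n' "$out" | grep -q 'verify OK' \
        || { echo "CSR signature invalid"; return 1; }
    printf '%s\n' "$out" | grep 'Signature Algorithm' | grep -Eiq 'sha(256|384|512)' \
        || { echo "CSR hash weaker than SHA-256"; return 1; }
    bits=$(printf '%s\n' "$out" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "CSR key is ${bits:-0} bits"; return 1; }
}

# check_signed CERT CSR ROOT: CERT is a CA certificate (needed for re-signing),
# carries the CSR's public key, and chains to the extracted ROOT.
check_signed() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA"; return 1; }
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ] \
        || { echo "certificate key does not match the CSR"; return 1; }
    openssl verify -CAfile "$3" "$1" 2>&1 | grep -q ': OK$' \
        || { echo "certificate does not chain to the root"; return 1; }
}

# make_samples DIR: constructed stand-ins for the real files (throwaway root,
# firewall CSR, and a subordinate CA certificate signed from that CSR).
make_samples() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Constructed Root\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/c.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$1/c.cnf" \
        -extensions v3_ca -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/c.cnf" \
        -subj '/CN=Constructed DPI-SSL CA' -keyout "$1/fw.key" -out "$1/fw.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/fw.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
        -CAcreateserial -sha256 -days 1 -extfile "$1/c.cnf" -extensions v3_ca \
        -out "$1/sub.cer" 2>/dev/null
}

# Usage: sh precheck.sh firewall.csr signed.cer root.cer  (no arguments: demo run)
if [ "$#" -eq 3 ]; then
    check_csr "$1" && check_signed "$2" "$1" "$3" && echo "OK to import"
else
    demo=$(mktemp -d) && make_samples "$demo" && check_csr "$demo/fw.csr" \
        && check_signed "$demo/sub.cer" "$demo/fw.csr" "$demo/root.cer" \
        && echo "constructed samples pass"; rm -rf "$demo"
fi
```

A certificate that fails the CA check or the key-match check was not issued as a subordinate CA for this firewall's request and should not be imported.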

 

 

Now go to the firewall and import the root and CA certificates, then use the CA certificate to validate the CSR.

 

  1. In the browser, log in to the firewall.
  2. Navigate to Device | Settings | Certificates
  3. Import the CA Certificate and Root Certificate one by one.

  4. Import the CA certificate on the CSR.
  5. The firewall prompts you for a reboot. After the reboot, the CSR should show as Validated, and the certificate will be visible in the DPI SSL Client certificates.
  6. The CA certificate can then be installed as a trusted root certificate on the computers.
