SonicWall Certificates FAQ

12/20/2019 173 23096

DESCRIPTION:

1.  What is the maximum number of signed certificates which can be uploaded into the SonicWall?
   You can upload  4 signed certificates into the SonicWall. This is including 3^rd party, self-signed or MS CA signed certificates.
   
   
2.  How many certificate signing requests (CSR) can be created in the SonicWall?
   You can create 4 CSRs.
   
   
3. What is the maximum number of CA certificates which can be imported into the SonicWall?
   
   • The maximum limit for CA certificates in the certificate store of the SonicWall is 256.
   • The store has 52 built-in certificates.
   • Therefore, you can import 204 CA certificates.
   
   
   
4. What is the maximum key size supported?
   SonicWall supports key size from 1024 to 4096 bits.
   
   
5. What are the encryption/signing algorithms supported by the SonicWall?
   Currently SonicWall supports only the RSA algorithm.
   
   
6. When importing a signed certificate or a CA certificate, what are the cryptographic hash functions supported by the SonicWall?
   Beginning with SonicOS 5.9.0, SonicWall supports SHA512, SHA256, SHA1 and MD5. Older firmware supports SHA1 and MD5 only.
   
   
7. What are the certificate files supported in the SonicWall?
   
   • Signed Certificates for Signing Request: PEM (.pem) or DER (.der or .cer) encoded. A file with .crt extension is also supported.
   • For directly importing a signed certificate with private key: PKCS#12 (.p12 or .pfx) encoded file.
   • To import a CA certificate: PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file.
     
     
8. What is the maximum validity of a CA certificate ?
   A CA certificate’s validity must  not exceed 38 years when importing into the SonicWall. Beyond this limit, the SonicWall will display error – Bad Time Value.
   
   
9. What is the maximum validity of a signed certificate?
   A signed certificate’s validity must  not exceed 35 years when importing into the SonicWall. Beyond this limit, the SonicWall will display error – Bad Time Value.
   
   
10. I have uploaded a signed certificate into the SonicWall. Can it be exported?
    Yes. A signed certificate can be exported by clicking on the download icon in pfx extension with private key.
    
    
11. Can the private key be exported separately?
    It is not possible to export the private key separately. However, if the certificate is exported (with pfx extension), the private key can be extracted from it using such tools as OpenSSL.
    
    
12. Can I create a CSR for a wildcard certificate?
    Yes. It is possible to create a CSR by prefixing the certificate common name (CN) with an asterisk. (*.example.com).
    
    
13. When creating a CSR in the SonicWall I am unable to specify more than 1 subject alternative name (SANs).
    Although only 1 Subject Alternative Name can be specified when creating the CSR in the SonicWall, additional subject alternative names can be specified to the certificate providers. You can create the regular CSR within SonicWall and when submitting the CSR to the CA, they can add the additional IPs or domain details within the generated certificate.
    
    
14. I created a CSR in the SonicWall and submitted it to my CA. I was issued a signed certificate which I successfully uploaded into the SonicWall via the blue icon. However, the certificate is not validated.
    
    • You must import your CA’s certificate and, if it is an intermediate CA, import all the certificates in the certificate chain to complete the validation process.
    • The local certificate may not be valid yet – check the valid from date on the certificate.
    • The local certificate may have expired - check the valid to date on the certificate.
    • The SonicWall firewall may have the wrong date and time set internally, causing it to think the certificates are invalid.
      
      
15. I created a CSR in the SonicWall and exported it to submit to my CA. In the certificate request process what should I select as the server platform?
    Apache SSL or Apache.
    
    
16. I have a certificate in my SonicWall SMB SSL-VPN appliance. Can I use the certificate in the SonicWall UTM appliance?
    Yes. Export the certificate and the private key from the SMB SSL-VPN appliance. Using a tool like OpenSSL, combine the two into a PKCS#12 file with pfx or p12 extension. Make sure to set a password for the PKCS#12 file. Import the file into the SonicWall.
    
    
17. My SonicWall UTM appliance was reset to factory defaults. I had exported the configuration settings into a file before the reset. However, when I import the settings after the reset I am unable to see my certificate in the certificates page.
    Certificates are not exported when settings are exported into a file. It is recommended to export the certificates separately as a back-up.
    
    
18. What are the cryptographic algorithms used in the default SonicWall self-signed certificate?
    The self-signed certificate pre-loaded in all latest SonicOS firmwares uses SHA-1 with 2048 bits RSA encryption.
    
    
19. What are the SSL / TLS protocol version supported in the SonicWall management and UTM SSL-VPN?
    SonicWall supports SSL 3.0, TLS 1.0 and beginning with SonicOS 6.2, TLS 1.1 and TLS 1.2.
    
    
20. Does the SonicWall support RSASSA-PSS signature algorithm?
    There is no RSASSA-PSS support at this time.