Using GVC with Unique User Certificate
03/26/2020
With the WAN GroupVPN policy (GVC) configured on the SonicWall appliance, some users want to use a unique certificate for each user. This is not possible if the policy is configured with the “Peer ID Type” set to “Distinguished Name”, because the Distinguished Name is not the same for all users (it contains fields that differ from user to user), and with this configuration the policy will not accept a certificate carrying any other “Distinguished Name”.
This limitation can be overcome by choosing “Email ID” or “Domain name” in place of “Distinguished Name”. When either of these is chosen, an exact or partial (wildcard) match of the Peer ID filter must be present in the “Subject Alternative Name” field of the user certificate:
1. If you select “Email ID” as the Peer ID type and the Peer ID filter is *@example.com, then the “Subject Alternative Name” field in the certificate could be firstname.lastname@example.org, email@example.com, or any email ID from example.com.
2. If you select “Domain name” as the Peer ID type and the Peer ID filter is *.example.com, then the “Subject Alternative Name” field in the certificate could be web.example.com, vpn.example.com, or any subdomain of example.com.
The SonicWall appliance lets you fill in the “Subject Alternative Name” in the CSR (Certificate Signing Request) it generates, and that CSR can then be used to create certificates for the appliance itself. The GVC software, however, can only import local or 3rd party certificates; it cannot create a CSR and therefore cannot supply the “Subject Alternative Name” itself.
By default some software vendors do not provide a way to fill in the “Subject Alternative Name” in the CSR. Below are some steps that help fill it in.
Note: The methods below are provided for a local OpenSSL CA and a Microsoft CA. If you are using 3rd party certificates, contact your CA to find out how to get a “Subject Alternative Name” into the user certificates.
Using a local Microsoft Windows 2003 Server CA to issue the user certificate for the GVC software:
Make sure that the Root CA certificate is already present in the GVC software before importing the user certificate, so that GVC can validate the user certificate against that CA.
Note: If (by default) the Microsoft Windows 2003 Server CA is not configured to provide the “Subject Alternative Name” in the certificate, follow the procedure in the section “Preparing the CA server to provide “Subject Alternative Name” in the certificate” below.
Access the CA web page of your local CA and click on the “Request a certificate” link.
Click on “Create and submit request to this CA”
Click on “advanced certificate request” on the next screen
Fill in the user details on the next screen
Make sure that the “Mark keys as exportable” option is selected, and in the Attributes field enter SAN:email=firstname.lastname@example.org (the user's email address, for an email SubjectAltName) or SAN:dns=<domain name> (for a domain name SubjectAltName).
Confirm the certificate request by clicking on ‘Yes’.
Click on the ‘Install the certificate’ link so that the certificate is installed in the user certificate store.
It’ll show the certificate installation confirmation.
Now we need to export the certificate from the browser to a file so that it can be imported into the GVC software.
In the browser, click on the Tools menu > Content tab > Certificates button, select the certificate that you requested from the CA server, and click on the Export button.
A wizard will pop up; follow the on-screen instructions. Click on ‘Next’.
Select ‘Yes, export the private key’ so you can save the certificate in p12 (.pfx) format.
Select the ‘Include all…’ and ‘Enable strong…’ options and click Next.
Provide a password to protect the certificate (and remember it: the password is needed to import the certificate into the GVC software).
Provide the location to save the certificate.
It will show the confirmation that the certificate export was successful.
Now we need to import this certificate into the GVC software. If the WAN GroupVPN policy on the SonicWall device is already configured to use a certificate, the GVC software will prompt you to import a certificate. Alternatively, you can open the Certificate Manager of the GVC software manually and import the certificate there.
Now the GVC software is ready to establish a connection to the SonicWall with a user certificate.
Installing the CA certificate
Access the CA server in the browser and click on ‘Download a CA certificate…’.
Then click on ‘Download CA certificate’; it will prompt you to save the file. Save it on the computer so you can import it into the GVC. Or, if you click on ‘Install this CA certificate chain’, it will install the CA certificate on the local computer.
Preparing the CA server to provide “Subject Alternative Name” in the certificate
Caution: The steps below involve a change to the registry of the server, so make sure that you have a backup of the registry before doing this. You do this at your own risk; SonicWall is not responsible for any damage, outage, data loss or any other kind of loss. Alternatively, you may contact Microsoft to assist you with the same.
All you need to do is login as administrator on the CA server, open a command prompt window and type:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
The response will be similar to the screenshot below.
Then stop and start the CA service.
Now the CA server is ready to provide the “Subject Alternative Name” in the certificate.
To generate a CSR through OpenSSL, create an ‘extension’ file with the following attributes and use it with the command that creates the CSR (details are not provided here). Use the email form for an “Email ID” Peer ID or the DNS form for a “Domain name” Peer ID:
subjectAltName = email:[user email address]   (or: subjectAltName = DNS:[user domain name])
basicConstraints = critical,CA:FALSE
nsCertType = client,email
nsComment = "GVC user certificate"
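As an added example (not from the SonicWall article, nor code from the OpenSSL project), the following POSIX shell script carries out the OpenSSL procedure above end to end: it writes the extension file listed, issues a user certificate from a throwaway local CA, packs it into the password-protected .pfx that GVC imports, and reads the SAN back so it can be checked against the Peer ID filter before the certificate is handed out. It assumes the openssl CLI (1.1.1 or later) is installed; the CA name, user names and SAN values are constructed samples.

```shell
#!/bin/sh
# Added example: OpenSSL user certificate with a SAN for GVC. Not from the
# SonicWall article or the OpenSSL project. Assumes openssl >= 1.1.1 in PATH;
# all names and addresses below are constructed samples.
set -eu

# write_san_ext TYPE VALUE OUTFILE  (TYPE is "email" or "DNS")
write_san_ext() {
  printf 'subjectAltName = %s:%s\nbasicConstraints = critical,CA:FALSE\n' "$1" "$2" > "$3"
  printf 'nsCertType = client,email\nnsComment = "GVC user certificate"\n' >> "$3"
}

# make_ca DIR: self-signed root CA (the Root CA that GVC must already trust)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example GVC Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# make_user_cert DIR USER TYPE VALUE: key + CSR carrying the SAN, signed by the CA
make_user_cert() {
  dir=$1; user=$2; santype=$3; sanvalue=$4
  write_san_ext "$santype" "$sanvalue" "$dir/$user.ext"
  # -addext places the SAN in the CSR itself, so the CA sees it in the request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -addext "subjectAltName=$santype:$sanvalue" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
  # the extension file decides which extensions the issued certificate carries
  openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/$user.ext" -out "$dir/$user.crt" 2>/dev/null
  # password-protected PKCS#12 (.pfx) including the private key, as GVC expects
  openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/$user.pfx"
}

# cert_san CERTFILE: print the SAN entry, e.g. "email:alice@example.com"
cert_san() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Usage: "sh script.sh demo" issues one user per Peer ID type and prints the SANs
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d); make_ca "$work"
  make_user_cert "$work" alice email alice@example.com
  make_user_cert "$work" vpnhost DNS vpn.example.com
  cert_san "$work/alice.crt"; cert_san "$work/vpnhost.crt"; rm -rf "$work"
fi
```

The printed SAN must match the Peer ID filter configured on the appliance (for example *@example.com or *.example.com) before the .pfx is imported into GVC.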
For more details on OpenSSL with SonicWall, search for the “Using OpenSSL to Create a Private Certificate Authority” tech note on the SonicWall web site.
Verifying the Subject Alternative Name in the Certificate
In the certificate details you should be able to see the Subject Alternative Name, as shown in the screenshots below: