• Secure Mobile Access 12.4
• About This Guide
• CMS Configuration
  • Introduction to CMS
    • Overview
    • CMS Deployment Options
    • What’s New in This Release
      • Global Policy Settings
      • CMS Alerts Logging
    • Central Management Server
    • Central Management Console
    • Managed Appliances
    • Licensing CMS
    • Central User Licenses
    • Global Traffic Optimizer
    • FIPS and CMS
    • Getting Started in Five Steps
  • Installing and Configuring the Central Management Server
    • Overview
    • Kernel based Virtual Machine
    • Supported Platforms for CMS with Global HA
    • Hardware Resource Requirements
    • Installation Files
    • Setting Up a CMS
  • Configuring Appliances for Central Management
    • Overview
    • Firmware Compatibility with the CMS
    • Enabling Central Management on SMA Appliance
    • Registering an SMA Appliance with the CMS
    • Previously Configured Appliances
  • Using the Management Console Menus
    • Overview
    • Dashboard
      • Alerts
      • Appliances Pane
      • Appliance Load
      • Central License Usage Pane
      • About Pane
    • Management Server
      • Alerts
        • View Alerts
        • Configure Alerts
        • Notification
      • Configure
        • Central Management Settings
        • CMS Address Pool
        • Licensing
        • Administrators
          • General Settings
        • Network Settings
        • SSL Settings
        • Services
          • Manage SSH settings from CMS
      • Monitor
        • Configure the logging setting for Managed appliances
      • Maintain
    • Managed Appliances
      • Add/Remove
      • Configure
        • Overview
        • Configuring the Managed Appliances
          • Define Policy
          • Synchronize
        • Support multiple policies with CMS and shared licensing
          • Applying authentication servers to specific appliance
          • Applying SMTP configuration service to specific appliance
          • Applying SMS service to specific appliance
          • Applying realms to a subset of appliance
          • Assign rules to a subset of appliances
          • Support multiple GTO services
      • Monitor
        • User Sessions
        • Reports
        • Health
      • Maintain
  • Central User Licensing
    • Overview
    • How Central User Licenses Work
      • Central Spike User Licenses
      • Central Email Licenses
      • Perpetual Pooled Licenses
    • Enabling Central User Licensing
    • Getting Started with Central User Licensing
      • Setting Up CMS to Use Central User Licenses
      • Setting up CMS for Centralized Appliance Configuration and Management
      • Resetting a CMS License
  • Global High Availability
    • High Availability of the VPN Service
    • High Availability of the CMS
    • Disaster Recovery for the VPN Service
  • Alerts and SNMP
    • Overview
    • Pre-Configured Alerts
    • Configuring SNMP
  • Capture Advanced Threat Protection
    • Enabling Capture ATP
    • File Options
    • Web Services
    • Advanced Settings
  • Central FIPS Licensing
• Global High Availablity
  • Introduction to Global HA and GTO
  • Planning GTO Deployment
    • Choosing a Deployment Model
    • Minimizing Configuration Differences
    • GTO Service Names and DNS Delegations
    • Provisioning Certificates
      • Let's Encrypt
      • Adding Certificates to SMA Appliances
      • Generating a Certificate Signing Request (CSR)
      • Importing SSL Certificates
  • Setting up GTO
    • Setting up the CMS and SMA appliances
    • Enabling GTO service for managed appliances with the CMS
    • Setting up a Basic GTO Service
    • Monitoring and Configuring GTO
    • Defining the Central Policy
  • Extending GTO Deployment
    • Enabling Cached Credentials
    • Additional Deployment Notes
• SonicWall Support
  • About This Document

Let's Encrypt

Let’s Encrypt is a certificate authority that is public, free, API-driven, and trusted by browsers/clients. Integrating Let's Encrypt certificate with SMA enhances the security and eases the deployment process. Let's Encrypt certificates are valid for 90 days and are renewed automatically after 60 days.

In addition, integrating Let's Encrypt certificate with SMA helps to obtain the appropriate SSL certificates when configuring and deploying CMS with GTO.

Let's Encrypt certificates can be configured for standalone and CMS/GTO deployments where CMS manages the Let’s Encrypt certificate(s) for the cluster.

Prerequisites:

• The appliance must be able to access the Let's Encrypt signing CA over the internet.
• Let's Encrypt signing CA must be able to resolve all the Subject Alternative Name (SAN) names included in the certificate in public DNS.
• All the SAN names must resolve to the public IP address of the standalone appliance.
• The Let's Encrypt signing CA must be able to access port 443 on the public interface (or via NAT, as long as the name resolves).
• The Let's Encrypt must be generated after registering all the SMA appliances and all the GTO services configuration

Creating a Let's Encrypt certificate in CMS

Prerequisites:

• The CMS must be able to access the Let's Encrypt signing CA over the internet.
• All GTO service names must be delegated in public DNS so that queries are resolved by the GTO authoritative servers.
• The Let's Encrypt signing CA MUST be able to access port 443 on all managed appliances public interface(s) ( or via NAT and the appliances must be able to access the CMS on port 443).

To create a Let's Encrypt certificate in CMS

1. Log in to CMS.
2. Navigate to Management Server > Configure.

3. Click SSL Settings.

   The SSL Settings page displays,

4. Under the SSL Certificates group, click Edit.

5. In the General tab, click + New and select Create Let's Encrypt certificateoption.

   

6. In the Fully qualified domain name field, enter the complete domain name. The FQDN entered here appears in the certificate and visible to users.

   Wildcard characters are not supported in the FQDN field.

7. In the Alternatives names field, the SAN list is prepopulated for all the required domain names or enter any other name for FQDN. The alternative name entered here appears in the certificate using the SAN certificate extension.

   Let's Encrypt supports up to 100 SANs per certificate.

8. In the Key type drop-down field, select the key type based on your requirement. The supported key types are RSA and EC.
9. In the Key size drop-down field, select the key size based on your requirement. The supported key sizes are 2048, 3072, and 4096 bits.
10. In the Signature drop-down field, select the secure hash algorithm based on your requirement. The supported signatures are SHA 512, SHA-384, and SHA-256.
11. Select Make this the default certificate check box. Selecting this check box replaces the default certificate for end user connections and moves the certificate to first in the list. If using GTO, this will generate the new Let's Encrypt certificate to all managed appliance and make it as a default certificate in appliances.

12. In order to use the Let's Encrypt free certificate authority service, you must agree to their terms of service. Select I agree to the Let's Encrypt terms of service check box.

    

    The Let's Encrypt certificate is created. You can view and modify the Let's Encrypt certificate.

    

To view the certificate

1. Log in to CMS.

2. Navigate to Management Server > Configure.

3. Click SSL Settings.

   The SSL Settings page displays,

4. Under the SSL Certificates group, click Edit.

5. In the General tab, under Certificate Usageoption.

   Once you completed creating a Let's Encrpyt certificate, browse to the host name and ensure that the certificate is valid and verified

   

   

   Click More information to view the validity period and other details.

   

Renewing the certificate

The Let's Encrypt certificates are valid for 90 days and is renewed automatically after 60 days. You can also renew it manually based on your requirements.

To renew the certificate manually

1. Log in to CMS.
2. In the left panel, select Management Server > Configure > SSL Settings.

3. Click Edit under the SSL Certificates group.

4. In the General tab, select the certificate you want to renew and click .

   A success message is displayed and the certificate is renewed for the next 90 days. You can view the certificate validity displayed under Valid Through field.