• SonicOSX 7
• About Device Settings
• Managing SonicWall Licenses
  • Licenses
  • Managing Security Services
    • Services Summary
    • Managing Security Services Online
      • Managing Services from SonicOS Management Interface
      • Synchronizing Changes
    • Manual Upgrade for Closed Environments
  • Registering Your SonicWall Appliance
  • Activating the Gateway Anti-Virus, Anti-Spyware, and IPS License
  • Activating FREE TRIALs
• System Administration
  • Configuring the Firewall Name
  • Enabling Wireless LAN and IPv6
  • Changing the Administrator Name and Password
  • Configuring Login Security
    • Configuring Password Compliance
    • Configuring Login Constraints
  • Multiple Administrators Support
    • Working of Multiple Administrators Support
      • Configuration Modes
      • User Groups
      • Priority for Preempting Administrators
      • GMS and Multiple Administrator Support
    • Configuring Multiple Administrator Access
  • Enabling Enhanced Audit Logging Support
  • Configuring the Wireless LAN Controller
  • Enabling SonicOSX API and Configuring Authentication Methods
  • Enabling GMS Management
  • Configuring the Management Interface
    • Managing through HTTP/HTTPS
    • Selecting a Security Certificate
    • Controlling the Management Interface Tables
    • Enforcing TLS Version
    • Switching Configuration Modes
    • Deleting Browser Cookies
    • Configuring SSH Management
  • Client Certificate Verification
    • About Common Access Card
    • Configuring Client Certificate Verification
    • Using the Client Certificate Check
    • Checking Certificate Expiration
    • Troubleshooting User Lock Out
  • Selecting a Language
• Configuring Time Settings
  • Setting System Time
  • Configuring NTP Settings
    • Using a Custom NTP Server for Updating the Firewall Clock
    • Adding an NTP Server
    • Editing an NTP Server Entry
    • Deleting NTP Server Entry
• Managing Certificates
  • About Digital Certificates
  • About the Certificates Table
  • About Certificate Details
  • Importing Certificates
    • Importing a Local Certificate
    • Importing a Certificate Authority Certificate
    • Creating a PKCS-12 Formatted Certificate File (Linux Systems Only)
  • Deleting Certificates
  • Generating a Certificate Signing Request
  • Configuring Simple Certificate Enrollment Protocol
• Administering SNMP
  • About SNMP
  • Setting Up SNMP Access
    • Enabling and Configuring SNMP Access
      • Configuring Basic Functionality
      • Configuring SNMPv3 Engine IDs
      • Configuring Object IDs for SNMPv3 Views
    • Setting Up SNMPv3 Groups and Access
      • Creating Groups and Adding Users and Access
        • Creating a Group
        • Adding Access
        • Adding Users
  • Configuring SNMP as a Service and Adding Rules
• Firmware Settings
  • Firmware Management and Backup
    • Firmware Management & Backup Tables
      • Local Table
      • Cloud Table
      • Show Configuration Files Table
    • Searching the Table
  • Creating a Backup Firmware Image
    • Creating a Local Backup Firmware Image
    • Creating a Cloud Backup Firmware Image
    • Scheduling Firmware Image Backups
      • Scheduling a One-Time Backup
      • Scheduling Recurring Backups
      • Deleting Scheduled Backups
  • Updating Firmware
    • Updating Firmware Manually
    • Firmware Auto Update
    • Using SafeMode to Upgrade Firmware
  • Importing and Exporting Settings
    • Importing Settings
    • Exporting Settings
  • Configuring Firmware and Backup Settings
    • Send Settings or Reports by FTP
    • Sending Diagnostic Reports to Technical Support
    • Boot Settings
    • One-Touch Configuration Overrides
    • Enabling FIPS Mode
    • Enabling NDPP mode
• Restarting the System
• SonicWall Support
  • About This Document

Configuring Client Certificate Verification

To configure Client Certificate Check

1. Navigate to Device | Settings > Administration.

2. Click Certificate Check.

   

3. To enable client certificate checking and CAC support on the SonicWall Security Appliance, select Enable Client Certificate Check. If you enable this option, the other options become available. A warning confirmation message displays:

   

4. Click OK.

5. To activate the client certification cache, select Enable Client Certificate Cache.

   The cache expires 24 hours after being enabled.

6. To specify from which certificate field the user name is obtained, choose an option from User Name Field:
   • Subject: Common Name (default)
   • Sub Alt: Email
   • Sub Alt: Microsoft Universal Principal Name

7. To select a Certification Authority (CA) certificate issuer, choose one from the Client Certificate Issuer drop-down menu. The default is thawte Primary Root CA - G3.

   If the appropriate CA is not listed, you need to import that CA into the SonicWall Security Appliance. See Managing Certificates section.

8. To select how to obtain the CAC user group membership and, thus, determine the correct user privilege, choose from the CAC user group memberships retrieve method drop-down menu:
   • Local Configured (default) – If selected, you should create local user groups with proper memberships.
   • From LDAP – If selected, you need to configure the LDAP server. (see Configuring the SonicWall for LDAP section in SonicOS 7.0 Users document available at https://www.sonicwall.com/support/technical-documentation/.

9. To enable the Online Certificate Status Protocol (OCSP) check to verify the client certificate is still valid and has not been revoked, select Enable OCSP Checking. When this option is enabled, the OCSP Responder URL field displays and the Enable periodic OCSP Check option displays.

   

   Enter the URL of the OSCP server that verifies the status of the client certificate in the OCSP Responder URL field.

   The OCSP Responder URL is usually embedded inside the client certificate and does not need to be entered. If the client certificate does not have an OCSP link, you can enter the URL link. The link should point to the Common Gateway Interface (CGI) on the server side, which processes the OCSP checking. For example: http://10.103.63.251/ocsp.

10. To enable a periodic OCSP check for the client certificate for verifying that the certificate is still valid and has not been revoked:
    1. Select Enable periodic OCSP Check. The OCSP check interval field becomes available.
    2. Enter the interval between OCSP checks, in hours, in the OCSP check interval 1~72 (in hours) field. The minimum interval is 1 hour, the maximum is 72 hours, and the default is 24 hours.
11. Click Accept.