CSR generation and re-signing for expired DPI-SSL certificates for Gen7 firewalls on SonicOS 7.0.1, Gen6 and Gen6.5 running on firmware SonicOS 6.5.X.X

Description

For Gen7:

The default DPI SSL Client SonicWall certificate available for firmware version 7.0.1-XXXX will expire on the 15th January 2026. Customers are advised to upgrade the firmware to 7.3.1-XXXX or implement the workaround suggested in this article.

 

For Gen6 and Gen6.5 running on firmware version 6.5.X.X:

The default DPI SSL Client SonicWall certificate available for firmware version 6.5.X.X will expire on the 15th January 2026. Customers are advised to implement the workaround outlined in this article.

Resolution

Workaround for SonicOS 7.0.1-XXXX

 

The workaround below is for customers who are running SonicOS 7.0.1-XXXX firmware and are unwilling or unable to upgrade to firmware version 7.3.1-XXX and above.

Customers must switch to a custom DPI SSL Certificate due to the expiry date (15th-Jan-2026) of the default DPI SSL Certificate.

 

Options for customers who choose to replace the expired Default SonicWall DPI-SSL CA certificate:

  • Customers cannot request a DPI-SSL CA certificate from a commercial certificate authority.
    • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
    • Customers can create certificates from a private Certificate Authority Server.
  • Customers may choose to implement their own Certificate Authority servers, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
    • Customers may choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
       Note:
      Customers will have to use a strong hash for the certificate.
      Customers must also look after the maintenance and protection of the Server CA.
    • Customers may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.

 

Generating a Certificate Enrollment Request (CER) 

 

  1. Navigate to Device | Settings | Certificates and click New signing Request.

     NOTE: A minimum of SHA256 and 2048 bits is required, and SonicWall recommends use of a strong hash for the certificate.

  2. Complete the Generate Certificate Signing Request form and select Generate.

Export the pending Certificate Enrollment Request (CER)

 

  1. Navigate to Device | Settings | Certificates and select the Configure button of your pending certificate request.
  2. Click Export in your Export Certificate Request Popup.
  3. Open the export file with Notepad for temporary storage.

Go to Microsoft CA Server and request a certificate

 

  1. Request a certificate.
  2. Submit an advanced certificate request.
  3. Click advanced certificate request.

Request a certificate that has re-signing capability. Here we are using the "Subordinate Certification Authority" template as an example.

 

  1. Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
  2. In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
  3. A Subordinate CA template has certificate re-signing capability.
  4. Do not use the Web Server template (this template cannot do re-signing).
  5. Click Submit.

 

 


Download from the Microsoft CA Server and save to a local file

 

  1. Select the option Download certificate chain.
  2. Save the certificate (the file’s default name is certnew.p7b, rename if needed as seen in the image).
  3. Download certificate.
  4. Install this certificate in the Trusted Root Certification Authorities store of the computers on the local network by following the steps below:

For Chrome/Edge/IE: 

  1. Double-click the downloaded certificate.
  2. Select Install Certificate.
  3. Choose whether to install for the current user or the local machine.
  4. Select "Place all certificates in the following store".
  5. Browse and select the Trusted Root Certification Authorities tab.
  6. Click Finish. The Certificate Import Wizard will guide you through importing the certificate.

Firefox:

  1. Enter in the URL: about:preferences#privacy
  2. Scroll down to Certificates and click View Certificates
  3. Click Import
  4. Select the downloaded certificate
  5. Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
  6. Click OK


 

Mac:

Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

 

You can also follow the KB below to learn about other methods of distributing the SonicWall DPI SSL Certificate:

https://www.sonicwall.com/support/knowledge-base/various-methods-to-distribute-sonicwall-dpi-ssl-certificate/kA1VN0000000OX50AM
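
Before uploading the chain to the firewall, the issued certificate can be checked against the requirements this article states for both workarounds: re-signing capability, SHA256 or stronger, and at least 2048 bits. The script below is an added example, not SonicWall code; it assumes the openssl command-line tool and an RSA key, its function names are hypothetical, and the certificates produced by make_sample are constructed test samples.

```shell
# Added example (not SonicWall code). Requires the openssl CLI.
# Convert the downloaded chain to PEM first (add -inform DER for a binary file):
#   openssl pkcs7 -print_certs -in certnew.p7b -out chain.pem
# Only the first certificate in a file is read, so pass the issued certificate itself.

# check_dpi_ssl_ca CERT.pem: returns 0 only if the certificate can re-sign
# (CA:TRUE and Certificate Sign) and meets the SHA256 / 2048-bit RSA minimums.
check_dpi_ssl_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    rc=0
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "FAIL: Basic Constraints is not CA:TRUE"; rc=1; }
    printf '%s\n' "$text" | grep -q 'Certificate Sign' \
        || { echo "FAIL: Key Usage lacks Certificate Sign"; rc=1; }
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
    printf '%s\n' "$sig" | grep -Eiq 'sha(256|384|512)' \
        || { echo "FAIL: weak signature hash: $sig"; rc=1; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] \
        || { echo "FAIL: key is ${bits:-unknown} bits, need >= 2048"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $sig, $bits-bit key, CA:TRUE, Certificate Sign"
    return "$rc"
}

# make_sample SECTION OUT.pem: constructed self-signed test certificate whose
# extensions mimic what a Subordinate CA or a Web Server template would issue.
make_sample() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed DPI-SSL sample
[sub_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[web_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -x509 -config "$cfg" -extensions "$1" -newkey rsa:2048 -nodes \
        -keyout "$cfg.key" -out "$2" -days 1 -sha256 2>/dev/null
    status=$?; rm -f "$cfg" "$cfg.key"; return "$status"
}
```

A certificate issued from the Web Server template fails the first two checks, which is the case the template steps above warn against.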

 

Complete the certificate enrollment on SonicWall by uploading the newly issued certificate chain

 

  1. Navigate to Device | Settings | Certificates and select Import.
  2. Browse to the CA certificate chain file.
  3. Select the file.
  4. Upload the file.
  5. The firewall will prompt for a restart.
  6. After rebooting, the CSR should show as Validated, with the intermediate certificate and CA certificate.

 



View the imported certificate under DPI-SSL | Client SSL

 

  • The newly installed CA certificate is available for DPI-SSL services.

  • Once the DPI SSL client has been enabled and the imported certificate has been selected as the DPI SSL client certificate, it should be visible when accessing any website.

Workaround for Firmware Version 6.5.X.X:

 

Customers running firmware version 6.5.X.X must switch to a custom DPI SSL Certificate due to the expiry date (15th-Jan-2026) of the default DPI SSL Certificate.

 

Options for customers who choose to replace the expired Default SonicWall DPI-SSL CA certificate:

  • Customers cannot request a DPI-SSL CA certificate from a commercial certificate authority.
    • Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
    • Customers can create certificates from a private Certificate Authority Server.
  • Customers may choose to implement their own Certificate Authority servers, such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
    • Customers may choose to replace the SonicWall self-signed HTTPS management certificate with a certificate issued by their own Certificate Authority server.
       Note:
      Customers will have to use a strong hash for the certificate.
      Customers must also look after the maintenance and protection of the Server CA.
    • Customers may also choose to replace the default SonicWall DPI-SSL CA certificate. The replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.

Generating a Certificate Enrollment Request (CER)   

  1. Navigate to Manage | Appliance | Certificates and click New signing Request.
  2. Complete the Generate Certificate Signing Request form and select Generate.

     NOTE: A minimum of SHA256 and 2048 bits is required.

 

Export the pending Certificate Enrollment Request (CER)

  1. Navigate to System | Certificates and select the Configure button of your pending certificate request.
  2. Click Export in your Export Certificate Request Popup.
  3. Open the export file with Notepad for temporary storage.


Go to the Microsoft CA Server and request a certificate

  1. Request a certificate.
  2. Submit an advanced certificate request.
  3. Click advanced certificate request.

Request a certificate that has re-signing capability. Here we are using the "Subordinate Certification Authority" template as an example.

  1. Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
  2. In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
  3. A Subordinate CA template has certificate re-signing capability.
  4. Do not use the Web Server template (this template cannot do re-signing).
  5. Click Submit.

Download from the Microsoft CA Server and save to a local file

 

  1. Select the option Download certificate chain.
  2. Save the certificate (the file’s default name is certnew.p7b, rename if needed as seen in the image).
  3. Download certificate.
  4. Install this certificate in the Trusted Root Certification Authorities store of the computers on the local network by following the steps below:

For Chrome/Edge/IE: 

  1. Double-click the downloaded certificate.
  2. Select Install Certificate.
  3. Choose whether to install for the current user or the local machine.
  4. Select "Place all certificates in the following store".
  5. Browse and select the Trusted Root Certification Authorities tab.
  6. Click Finish. The Certificate Import Wizard will guide you through importing the certificate.

Firefox:

  1. Enter in the URL: about:preferences#privacy
  2. Scroll down to Certificates and click View Certificates
  3. Click Import
  4. Select the downloaded certificate
  5. Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
  6. Click OK


 

Mac:

Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

 

You can also follow the KB below to learn about other methods of distributing the SonicWall DPI SSL Certificate:

https://www.sonicwall.com/support/knowledge-base/various-methods-to-distribute-sonicwall-dpi-ssl-certificate/kA1VN0000000OX50AM

 



Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

  1. Navigate to System | Certificates and select the Configure button of your pending certificate request.
  2. Browse to the new certificate file.
  3. Select the file.
  4. Upload the file.




Import the DPI-SSL CA root certificate to SonicWall

  1. Download and save the CA root certificate.
  2. Navigate to System | Certificates and select Import.
  3. Browse to the CA certificate file.
  4. Select the file.
  5. Upload the file.





View the imported certificate under DPI-SSL | Client SSL

 

  • The newly installed CA certificate is available for DPI-SSL services.


 

 

Related Articles

  • How to use www.pkitools.net for Resigning the DPI SSL Client Certificate.
  • SSLVPN authentication with SAML and Google Workspace
  • Certificate error when accessing certain websites when Client DPI-SSL is Enabled