CSR pending, upload and installation of multi-domain SSL is not working

DOtero Newbie ✭

Good day all and wishing a Happy Healthy Safe New Year!

We have a tz600 firewall with 2 WANs that need to be enabled for HTTPS use of multi-domain certificate. We have generated the CSR and downloaded it to our Mac. This file is a .p10 format and while others have told me that a private key file is supposed to be generated along with the CSR, I can't locate it. Should there be one generated as my CSR indicates to use a 2048 bit key?

But wait, that is not the bottom line question. I am able to submit the CSR to my CA, which then goes through purchase, activation, and DCValidation. Now from the CA I download the .zip file containing the certificate. It contains 3 files: .crt, ca-bundle and .p7b. My CA vendor points me to this SonicWall article:

However, they make reference to a .cer and .key file which should be renamed to server.cer and server.key placed in a .zip file and then from my firewall System Certificates page select the Pending CSR and upload icon. Then choose the .zip file (created with .cer and .key) from my mac and proceed. My problem is as I mentioned I don't have a .key file and furthermore in the downloaded certificate .zip from my CA there is no .cer file.

Can anyone shed some light on what we are doing wrong and steer us on to right path?

I guess I should have started with a more basic question... Can we have HTTPS enabled for 2 WANs secured by a single multi-domain certificate on a tz600 firewall?


Kind Regards

Category: SSL VPN

Best Answer

  • CORRECT ANSWER
    TKWITS Enthusiast ✭✭
    Accepted Answer

    Welcome to the fun of SSL certificates! I'm guessing you created the CSR on the SonicWall? Since you did that, you won't have access to the private key. If you need to have the private key available to you, you'll have to generate the CSR in OpenSSL or use DigiCert's online tool to extract it.

    You can also use OpenSSL (or the DigiCert tool, I believe) to convert or otherwise manipulate the certificates to other formats or add additional certificates.

    If you are using the multi-domain SSL certificate for HTTPS Management or SSLVPN of the 2 WANs of the SonicWall, that should be no problem.

    Hope that helps.

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @DOtero

    A CSR usually never comes with the private key, because a CA does not and should not have your private key, ever, ever ever ever <just wanna make my point here :)>

    You can only have one certificate active on the appliance, but a SAN certificate is fine. You need to import the certificate chain and the issued certificate though.

    I don't generate the CSR (and therefore the private key) on a system directly; I'm always going command-line openssl or, even better, using XCA, my weapon of choice for every certificate-related task. Maybe you start over and let the CA re-issue a new cert; it shouldn't come with additional costs.

    --Michael@BWC
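
Added example, not part of any post in this thread: one way to do the command-line openssl workflow mentioned above, so the private key is created and kept locally and only the CSR goes to the CA. The FQDNs you pass in, the file names (`server.key`, `server.csr`, `csr.cnf`) and the function names are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example: FQDNs and file names are placeholders, not values from the thread.
set -eu

# Create a 2048-bit RSA key and a CSR listing every FQDN as a subjectAltName.
# A config file is used instead of -addext so older OpenSSL/LibreSSL builds work.
# usage: make_csr <outdir> <fqdn> [<fqdn> ...]
make_csr() {
  dir=$1; shift
  cn=$1; san=""
  for name in "$@"; do san="${san:+$san,}DNS:$name"; done
  cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  chmod 600 "$dir/server.key"   # the key never leaves this machine
}

# Print the DNS names requested in a CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# SHA-256 over the PEM public key held in a key, CSR or certificate file.
# usage: pubkey_hash key|csr|cert <file>
pubkey_hash() {
  case $1 in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the issued certificate carries the public key of this private key.
cert_matches_key() {
  [ "$(pubkey_hash cert "$1")" = "$(pubkey_hash key "$2")" ]
}

# Run with FQDNs as arguments to write server.key, server.csr and csr.cnf here.
if [ "$#" -gt 0 ]; then make_csr . "$@"; csr_sans server.csr; fi
```

Run `cert_matches_key` on the PEM certificate the CA returns before building any upload bundle; a mismatch means the certificate was issued for a different CSR.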

  • DOtero Newbie ✭

    Appreciate the quick, insightful and most of all helpful responses to my query.

    Here is an update on my issue.

    I was able to go to my System -> Certificates -> Imported certificates and requests page/table. For my pending CSR entry from the Configure column choose upload icon and in the dialogue choose my .crt file (downloaded in zip file from my CA vendor) for this CSR.

    With that, the pending CSR changed to Local Certificate and status of Validated-Yes, then an additional entry in the table shows my CA certificate.

    I then go to System -> Administration -> Web Management Settings and from the Certificate Selection drop-down menu (which is now populated with my new CA certificate) choose the new multi-domain CA certificate and ACCEPT.

    That seems to have worked as I can now see both my FQDNs are secure.

    Thanks everyone!
