SSL Certificate PKI-validation
billmayer Newbie ✭
I'm trying to install an SSL certificate on my Sonicwall firewall so that I can resolve a vulnerability reported by CISA in their weekly scans. However, it seems that in order to get the cert installed the provider requires access to a PKI-validation file. I can understand how this works in IIS with a server file but how do I get a validation/confirmation for the provider when there's only the Sonicwall and no web server behind it?
Category: Entry Level Firewalls
@billmayer if you are referring to the CA (Certificate Authority), as the Provider, all you need is the CSR (Certificate Signing Request), which can be either generated on the firewall or with third party tools such as OpenSSL, PowerShell etc. If you are referring to something different, please clarify and share more details.
Thanks for the quick response. Here are the vulnerabilities identified by CISA:
What is your recommendation to resolve these related to SSL? Additionally thoughts on resolving the TLS vulnerability?
But perhaps what would be even more secure than either of those would be to restrict access to the firewall so that it cannot be reached from the internet. There is definitely no need for management to be open to everywhere, but if you're using the SSLVPN service on the firewall then you cannot turn that off.
If you are not using either HTTPS or SSLVPN, then simply disable those services.
Don't leave access to the HTTPS Management and/or the SSLVPN Ports wide open. Use a WAN to WAN Access Rule to limit based on source IP addresses. If you have remote users utilizing SSLVPN and they have changing public IPs, you can use Dynamic DNS client applications to identify remote users' public IP addresses and still limit access with the WAN to WAN Access Rule based on the Dynamic DNS names of the remote users.
If you want to use HTTPS Management and/or SSLVPN Ports, and leave it wide open, then purchase a CA-signed certificate instead of using the self-signed certificate.
On the firewall you have the option to disable TLS 1.1, and you can even select which ciphers to use/block under Cipher Control.
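A way to verify the two points above from the outside (whether the management or SSLVPN endpoint still negotiates TLS 1.1, and whether it still presents the self-signed certificate) is to connect the way a scanner does. This is an added example, not code from the thread or from SonicWall; the host name on the command line and the certificate values in the sample are constructed.

```python
import ssl
import socket
import sys
from datetime import datetime, timezone


def hardened_client_context():
    """Trust-verifying client context that refuses anything below TLS 1.2,
    i.e. what a scanner expects once TLS 1.0/1.1 are disabled on the firewall."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_self_signed(cert):
    """True when issuer == subject, which is what the factory-default cert looks like."""
    return cert.get("issuer") == cert.get("subject")


def days_until_expiry(cert, now=None):
    """Whole days left on the certificate; 'now' is injectable for testing."""
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def audit_endpoint(host, port=443, timeout=5):
    """Report whether TLS 1.1 is still accepted and what the verified cert looks like."""
    findings = {}
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    legacy.check_hostname = False
    legacy.verify_mode = ssl.CERT_NONE
    legacy.maximum_version = ssl.TLSVersion.TLSv1_1
    try:
        legacy.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 blocks TLS 1.1 at default level
        with socket.create_connection((host, port), timeout) as s, legacy.wrap_socket(s) as tls:
            findings["legacy_tls"] = tls.version()  # e.g. "TLSv1.1" means the finding stands
    except (ssl.SSLError, OSError):
        findings["legacy_tls"] = None  # handshake refused: TLS 1.1 is off
    try:
        with socket.create_connection((host, port), timeout) as s, \
                hardened_client_context().wrap_socket(s, server_hostname=host) as tls:
            cert = tls.getpeercert()
            findings["self_signed"] = is_self_signed(cert)
            findings["days_left"] = days_until_expiry(cert)
    except ssl.SSLCertVerificationError as e:
        findings["verify_error"] = e.verify_message  # chain not trusted (self-signed, etc.)
    return findings


if __name__ == "__main__":
    print(audit_endpoint(sys.argv[1]))  # assumption: target host given as first argument
```

Run it from a host outside your network against the firewall's public address; if `legacy_tls` comes back `None` and `verify_error` is absent, both findings in the scan should clear on the next pass.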
HTTPS and SSLVPN are not enabled on the WAN interface yet I'm still getting the errors identified by CISA as shown previously. Any other suggestions will be greatly appreciated.
@billmayer, please check the scanned port that is associated with the report. Do you have any port forwarding for that? Also, please ensure the report is for the correct firewall. Trust me, I've seen such mistakes, and not limited to a few.
Otherwise, create a web case and attach the Scan Report, TSR, and EXP files to be reviewed.