
2025 - Fun with Short-Lived Certificates

BWC Cybersecurity Overlord ✭✭✭

Hi,

The upcoming year will be a challenge for all of us who are handling certificates. The current maximum lifetime of 398 days wasn't fun at first, but we managed. Solutions with a built-in ACME client (mostly with Let's Encrypt) do not cause any trouble, but every other deployment needs to be addressed manually or automated otherwise.

The proposals from Google (90 days) and Apple (45-47 days) are in the race, but ISRG drops the hammer with a 6-day max lifetime.

This brings us to the elephant in the room: how to manage this intensified situation on SonicWall firewall appliances for SSL-VPN/Virtual Office or on SonicWall Email Security? Neither of them comes with an ACME client (though one has been requested for years).

Cloud Secure Edge has you covered, but it may not fit everyone as a replacement for SSL-VPN.

Running a private CA can help, but is not for everyone. Privately issued certs can have a longer lifetime (not valid for Safari), but the burden of maintaining and distributing the CA brings other challenges with it.

So SonicWall, what's the plan? Any ETA for getting WireGuard into SonicOS (except for CSE)? How about an ACME client for Let's Encrypt?

We need answers and solutions rather quickly.

All the best from Würzburg and I wish all of our Community a happy, peaceful and healthy 2025.

—Michael@BWC

Category: Water Cooler

Comments

  • TKWITS Community Legend ✭✭✭✭✭

    For others looking for reference:

    https://letsencrypt.org/2024/12/11/eoy-letter-2024/

    https://www.globalsign.com/en/blog/90-days-to-47-certificate-lifespans-and-automation

    The lack of Let's Encrypt / ACME support in SonicWall has been a pain point for us for years now.

    Can @Vivek or @Community Manager chime in?

  • MAK Newbie ✭

    It is unfortunate that SonicWall firewalls do not support the ACME protocol, and I am not aware if this feature is on their product roadmap. However, I propose the following solution for managing certificates:

    • Install Certbot on a Linux host.
    • Run Certbot to generate or renew the certificate from Let's Encrypt.
    • Convert the certificate to PFX or P12 format.
    • Use the SonicOS API to upload the PFX/P12 certificate to the firewall.
    • Using SonicOS API, select the uploaded certificate for Management/SSLVPN.

    These steps can be automated with a script or program and applied periodically to all firewalls in scope.
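The procedure MAK outlines, as one script. This is an added example and not code from the thread or from SonicWall: the certbot and openssl invocations are real, but the SonicOS API paths, JSON bodies and auth flow in upload_and_select() are assumed placeholders that must be checked against the SonicOS API reference for your firmware version, and the firewall address is a constructed one. The PKCS#12 step pins the older SHA1/3DES PBE algorithms because OpenSSL 3 defaults to PBES2/AES with a SHA-256 MAC, which appliance parsers frequently reject; verify that your SonicOS release accepts the file before automating the upload.

```shell
#!/bin/sh
# Added example (not from the thread or from SonicWall): automates the
# certbot -> PKCS#12 -> SonicOS API chain described above.
# ASSUMED: every /api/sonicos/... path and JSON field in upload_and_select();
# confirm them against the SonicOS API reference for your firmware.
set -eu

FW_URL="${FW_URL:-https://192.0.2.1}"   # constructed address; point at your firewall
FW_USER="${FW_USER:-admin}"
FW_PASS="${FW_PASS:-}"

# Step 2: obtain or renew the certificate. Standalone mode binds port 80 for
# the HTTP-01 challenge; use --webroot or a DNS plugin if something else owns it.
renew_cert() {
    certbot certonly --standalone --non-interactive --agree-tos \
        --email "$2" -d "$1"
}

# Step 3: bundle leaf, key and chain into a password-protected PKCS#12.
# OpenSSL 3 defaults to PBES2/AES-256 + SHA-256 MAC, which many appliance
# PKCS#12 parsers reject, so the classic SHA1/3DES algorithms are pinned.
# Pass an empty chain argument when there is no intermediate to include.
make_pfx() {
    cert="$1"; key="$2"; chain="$3"; out="$4"; pass="$5"
    set -- -export -in "$cert" -inkey "$key" -out "$out" -passout "pass:$pass" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
    if [ -n "$chain" ]; then set -- "$@" -certfile "$chain"; fi
    openssl pkcs12 "$@"
    chmod 600 "$out"
}

# Sanity check before touching the firewall: prints the leaf subject and
# exits non-zero when the bundle or the password is wrong.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Steps 4 and 5 over the SonicOS API: open a session, import the PKCS#12
# under a fresh name, point the SSL-VPN server at it, commit, log out.
# ASSUMED endpoints/fields; $name and $pass are inserted into JSON unescaped,
# so keep them free of quotes and backslashes.
upload_and_select() {
    pfx="$1"; pass="$2"; name="$3"
    api() { curl -sSk -u "$FW_USER:$FW_PASS" -H 'Content-Type: application/json' "$@"; }
    api -X POST "$FW_URL/api/sonicos/auth"
    api -X POST "$FW_URL/api/sonicos/import/certificate/pkcs12/name/$name" \
        -d "{\"pkcs12\":\"$(base64 < "$pfx" | tr -d '\n')\",\"password\":\"$pass\"}"
    api -X PUT "$FW_URL/api/sonicos/ssl-vpn/server" \
        -d "{\"ssl_vpn\":{\"server\":{\"certificate\":\"$name\"}}}"
    api -X POST "$FW_URL/api/sonicos/config/pending"
    api -X DELETE "$FW_URL/api/sonicos/auth"
}

# Usage: FW_PASS='...' ./renew-sonicwall.sh vpn.example.com admin@example.com pfxpass
main() {
    domain="$1"; email="$2"; pass="$3"
    live="/etc/letsencrypt/live/$domain"
    pfx=$(mktemp)
    renew_cert "$domain" "$email"
    make_pfx "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" "$pfx" "$pass"
    pfx_subject "$pfx" "$pass"
    upload_and_select "$pfx" "$pass" "$domain-$(date +%Y%m%d)"
    rm -f "$pfx"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The import uses a date-stamped certificate name so the new object never collides with the one the SSL-VPN server is currently bound to; old entries can be deleted once the switch is committed. Rather than running this on a fixed cron schedule, it can be attached as a certbot `--deploy-hook`, so the conversion and upload only happen when certbot actually issued a new certificate.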
