
SSL certificate re-issue

dc500 Newbie ✭
edited March 27 in Entry Level Firewalls

I'm trying to figure out how to import or update a reissued SSL certificate. I bought a 3 year cert and it's our first annual "reissue". GoDaddy automatically issued new .crt and .pem files - I did not create a new CSR. I've seen other similar questions and the result was "I just created a new request". Great, except I get an error that the certificate name/alias is already in use so it won't let me create a new CSR. What's the right way to do this? Sonic OS 7

Category: Entry Level Firewalls

Answers

  • Arkwright Community Legend ✭✭✭✭✭

    If you still have the private key then you can assemble them all into a PKCS#12 file which you can import into the firewall BUT it's not good practice to keep reusing the same private key!

    You need to use a slightly different name for your new CSR, I usually put in the year I'm requesting it.

  • dc500 Newbie ✭

    Thanks for the response. But doesn't the CSR have to use the DNS name? I can't change the DNS entry for this every time I update the cert, that doesn't make sense.

  • Arkwright Community Legend ✭✭✭✭✭

    I am not talking about the DN/CN/SAN, I am talking about the "name" of the certificate on the Sonicwall [the "Certificate" field here]:

  • dc500 Newbie ✭

    Thanks and sorry I'm not getting this. When I do "Create new signing request" I have to put the "Certificate Alias" first. I've always used my DNS name there. I don't have a place to change the "name" that I'm aware of?

  • dc500 Newbie ✭
    edited March 28

    Alright I feel like an idiot. The CA can be anything. The real DNS name with domain (FQDN) goes in the Common Name field.

  • dc500 Newbie ✭

    So just to clarify the rest of this - there's no point in getting a 3 year SSL certificate and reissuing the public key annually, should just be creating a new cert every year? Thanks and my apologies, this is the first time I had a new key reissued to me automatically so I wasn't sure how to handle it.

  • Arkwright Community Legend ✭✭✭✭✭

    So just to clarify the rest of this - there's no point in getting a 3 year SSL certificate and reissuing the public key annually, should just be creating a new cert every year?

    So long as you are rotating the private key regularly, it doesn't matter if you do it by creating a CSR on the firewall and importing the resulting files, or generating it externally and importing the PKCS#12 file.
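The two options Arkwright describes, generating a fresh key with a new CSR (the alias being independent of the CN/SAN) and bundling an existing key with its certificate and chain into a PKCS#12 file, as an added example that is not code from the thread or from SonicWall. It assumes `openssl` is installed; the FQDN, alias names and export password are constructed placeholders, and the self-signed certificate stands in for the CA-issued one you would actually receive back.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a working `openssl` binary.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a NEW private key and a CSR for it. The alias only names the files
# (and, on the firewall, the certificate entry); the real DNS name goes in the
# CN and SAN. Prints the CSR path.
make_csr() {
  alias="$1"; fqdn="$2"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$alias.key" -out "$WORKDIR/$alias.csr" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
  printf '%s\n' "$WORKDIR/$alias.csr"
}

# Print the CN from a CSR so it can be checked before sending it to the CA.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//'
}

# Constructed stand-in for the CA-issued certificate: self-sign the CSR with
# its own key. In practice this file is the .crt the CA returns.
stand_in_cert() {
  csr="$1"; key="$2"; out="$3"
  openssl x509 -req -in "$csr" -signkey "$key" -days 30 -out "$out" >/dev/null 2>&1
}

# Succeeds only if the certificate was issued for this private key, which is
# the check to run before trusting a "reissued" .crt against an old key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + certificate (+ optional chain file, e.g. the CA intermediate)
# into a PKCS#12 file, then confirm the bundle opens and holds a private key.
bundle_p12() {
  key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
  set -- -export -inkey "$key" -in "$cert" -out "$out" \
         -passout "pass:$pass" -name "$(basename "$out" .p12)"
  [ -n "$chain" ] && set -- "$@" -certfile "$chain"
  openssl pkcs12 "$@"
  openssl pkcs12 -in "$out" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

demo() {
  fqdn="vpn.example.com"                      # constructed placeholder
  csr=$(make_csr "vpn-2024" "$fqdn")          # alias carries the year, CN the FQDN
  echo "CSR CN: $(csr_cn "$csr")"
  stand_in_cert "$csr" "$WORKDIR/vpn-2024.key" "$WORKDIR/vpn-2024.crt"
  key_matches_cert "$WORKDIR/vpn-2024.key" "$WORKDIR/vpn-2024.crt" && echo "key matches cert"
  bundle_p12 "$WORKDIR/vpn-2024.key" "$WORKDIR/vpn-2024.crt" "" \
             "$WORKDIR/vpn-2024.p12" "changeit" && echo "PKCS#12 written"
}

demo
```

Next year, run `make_csr vpn-2025 vpn.example.com`: the alias changes, the CN does not, and the key is new. The `key_matches_cert` check is what tells you whether a certificate the CA pushed to you belongs to a key you still hold; if it does not, the PKCS#12 route is not available and only a new CSR will do.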

  • dc500 Newbie ✭

    Thank you for your thorough response. I don't see any way to rotate or otherwise manage public vs private keys within the Sonicwall certificates so I'll just stick to generating a new CSR and rekey with our SSL provider for now. I appreciate your help.

  • BWC Cybersecurity Overlord ✭✭✭

    @dc500 IMHO, don't waste any time with the onboard certificate management on the Firewall. Get yourself familiar with a tool like XCA (https://www.hohnstaedt.de/xca/) and do your Key/Cert Management in there. You can import/export as you like.

    It's mostly Drag&Drop from that point on. I'm using it daily and recommend it to anyone who likes to ease the burden of cert management.

    —Michael@BWC
