Certificate on port 443 and 4433
Hi Team,
I have a SonicWall NSa2560 firewall on which I want to install my company's SSL certificate. I have imported the certificate, but it is not showing, and scanning always reports the error that the SSL certificate cannot be trusted, as only a self-signed certificate is showing on the firewall.
Category: SSL VPN
Answers
@shwazh if the certificate is issued by a public CA (like Sectigo, etc.), most likely you did not import the intermediate certificates as well. The whole certificate chain needs to be available to the firewall; otherwise the cert alone will be treated as self-signed, because the signer is unknown.
—Michael@BWC
Hi @BWC,
Any article or steps for the same?
Have a look over here, this should give you an impression.
https://www.sonicwall.com/support/knowledge-base/imported-certificates-not-validating/170504637875973
—Michael@BWC
Hi @BWC,
I have followed all the steps but it is not working.
Could you confirm the source of the CSR? Was it generated on the firewall, or was it created externally?
It was created externally.
@shwazh you don't have the intermediate certs imported, this is why it fails (probably).
Just google for something like this: "openssl create pfx from pem with chain" … you need all the intermediate certs (for the Sub CAs), your server cert and the private key.
There are even tools around if you don't like to tinker with the command line. Look for XCA, which is IMHO by far the best, fantastic, stunning and terrific tool for that. More passion for a product you cannot squeeze out of a German, which should tell you how much I like it.
—Michael@BWC
@shwazh, if you have created the CSR externally then you have two options. Loading only the intermediate and/or the root certificates will not work, since you created the CSR externally and hence the private key is unknown to the firewall. Keep in mind, certificates are based on the private/public key encryption concept.
You can use OpenSSL or PowerShell to create those files, and other third party tools may be available to do the same job. OpenSSL is very common and you can install it on Windows hosts. As a matter of fact it is probably the most common package used on any device. SonicWall firewalls and other devices such as SMA are utilizing OpenSSL. For PowerShell there is a "certutil" command available and you have to search how to use it. Here are the OpenSSL commands you need to utilize.
PFX Certificate:
openssl pkcs12 -export -out your-domain.pfx -inkey your-private-key.key -in your-signed-certificate.crt
P12 Certificate:
openssl pkcs12 -export -out your-domain.p12 -inkey your-private-key.pem -in fullchain-certificate.pem
The CA provides you the "fullchain-certificate.pem" file (the file name may be different, obviously), which is basically the signed certificate, intermediate, and root certificates in a single encoded file.
Once you have one of those files (your-domain.pfx or your-domain.p12) available, you can upload it to your firewall and then select the certificate for firewall management or the SSLVPN service. When you utilize the P12 certificate, you don't need to upload any intermediate/root certificate on the firewall. This may not be the case for a PFX certificate. If the root/intermediate certificates of the signed certificate are not already available on the firewall, then you need to upload them.
I hope this gives you some insight.
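As an added example (not from this thread or from SonicWall), the script below builds a constructed root -> intermediate -> server chain with OpenSSL, packages the server certificate as PKCS#12 once without and once with the intermediate, and checks which bundle actually carries a verifiable chain. It assumes the openssl CLI is installed; all names, subjects and the "demo" password are made up.

```shell
#!/bin/sh
# Added demo: compare a leaf-only PKCS#12 with one that includes the Sub CA,
# so you can check a bundle before uploading it to the firewall.
set -eu
WORK=$(mktemp -d)
make_chain() {
  cd "$WORK"
  # Root CA (self-signed; "openssl req -x509" marks it CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Demo Root CA" -days 30 2>/dev/null
  # Intermediate (Sub CA) signed by the root
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 30 -extfile inter.ext 2>/dev/null
  # Server cert from an "externally generated" CSR, signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/CN=vpn.example.test" 2>/dev/null
  printf 'subjectAltName=DNS:vpn.example.test\nextendedKeyUsage=serverAuth\n' > server.ext
  openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out server.crt -days 30 -extfile server.ext 2>/dev/null
}

# $1 = output bundle, $2 = optional PEM file with the intermediate(s) to include
build_p12() {
  cd "$WORK"
  if [ -n "${2:-}" ]; then
    openssl pkcs12 -export -out "$1" -inkey server.key -in server.crt -certfile "$2" -passout pass:demo
  else
    openssl pkcs12 -export -out "$1" -inkey server.key -in server.crt -passout pass:demo
  fi
}

# Number of certificates inside a bundle: 1 = leaf only, 2 = leaf + intermediate
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$1" -nokeys -passin pass:demo 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Can the leaf be chained to the root using only what the bundle carries?
p12_chain_ok() {
  openssl pkcs12 -in "$WORK/$1" -nokeys -passin pass:demo 2>/dev/null > "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/bundle.pem" "$WORK/server.crt" >/dev/null 2>&1
}
make_chain
build_p12 leaf-only.p12            # what you get when the intermediates are left out
build_p12 with-chain.p12 inter.crt # leaf plus Sub CA, as the firewall needs
echo "leaf-only.p12: $(p12_cert_count leaf-only.p12) cert(s)"   # 1
echo "with-chain.p12: $(p12_cert_count with-chain.p12) cert(s)" # 2
```

The same p12_cert_count check applied to a real .pfx/.p12 (with your own password) tells you before the upload whether the intermediates made it into the bundle.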