Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

CSR pending , upload and installation of multi-domain SSL is not working

DOteroDOtero Newbie ✭

Good day all and wishing a Happy Healthy Safe New Year!

We have a tz600 firewall with 2 WANs that need to be enabled for HTTPS use of multi-domain certificate. We have generated the CSR and downloaded it to our Mac. This file is a .p10 format and while others have told me that a private key file is supposed to be generated along with the CSR, I can't locate it. Should there be one generated as my CSR indicates to use a 2048 bit key?

But wait, that is not the bottom line question. I am able to submit the CSR to my CA, which then goes through purchase, activation, and DCValidation. Now from the CA I download the .zip file containing the certificate. It contains 3 files: .crt, ca-bundle and .p7b. My CA vendor points me to this SonicWall article:

However, they make reference to a .cer and .key file which should be renamed to server.cer and server.key placed in a .zip file and then from my firewall System Certificates page select the Pending CSR and upload icon. Then choose the .zip file (created with .cer and .key) from my mac and proceed. My problem is as I mentioned I don't have a .key file and furthermore in the downloaded certificate .zip from my CA there is no .cer file.

Can anyone shed some light on what we are doing wrong and steer us on to right path?

I guess I should have started with a more basic question...Can we have enabled HTTPS for 2 WANs secured by a single multi-domain certificate on a tz600 firewall?


Kind Regards

Category: SSL VPN
Reply

Best Answer

  • CORRECT ANSWER
    TKWITSTKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    Welcome to the fun of SSL certificates! I'm guessing you created the CSR on the Sonicwall? Since you did that, you won't have access to the private key. If you need to have the private key available to you, you'll have to generate the CSR in OpenSSL or use DigiCerts online tool to extract it.

    You can also use OpenSSL (or the Digicert tool i believe) to convert or otherwise manipulate the certificates to other formats or add additional certificates.

    If you are using the multi-domain SSL certificate for HTTPS Management or SSLVPN of the 2 WANs of the Sonicwall that should be no problem.

    Hope that helps.

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @DOtero

    a CSR usually never comes with the private key, because a CA does not and should not have your private key, ever, ever ever ever <just wanna making my point here :)>

    You can only have one certificate active on the appliance. but SAN certificate is fine. You need to import the cerficate chain and the issued certificate though.

    I don't generate the CSR (and private key therefore) on a system directly, I'am always going command line openssl or even better use XCA, my weapon of choice for every certificate related task. Maybe you start over and let the CA re-issue a new cert, shouldn't come with additional costs.

    --Michael@BWC

  • DOteroDOtero Newbie ✭

    Appreciate the quick, insightful and most of all helpful responses to my query.

    Here is an update on my issue.

    I was able to go to my System -> Certificates -> Imported certificates and requests page/table. For my pending CSR entry from the Configure column choose upload icon and in the dialogue choose my .crt file (downloaded in zip file from my CA vendor) for this CSR.

    With that, the pending CSR changed to Local Certificate and status of Validated-Yes, then an additional entry in the table shows my CA certificate.

    I then go to System-> Administration-> Web Management Settings and from the Certificate Selection drop down menu (which is now populated with my new CA certificate) choose the new multi-domain CA certificate and ACCEPT,

    That seems to have worked as I can now see both my FQDNs are secure.

    Thanks everyone!

  • LabdriverLabdriver Newbie ✭

    This discussion was helpful for me as it enabled me to resolve a couple of SSL issues. Here are a few more things I`ve found that took me hours to sort out ...

    1. SonicWall TZ series requires you to upload all the intermediate certificates (the last two on the screenshot) and you may need to create them (via exporting from the SSL bundle you will receive)
    2. In the screenshot above you will see a CSR (Pending request) and underneath it the SSL cert.
    3. Why is the CA cert not shown as validated?
    4. It is not sufficient just to upload the certificate. You need to link it to the pending request
    5. You do this by selecting the pending request and then uploading the cert, with that pending request selected

    I don`t think SonicWall have not done a good job with this. Why on earth should a user need to create the intermediate certs rather than SonicWall accepting a zip file of everything. Why does SonicWall not find the crt and link it to the CSR pending request...

    SSL certs are fairly complicated at the best of time and most of us only do it once or twice a year ...

  • @Labdriver,

    1) A browser usually lists most of the intermediate and root CA, but on SonicWall, we sometimes need to import the intermediate CA cert as not all of them are stored locally.

    2) Also multiple CSRs can be generated from the firewall due to which the corresponding signed cert needs to be uploaded as per the CSR generated.

    I apologize for the inconvenience you had to face. Please use the following KB for reference.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

Sign In or Register to comment.