Knowledgebase

Importing a Server Certificate and Chain into the SonicWALL SSL Offloader

Chained Certificates

All Sonic Wall SSL Offloaders support chained certificates. Once the certificates are unzipped into multiple certificates prior to importing into the SonicWALL SSL Offloader, the certificate will need to be imported using the chained certificate commands. The certificates will have a root certificate, and an intermediate CAcertificate in addition to the server/domain certificate.

EXAMPLE- Instructions for using OpenSSL

Now that you have received the certificate, you will need to unzip the certificates up into the root, intermediate and the servercertificates so that you can enter them into the SonicWALL SSLOffloader.

Start by unzipping the 4 certificates, you will only need the IntermediateCA file(UTNAddTrustServerCA.crt,PositiveSSLCA.crt) and your Site/Domain certificates.

Launch open ssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and just install OpenSSL by choosing the 'Custom Installation' option.

Once launched, open the first Intermediate CA(UTNAddTrustServerCA.crt) file and Site/Domain certificatesin a text editor

you will need to copy and paste the entire text including
-----BEGINCERTIFICATE-----
and
-----END CERTIFICATE-----

The Site/Domain certificate is the server certificate.
the intermediate CA file is the intermediary certificate.

Save these files (e.g. C:\server.pem and C:\inter.pem)

Verifythe certificate information with openssl:
x509 -in C:\server.pem-text
(and)
x509 -in :C\inter.pem -text

EXAMPLE- Setting Up the Chained Certificates

Now that you have the proper certificates, you start by loading the certificates into certificate objects. These separate certificateobjects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificateobjects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security deviceis myDevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA generated certificate is server.pem; the name of the PEM-encoded certificate is inter.pem. The names of the recognized and local certificate objects are trusted Cert and myCert,respectively. The name of the certificate group is CACertGroup.

Start the configuration manager as described in the manual.

Attach the configuration manager and enter Configuration mode. (If an attach or configurationlevel password is assigned to the device, you are prompted to enter any passwords.)
inxcfg> attach my Device
inxcfg> configure myDevice
(config[myDevice])>

Enter SSL Configuration mode and create an intermediary certificate namedCACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSLConfiguration mode. (config[myDevice])>ssl
(config-ssl[myDevice])> cert myCertcreate
(config-ssl-cert[CACert])> peminter.pem
(config-ssl-cert[CACert])>end
(config-ssl[myDevice])>

Enter Key Association Configuration mode, load the PEM-encoded CAcertificate and private key files, and return to SSL Configurationmode.
(config-ssl[myDevice])> keyassoc localKeyAssoccreate
(config-ssl-keyassoc[localKeyAssoc])> pem server.pemkey.pem
(config-ssl-keyassoc[localKeyAssoc])>end
(config-ssl[myDevice])>

Enter Certificate Group Configuration mode, create the certificate groupCACertGroup, load the certificate object CACert, and return to SSLConfiguration mode.
(config-ssl[myDevice])> certgroupCACertGroup create
(config-ssl-certgroup[CACertGroup])> certmyCert
(config-ssl-certgroup[CACertGroup])>end
(config-ssl[myDevice])>

Enter Server Configuration mode, create the logical secure serverserver1,assign an IP address, SSL and clear text ports, a securitypolicy myPol, the certificate group CACertGroup, key associationlocalKeyAssoc, and exit to Top Level mode.(config-ssl[myDevice])>server server1 create
(config-ssl-server[server1])> ip address10.1.2.4 net mask 255.255.0.0
(config-ssl-server[server1])>sslport 443
(config-ssl-server[server1])> remote port81
(config-ssl-server[server1])> secpolicymyPol
(config-ssl-server[server1])> certgroup chainCACertGroup
(config-ssl-server[server1])> keyassoclocalKeyAssoc
(config-ssl-server[server1])>end
(config-ssl[myDevice])> end
(config[myDevice])>end
inxcfg>

Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice
inxcfg>

Resources

Additional documents and technical notes on SonicWALL SSL can be found online athttp://www.sonicwall.com/