How can I create a DPI-SSL certificate for the purpose of DPI-SSL certificate resigning?

10/14/2021 480 People found this article helpful 484,372 Views

Description

SonicWall DPI-SSL is a proxy for SSL connections, acting as a intermediary to provide secure connections between the client PC and the secure website. The SonicWall DPI-SSL accepts the certificate offered by the secure website and re-signs the certificate before sending it to the client's browser. The SonicWall DPI-SSL services is acting as a client when it accepts the secure websites certificate and then acts as a Certificate Authority (CA) when it resigns the websites certificate before sending it to the PC. To establish trust between the client PC and SonicWall DPI-SSL, the SonicWall DPI-SSL CA certificate must be installed in the client's Trusted Root Certification Authorities store.

Resolution

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

The SonicWall has two types of certificates

Certificate for HTTPS management
- The self signed certificate for HTTPS management is also called the device certificate.
- The self signed device certificate can be replaced with a signed device certificate.
- The HTTPS management certificate is unrelated to the DPI-SSL CA certificate
DPI-SSL certificate
- The DPI-SSL CA certificate use for establishing trust between a client PC and SonicWall DPI-SSL.
- The default SonicWall DPI-SSL CA certificate is used for certificate re-signing.
- In some cases the customer may decide to replace the default DPI-SSL CA certificate.
If you decide to replace the default SonicWall DPI-SSL CA certificate, make sure that the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.

Here is the Default SonicWall DPI-SSL CA certificate with Key Usage for Certificate Signing

What are my options if I choose to replace the Default SonicWall DPI-SSL CA certificate?

You cannot request a DPI-SSL CA certificate from a commercial certificate authority.
- Commercial certificate authorities will not issue certificates with Certificate Signing or Certificate Re-signing authority.
You can create certificates from a private Certificate Authority Server.
- The customer chooses to implement their own Certificate Authority servers such as a Microsoft Certificate Authority Server or an OpenSSL CA server.
- The customer may also choose to replace the SonicWall self signed HTTPS management certificate with a certificates issued by their own Certificate Authority server.
- The customer may also choose to replace the default SonicWall DPI-SSL CA certificate, the replacement CA certificate must have Certificate Signing or Certificate Re-signing authority.

Generating a Certificate Enrollment Request (CER)

Navigate to Manage | Appliance | Certificates and click New signing Request.
Complete the Generate Certificate Signing Request form and select Generate.

NOTE: A minimum of SHA256 and 2048 bits is required.

Export the pending Certificate Enrollment Request (CER)

Navigate to System | Certificates and select your certificate pending request Configure button.
Click Export in your Export Certificate Request Popup.

Open the export file with notepad for temporary storage

Go to Microsoft CA Server and request a certificate

Request a certificate.
Submit and advanced certificate request.
Click advanced certificate request.

Request a certificate that has re-signing capability and here we are using the "Subordinate Certification Authority" template as an example

Paste Certificate Enrollment Request text (from your WordPad file) into the Saved Request box.
In the Certificate Template drop down menu, select the Subordinate Certification Authority template.
A Subordinate CA template has certificate re-signing capability.
Do Not use the Web Server template (This template cannot do re-signing).
Click Submit.

Download from the Microsoft CA Server and save to a local file

Select the option Download certificate chain.
Save the certificate (the file default name is certnew.p7b, rename if needed).

Complete the certificate enrollment on SonicWall by uploading the newly issued certificate

Navigate to System | Certificates and select your certificate pending request Configure button.
Browse to new certificate file.
Select file.
Upload file.

Import the DPI-SSL CA root certificate to SonicWall

Download and save the CA root certificate.
Navigate to System | Certificates and select Import.
Browse to CA certificate file.
Select file.
Upload file.

View the imported certificate under DPI-SSL | Client SSL

The newly installed CA certificate is available for DPI-SSL services.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.