How can I enable client Certificate check for HTTPS management on the SonicWall?

Description

To further secure the HTTPS access of the SonicWall management GUI, in addition to the username/password authentication, system administrators can enable Client Certificate Check.

The SonicWall Client Certificate Check was developed for use with a Common Access Card (CAC). However, it can be used to enforce a client certificate on any HTTPS management request. The difference is that with a CAC the client certificate is installed in the browser automatically, whereas without a CAC the client certificate must be imported into the browser manually.

This article describes how to enable Client Certificate Check in the SonicWall and how to import a client certificate into the web browser.


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


SonicWall configuration

  1. Login to the SonicWall management GUI.
  2. Navigate to Manage | Appliance | Certificates.
  3. Import the certificate to be used for management.
  4. Navigate to Manage | Appliance | Base Settings page.
  5. Under Web Management settings, enable check box Enable Client Certificate check.
  6. The Client Certificate Issuer drop-down menu contains a list of the Certification Authority (CA) certificates that are available in the SonicWall certificate store. If the appropriate CA is not in the list, you need to import that CA into the SonicWall security appliance.
  7. Enabling the Enable OCSP Checking check box enables Online Certificate Status Protocol (OCSP) to verify that the client certificate is still valid and has not been revoked.
  8. The OCSP Responder URL field is optional; it only needs to be filled in if an OCSP URL is not embedded within the certificate.
  9. Click Accept.
  10. The following screenshots show an internal CA certificate being imported before setting that certificate as Client Certificate Issuer for client certificate check.

  [Screenshots: importing the internal CA certificate and selecting it as Client Certificate Issuer]

  11. When a web browser tries to access the SonicWall HTTPS management without an appropriate certificate, the SonicWall security appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is not found, the SonicWall refuses the connection and the browser displays a standard "page cannot be displayed" message.


CAUTION: When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance.

  • Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
  • Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
  • Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from accessing the OCSP server.

The following CLI commands restore access to a user who is locked out. These commands must be issued within the configuration mode and after logging into the CLI.
 

administration //enter the administration console
no web-management client-certificate-check // disable client certificate check
commit //apply changes  

exit


If the problem is due to OCSP then issue the following commands to disable OCSP checking alone, without disabling client certificate check. If client certificate check is disabled, the option to enable or disable OCSP is not available to the user. 
 

no web-management ocsp-check  // disable OCSP checking
commit //apply changes  

exit


Import client certificate into a web browser

The following points must be kept in mind before importing the client certificate into a browser.

  • The certificate must be signed by the same CA selected for client certificate checking in the SonicWall Administration page.
  • The certificate must be in a container along with its private key, and optionally the CA certificate. For example, .p12 or .pfx extensions.
  • If the CA certificate is not part of the container then it must be separately imported.

The following screenshots show a certificate with .pfx extension and its CA certificate being imported into the Firefox browser:

[Screenshots: importing the .pfx client certificate and its CA certificate into Firefox]

[Screenshots: log into the SonicWall]



Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest upgrading to the latest general release of SonicOS 6.5 firmware.




SonicWall configuration

  1. Login to the SonicWall management GUI.
  2. Navigate to the System Administration page.
  3. Under Web Management settings, enable check box Enable Client Certificate Check.
  4. The Client Certificate Issuer drop-down menu contains a list of the Certification Authority (CA) certificates that are available in the SonicWall certificate store. If the appropriate CA is not in the list, you need to import that CA into the SonicWall security appliance.
  5. Enabling the Enable OCSP Checking check box enables Online Certificate Status Protocol (OCSP) to verify that the client certificate is still valid and has not been revoked.
  6. The OCSP Responder URL field is optional; it only needs to be filled in if an OCSP URL is not embedded within the certificate.
  7. Click Accept.
  8. The following screenshots show an internal CA certificate being imported before setting that certificate as Client Certificate Issuer for client certificate check.

  [Screenshots: importing the internal CA certificate and selecting it as Client Certificate Issuer]

  9. When a web browser tries to access the SonicWall HTTPS management without an appropriate certificate, the SonicWall security appliance checks the Client Certificate Issuer to verify that the client certificate is signed by the CA. If a match is not found, the SonicWall refuses the connection and the browser displays a standard "page cannot be displayed" message.


CAUTION: When using the client certificate feature, these situations can lock the user out of the SonicWall security appliance.

  • Enable Client Certificate Check is checked, but no client certificate is installed on the browser.
  • Enable Client Certificate Check is checked and a client certificate is installed on the browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate Issuer is selected.
  • Enable OCSP Checking is enabled, but either the OCSP server is not available or a network problem is preventing the SonicWall security appliance from accessing the OCSP server.

The following CLI commands restore access to a user who is locked out. These commands must be issued within the configuration mode and after logging into the CLI.
 

administration //enter the administration console
no web-management client-certificate-check // disable client certificate check
commit //apply changes 

exit


If the problem is due to OCSP then issue the following commands to disable OCSP checking alone, without disabling client certificate check. If client certificate check is disabled, the option to enable or disable OCSP is not available to the user. 
 

no web-management ocsp-check  // disable OCSP checking
commit //apply changes 

exit


Import client certificate into a web browser

The following points must be kept in mind before importing the client certificate into a browser.

  • The certificate must be signed by the same CA selected for client certificate checking in the SonicWall Administration page.
  • The certificate must be in a container along with its private key, and optionally the CA certificate. For example, .p12 or .pfx extensions.
  • If the CA certificate is not part of the container then it must be separately imported.
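The three requirements above (same issuer CA as selected on the firewall, a container holding the private key and certificate, the CA certificate included or imported separately) and the lock-out conditions in the CAUTION lists of both resolutions can be checked on a workstation before the feature is enabled. The script below is an added example and is not SonicWall's code: it uses openssl to create a throwaway issuer CA, issues a client certificate carrying an embedded OCSP URL, packages key, certificate and CA into a .p12, and then verifies that the client certificate chains to the CA you intend to select as Client Certificate Issuer (and that it does not chain to an unrelated CA). The CA names, the subject "admin-client", the export password and the responder URL http://ocsp.example.invalid/ are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SonicWall article: build a throwaway issuer CA and
# a client certificate with openssl, package them as the .p12 container the
# article asks for (private key + certificate + CA), and pre-check two of the
# CAUTION conditions before enabling the feature on the firewall: the client
# certificate really chains to the CA you will select as Client Certificate
# Issuer, and an OCSP URL is embedded (so the Responder URL field can stay empty).
# CA names, the subject and the responder URL are constructed values.
set -e
WORK="${WORK:-$(mktemp -d)}"
P12PASS="demo"   # constructed export password for the container

build_test_pki() {
    # Issuer CA: the certificate you would import into Manage | Appliance |
    # Certificates and select as Client Certificate Issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    # A second, unrelated CA to model "the wrong Client Certificate Issuer is selected".
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Other CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
    # Client key and CSR, signed by the issuer CA. The AIA extension carries a
    # (constructed) OCSP responder URL; extendedKeyUsage marks it a client cert.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=admin-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    printf '%s\n' \
        'authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/' \
        'extendedKeyUsage = clientAuth' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
    # The browser-importable container: key + client cert + CA cert (-certfile).
    openssl pkcs12 -export -passout "pass:$P12PASS" \
        -inkey "$WORK/client.key" -in "$WORK/client.pem" -certfile "$WORK/ca.pem" \
        -out "$WORK/client.p12" 2>/dev/null
}

# chain_ok <bundle.p12> <issuer.pem>: succeeds only if the client certificate in
# the container is signed by that CA, which is the test the firewall applies.
chain_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -clcerts -nokeys 2>/dev/null \
        | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# ocsp_url <cert.pem>: prints the OCSP responder URL embedded in the certificate
# (empty output means you would have to fill in the OCSP Responder URL field).
ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

build_test_pki
if chain_ok "$WORK/client.p12" "$WORK/ca.pem"; then
    echo "OK: client certificate chains to Demo Internal CA"
fi
if ! chain_ok "$WORK/client.p12" "$WORK/other.pem"; then
    echo "Selecting Other CA as Client Certificate Issuer would lock you out"
fi
echo "Embedded OCSP URL: $(ocsp_url "$WORK/client.pem")"
```

Run it as-is to see the three results, or set WORK to a directory you keep so that client.p12 can be imported into the browser and ca.pem into the SonicWall certificate store. For the third lock-out condition (OCSP responder unreachable), the same tooling gives a reachability check to run from the management network before ticking Enable OCSP Checking: openssl ocsp -issuer ca.pem -cert client.pem -url "$(ocsp_url client.pem)" must return a good status rather than a connection error.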

The following screenshots show a certificate with .pfx extension and its CA certificate being imported into the Firefox browser:

[Screenshots: importing the .pfx client certificate and its CA certificate into Firefox]

[Screenshots: log into the SonicWall]
