Selecting the Re-Signing Certificate Authority

By default, DPI-SSL uses the Default SonicWall DPI-SSL CA Certificate to re-sign traffic that has been inspected. Optionally, users can specify that another CA certificate will be used.

For help with creating PKCS-12 formatted files, see Creating a PKCS-12 Formatted Certificate File.

Importing the Certificate

To use a custom CA certificate, you must first import the certificate to the SonicWall network security appliance:

1. Navigate to the System > Certificates page.
2. Click Import Certificate.
3. Select the Import a local end-user certificate with private key from a PKCS#12 (.p12 or .pfx) encoded file option.
4. Choose password and click Import.

After the certificate has been imported, you must configure it on the Client DPI-SSL page:

5. Navigate to the DPI-SSL > Client SSL page.
6. Scroll down to the Certificate Re-Signing Authority section and select the certificate from the drop-down menu.
7. Click Apply.

Adding Trust to the Browser

For a re-signing certificate authority to successfully re-sign certificates, browsers have to trust the certificate authority. Such trust can be established by having the re-signing certificate imported into the browser's trusted CA list. Follow your browser’s instructions for importing re-signing certificates.

Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.
Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.
Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

Creating a PKCS-12 Formatted Certificate File

PKCS-12 formatted certificate files can be created on a Linux system with OpenSSL. To create a PKCS-12 formatted certificate file, one needs to have two main components of the certificate:

For example, Apache HTTP server on Linux has its private key and certificate in the following locations:

With these two files available, run the following command:

openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt

In this example, out.p12 is the PKCS-12 formatted certificate file that is created, and server.key and server.crt are the PEM formatted private key and certificate file, respectively.

After running the above command, one is prompted for the password used to protect/encrypt the file. After the password is chosen, the creation of the PKCS-12 formatted certificate file is complete and it can be imported into the firewall.
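
A pre-import check for the bundle created above, as an added example that is not part of the SonicWall documentation: it confirms that the private key matches the certificate, that the certificate is a CA certificate, and that out.p12 opens with the chosen password. The throwaway test CA, the P12_PASS environment variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SonicWall code). File names and P12_PASS are assumptions.

# make_test_ca DIR: create a throwaway CA key/cert (constructed sample data)
# and bundle them with the same pkcs12 command the page gives.
make_test_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Re-Signing CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null || return 1
    # -passout env: replaces the interactive prompt and keeps the passphrase
    # off the openssl command line.
    openssl pkcs12 -export -out "$1/out.p12" -inkey "$1/server.key" \
        -in "$1/server.crt" -passout env:P12_PASS
}

# check_p12 KEY CERT P12: return 0 only if the bundle is fit to import.
check_p12() {
    # 1. The private key and the certificate must carry the same public key.
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ] || { echo "key does not match certificate" >&2; return 1; }
    # 2. A re-signing certificate must be a CA certificate.
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' \
        || { echo "certificate is not a CA" >&2; return 1; }
    # 3. The bundle must open with the passphrase and hold that certificate.
    want=$(openssl x509 -in "$2" -noout -fingerprint -sha256) || return 1
    got=$(openssl pkcs12 -in "$3" -nokeys -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$got" ] && [ "$got" = "$want" ] \
        || { echo "bundle unreadable or holds another certificate" >&2; return 1; }
}

# Demo run on constructed data in a private temporary directory.
export P12_PASS="${P12_PASS:-constructed-demo-passphrase}"
d=$(mktemp -d)
make_test_ca "$d" && check_p12 "$d/server.key" "$d/server.crt" "$d/out.p12" \
    && echo "out.p12 is ready to import"
```

For a real re-signing CA, skip make_test_ca and call check_p12 on your own key, certificate and bundle with P12_PASS set to the password chosen at export.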