System > Certificates

To use certificates in VPN policies, you must obtain a valid CA certificate from a third party CA service. Once you have a valid CA certificate, you import it into the SonicWALL security appliance on the System > Certificates page, where it can then be used to validate your Local Certificates.

Topics:

Digital Certificates Overview

Certificates and Certificate Requests

Certificate Details

Importing Certificates

Deleting a Certificate

Generating a Certificate Signing Request

Configuring Simple Certificate Enrollment Protocol

Digital Certificates Overview

A digital certificate is an electronic means to verify identity through a trusted third party known as a Certificate Authority (CA). The X.509 v3 certificate standard specifies the format of cryptographic certificates and allows you to define extensions to include in your certificate. SonicWALL has implemented this standard in its third party certificate support.

You can use a certificate signed and verified by a third party CA with an IKE (Internet Key Exchange) VPN policy. IKE is an important part of IPsec VPN solutions, and it can use digital certificates to authenticate peer devices before setting up security associations (SAs). Without digital certificates, VPN users must authenticate by manually exchanging shared secrets or symmetric keys. Devices or clients using digital signatures do not require configuration changes every time a new device or client is added to the network.

A typical certificate consists of two sections: a data section and a signature section. The data section typically contains information such as the version of X.509 supported by the certificate, a certificate serial number, information about the user’s public key, the Distinguished Name (DN), validation period for the certificate, and optional information such as the target use of the certificate. The signature section includes the cryptographic algorithm used by the issuing CA, and the CA digital signature.

SonicWALL security appliances interoperate with any X.509v3-compliant provider of Certificates. SonicWALL security appliances have been tested with the following vendors of Certificate Authority Certificates:

• Entrust

• Microsoft

• OpenCA

• OpenSSL

• VeriSign


Note For the HTTPS management self-signed certificate, when running on an ADTRAN NetVanta unit, SonicOS will continue to use an ADTRAN specific HTTPS management self-signed certificate.

Certificates and Certificate Requests

The Certificate and Certificate Requests section provides all the settings for managing CA and Local Certificates.

The View Style menu allows you to display your certificates in the Certificates and Certificate Requests table based on the following criteria:

All Certificates - displays all certificates and certificate requests.

Imported certificates and requests - displays all imported certificates and generated certificate requests.

Built-in certificates - displays all certificates included with the SonicWALL security appliance.

Include expired and built-in certificates - displays all expired and built-in certificates.

The Certificates and Certificate Requests table displays the following information about your certificates:

Certificate - the name of the certificate.

Type - the type of certificate, which can include CA certificate or Local certificate.

Validated - the validation information.

Expires - the date and time the certificate expires.

Details - the details of the certificate. Moving the cursor over the Comment icon displays the details of the certificate.

Configure - displays the Delete icon for deleting a certificate entry and the Import/Download icon to import either certificate revocation lists (for CA certificates) or signed certificates (for Pending requests).

Certificate Details

Hovering the mouse over the comment icon in the Details column of the Certificates and Certificate Requests table displays a popup with information about the certificate, which may include the following, depending on the type of certificate:

• Certificate Issuer

• Subject Distinguished Name

• Certificate Serial Number

• Valid from

• Expires On

• Status (for Pending requests and local certificates)

• CRL Status (for Certificate Authority certificates)

The details shown in the Details popup depend on the type of certificate. Certificate Issuer, Certificate Serial Number, Valid from, and Expires On are not shown for Pending requests as this information is generated by the Certificate provider. Similarly, CRL Status information is shown only for CA certificates and varies depending on the CA certificate configuration.

Importing Certificates

After your CA service has issued a Certificate for your Pending request, or has otherwise provided a Local Certificate, you can import it for use in VPN or Web Management authentication. CA Certificates may also be imported to verify local Certificates and peer Certificates used in IKE negotiation.

Topics:

Importing a Certificate Authority Certificate

Importing a Local Certificate

Importing a Certificate Authority Certificate

To import a certificate from a certificate authority, perform these steps:

1. Click the Import button at the bottom of the certificate table.

The Import Certificate window is displayed.

2. Select Import a CA certificate from a PKCS#7 (*.p7b) or DER (.der or .cer) encoded file. The Import Certificate window settings change.

3. Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.

4. Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.

5. Moving your pointer over the Comment icon in the Details column displays the certificate details information.

Importing a Local Certificate

To import a local certificate, perform these steps:

1. Click Import. The Import Certificate window is displayed.

2. Enter a certificate name in the Certificate Name field.

3. Enter the password used by your Certificate Authority to encrypt the PKCS#12 file in the Certificate Management Password field.

4. Enter the path to the certificate file in the Please select a file to import field or click Browse to locate the certificate file, and then click Open to set the directory path to the certificate.

5. Click Import to import the certificate into the SonicWALL security appliance. Once it is imported, you can view the certificate entry in the Certificates and Certificate Requests table.

6. Moving your pointer over the Comment icon in the Details column displays the certificate details information.

Deleting a Certificate

You can delete a certificate if it has expired or if you decide not to use third party certificates for VPN authentication. To delete the certificate, do one of these:

• Click the Delete icon for the certificate in the Certificate table.

• Select the checkbox for the certificate and then click the Delete button at the bottom of the Certificate table.

You can delete all certificates by clicking the Delete All button at the bottom of the Certificate table.

Generating a Certificate Signing Request

Tip You should create a Certificate Policy to be used in conjunction with local certificates. A Certificate Policy determines the authentication requirements and the authority limits required for the validation of a certificate.

To generate a local certificate, follow these steps:

1. Click the New Signing Request button at the bottom of the Certificate table. The Certificate Signing Request window is displayed.

2. In the Generate Certificate Signing Request section, enter an alias name for the certificate in the Certificate Alias field.

3. Enter information for the certificate in the Request fields.

Note For each Request, you can select from a drop-down menu the type of information to enter. Select your country from the drop-down menu; for all other Requests, enter the information in the text field.

Request field (default) - selections available in its drop-down menu

Country - Country; State; Locality or County; Company or Organization

State - State; Locality, City, or County; Company or Organization; Department

Locality, City, or County - Locality, City, or County; Company or Organization; Department; Group; Team

Company or Organization - Company or Organization; Department; Group; Team; Common Name; Serial Number; E-Mail Address

Department - Department; Group; Team; Common Name; Serial Number; E-Mail Address

Group - Group; Team; Common Name; Serial Number; E-Mail Address

Team - Team; Common Name; Serial Number; E-Mail Address

Common Name - Common Name; Serial Number; E-Mail Address

As you enter information in the Request fields, the Distinguished Name (DN) is created in the Subject Distinguished Name field.

4. You can also enter an optional Subject Alternative Name to the certificate after selecting the type from the drop-down menu:

Domain Name

E-Mail Address

IPv4 Address

5. The Subject Key type is preset as an RSA algorithm. RSA is a public key cryptographic algorithm used for encrypting data.

6. Select a Subject Key size from the Subject Key Size drop-down menu:

1024 bits (default)

1536 bits

2048 bits

4096 bits

Note Not all key sizes are supported by a Certificate Authority; therefore, you should check with your CA for supported key sizes.

7. Click Generate to create a certificate signing request file.

Once the Certificate Signing Request is generated, a message describing the result is displayed in the Status area at the bottom of the browser window and a new entry appears in the Certificate table with the type Pending request.

8. Click the Export icon to download the file to your computer, then click Save to save it to a directory on your computer.

You have generated the Certificate Request that you can send to your Certificate Authority for validation.
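As an added example that is not part of the SonicOS documentation, the following POSIX shell script uses the OpenSSL command-line tool (assumed to be installed) to inspect a CSR such as the one exported in step 8 before it is sent to the CA: it verifies the request's self-signature, prints the Subject DN assembled from the Request fields together with any Subject Alternative Name, and rejects RSA keys shorter than a chosen minimum. The make_csr helper, file names and DN values are constructed sample data, not output from an appliance.

```shell
#!/bin/sh
# Added example, not from the SonicOS documentation. Assumes the OpenSSL
# command-line tool is installed. File names and DN values are constructed.

# check_csr FILE [MIN_BITS]: verify the request's self-signature, print the
# Subject DN and Subject Alternative Name, and fail when the RSA key is
# shorter than MIN_BITS (default 2048).
check_csr() {
    csr="$1"
    min_bits="${2:-2048}"

    # The CSR is signed with the private key whose public half it carries;
    # a failed verification means the file is corrupt or was altered.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || {
        echo "self-signature check FAILED for $csr"; return 1; }

    echo "Subject DN: $(openssl req -in "$csr" -noout -subject)"
    # Requested extensions, if any, hold the Subject Alternative Name.
    openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' || true

    # Extract the modulus size from the public key embedded in the request.
    bits=$(openssl req -in "$csr" -noout -pubkey \
           | openssl rsa -pubin -noout -text 2>/dev/null \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    echo "RSA key size: ${bits:-unknown} bits"
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || {
        echo "key shorter than $min_bits bits: reject"; return 1; }
}

# make_csr FILE BITS: build a throwaway key and request carrying the same
# kinds of Request fields and Subject Alternative Names the SonicOS form
# offers (Country, State, Locality, Organization, Department, Common Name,
# E-Mail Address; Domain Name, IPv4 Address and E-Mail Address SANs).
# Sample values are constructed.
make_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        -subj "/C=US/ST=California/L=Sunnyvale/O=Example Corp/OU=Network Ops/CN=vpn.example.com/emailAddress=admin@example.com" \
        -addext "subjectAltName=DNS:vpn.example.com,IP:192.0.2.10,email:admin@example.com" \
        >/dev/null 2>&1
}
```

Running check_csr against a request generated with the 1024 bits default from step 6 fails the size check, which is the point: public CAs have required RSA keys of at least 2048 bits for years, so select 2048 bits or larger before generating the request.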

Configuring Simple Certificate Enrollment Protocol

The Simple Certificate Enrollment Protocol (SCEP) is designed to support the secure issuance of certificates to network devices in a scalable manner. There are two enrollment scenarios for SCEP:

• SCEP server CA automatically issues certificates

• SCEP request is set to PENDING and the CA administrator manually issues the certificate.

More information about SCEP can be found at:

http://tools.ietf.org/html/draft-nourse-scep-18

Microsoft SCEP Implementation Whitepaper

To use SCEP to issue certificates, follow these steps:

1. Generate a signing request as described above in Generating a Certificate Signing Request.

2. Scroll to the bottom of the System > Certificates page and click the SCEP button. The SCEP Configuration window displays.

3. In the CSR List pull-down menu, the UI automatically selects a default CSR list; if you have multiple CSR lists configured, you can change this. Select the certificate to be configured.

4. In the CA URL field, enter the URL for the Certificate authority.

5. In the Challenge Password (optional) field, enter the password for the CA if one is required.

6. In the Request Count field, enter the number of requests. The default is 256.

7. In the Polling Interval (S) field, you can specify the time, in seconds, between polling messages. The default value is 30.

8. In the Max Polling Time (S) field, you can specify the time, in seconds, that the firewall waits for a response to a polling message before timing out. The default value is 28800.

9. Click the Scep button to submit the SCEP enrollment.

The firewall will then contact the CA to request the certificate. The duration of time this will take depends on whether the CA issues certificates automatically or manually. The Log View section of the Dashboard > Log Monitor page will display messages on the status of the SCEP enrollment and issuance of the certificate. After the certificate is issued, it will be displayed in the list of available certificates on the System > Certificates page.