System > Certificates

This section provides an overview of the System > Certificates page and a description of the configuration tasks available on this page.

System > Certificates Overview

Certificate Management

Generating a Certificate Signing Request

Viewing and Editing Certificate Information

Importing a Certificate

Adding Additional CA Certificates

System > Certificates Overview

The System > Certificates page allows the administrator to import server certificates and additional CA (Certificate Authority) certificates.

Server Certificates

The Server Certificates section allows the administrator to import and configure a server certificate, and to generate a CSR (certificate signing request).

A server certificate is used to verify the identity of the SRA appliance. The appliance presents its server certificate to the user’s browser when the user accesses the login page. Each server certificate contains the name of the server to which it belongs.

There is always one self-signed certificate (self-signed means that it is generated by the SRA appliance, not by a real CA), and there may be multiple certificates imported by the administrator. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?”.
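The following added example (not SonicWall code, and not part of the original documentation) checks whether the certificate associated with each portal actually covers that portal's hostname, which is the condition behind the mismatch warning described above. The portal hostnames are the ones used in the text; the certificate name lists and the function names are assumptions made for illustration.

```python
# Added example: checks portal hostnames against the DNS names in the
# certificate assigned to each portal. Certificate name lists are constructed.

def name_matches(hostname: str, cert_name: str) -> bool:
    """Compare a hostname with one certificate DNS name, RFC 6125 style.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, which is how browsers evaluate it.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if pattern[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    # A "*" in any other position is compared literally and never matches.
    return host == pattern


def mismatched_portals(portal_certs: dict) -> list:
    """Return the portal hostnames not covered by their assigned certificate."""
    return sorted(
        portal
        for portal, cert_names in portal_certs.items()
        if not any(name_matches(portal, name) for name in cert_names)
    )


SSLVPN = "sslvpn.test.sonicwall.com"
VASSIST = "virtualassist.test.sonicwall.com"

# Constructed scenarios: portal hostname -> DNS names in its certificate.
SHARED_CERT = {SSLVPN: [SSLVPN], VASSIST: [SSLVPN]}        # one cert reused
PER_PORTAL = {SSLVPN: [SSLVPN], VASSIST: [VASSIST]}        # one cert each
WILDCARD = {p: ["*.test.sonicwall.com"] for p in (SSLVPN, VASSIST)}
TOO_BROAD = {p: ["*.sonicwall.com"] for p in (SSLVPN, VASSIST)}

if __name__ == "__main__":
    for label, scenario in [("shared", SHARED_CERT), ("per-portal", PER_PORTAL),
                            ("wildcard", WILDCARD), ("too broad", TOO_BROAD)]:
        print(f"{label}: mismatch on {mismatched_portals(scenario) or 'none'}")
```

The last scenario shows that a wildcard covers a single label only, so a certificate for *.sonicwall.com does not cover either portal name under test.sonicwall.com.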

A CSR is a certificate signing request. When preparing to get a certificate from a CA, you first generate a CSR with the details of the certificate. Then the CSR is sent to the CA with any required fees, and the CA sends back a valid signed certificate.

Additional CA Certificates

The Additional CA Certificates section allows the administrator to import additional certificates from a Certificate Authority server, either inside or outside of the local network. The certificates are in PEM-encoded format and are used with chained certificates, for example, when the issuing CA uses an intermediate (chained) signing certificate.

The imported additional certificates only take effect after restarting the SRA appliance.

Certificate Management

The SRA appliance comes with a pre-installed self-signed X.509 certificate for SSL functions. A self-signed certificate provides all the same functions as a certificate obtained through a well-known certificate authority (CA), but will present an “untrusted root CA certificate” security warning to users until the self-signed certificate is imported into their trusted root store. This import procedure can be performed by the user by clicking the Import Certificate button within the portal after authenticating.

The alternative to using the self-signed certificate is to generate a certificate signing request (CSR) and to submit it to a well-known CA for valid certificate issuance. Well-known CAs include RapidSSL (www.rapidssl.com), Verisign (www.verisign.com), and Thawte (www.thawte.com).

Note: Beginning in SRA 6.0, Virtual Assist verifies the server certificate, which provides a safer environment for the appliance. If the certificate is not issued by an authorized organization, an alert message is displayed to notify the user of the risk. The user can view detailed information about the server certificate and choose to continue or end the connection.