Chained Certificates

All SonicWALL SSL Offloaders support chained certificates. Once the certificate bundle has been unzipped into its separate certificates, they must be imported into the SonicWALL SSL Offloader using the chained certificate commands. The bundle contains a root certificate and an intermediate certificate in addition to the server certificate issued by the CA.
EXAMPLE - Instructions for using OpenSSL

Now that you have received the certificate, you will need to split the certificates into the root, intermediate and server certificates so that you can enter them into the SonicWALL SSL Offloader.

Start by unzipping the 3 certificates; you will only need the ComodoSecurityServicesCA.crt and domain.crt certificates.
Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the installer and install only OpenSSL by choosing the 'Custom Installation' option.
Once launched, open the ComodoSecurityServicesCA.crt and domain.crt certificates in a text editor. You will need to copy and paste the entire text, including the
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
lines. The domain.crt certificate is the server certificate. The ComodoSecurityServicesCA.crt is the intermediary certificate.
Save these files (e.g. C:\server.pem and C:\inter.pem).

Verify the certificate information with openssl, entering the following at the OpenSSL prompt:
x509 -in C:\server.pem -text
(and)
x509 -in C:\inter.pem -text
EXAMPLE - Setting Up the Chained Certificates

Now that you have the proper certificates, you start by loading them into certificate objects. These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA-generated server certificate is server.pem; the name of the PEM-encoded intermediate certificate is inter.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.
Start the configuration manager as described in the manual.

Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter any passwords.)
inxcfg> attach myDevice
inxcfg> configure myDevice
(config[myDevice])>
Enter SSL Configuration mode and create an intermediary certificate named CACert, entering Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.
(config[myDevice])> ssl
(config-ssl[myDevice])> cert myCert create
(config-ssl-cert[CACert])> pem inter.pem
(config-ssl-cert[CACert])> end
(config-ssl[myDevice])>
Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem server.pem key.pem
(config-ssl-keyassoc[localKeyAssoc])> end
(config-ssl[myDevice])>
Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert myCert
(config-ssl-certgroup[CACertGroup])> end
(config-ssl[myDevice])>
Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, a security policy myPol, the certificate group CACertGroup and the key association localKeyAssoc, and exit to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
(config-ssl-server[server1])> end
(config-ssl[myDevice])> end
(config[myDevice])> end
inxcfg>
Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice
inxcfg>
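The following POSIX shell script is an added example and is not part of the SonicWALL article or the vendor's tooling. It builds a throwaway root, intermediate and server chain with openssl (the names demo-root, demo-inter and demo.example are constructed), splits a concatenated PEM bundle into one file per certificate the way the copy-and-paste step in the OpenSSL instructions above does, and runs the checks worth doing before the pem and keyassoc commands in the chained-certificate example: that the server certificate names the intermediate as its issuer, that the private key belongs to the server certificate, and that the chain only validates when the intermediate is supplied. It assumes openssl, awk and mktemp on the PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SonicWALL article. Builds a constructed
# root -> intermediate -> server chain, splits a PEM bundle and checks the
# links before the certificates are loaded into the offloader.
# Assumes openssl (1.0.2 or later), POSIX sh, awk and mktemp.
set -eu

# make_demo_chain DIR: constructed demo names, 2-day lifetime, RSA-2048 keys.
make_demo_chain() {
  d=$1
  # self-signed root CA (signed via x509 -req so no system config is consulted)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-root" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/root.ext"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/root.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate CA, signed by the root, not allowed to issue further CAs
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-inter" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/inter.ext"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/inter.ext" -out "$d/inter.pem" 2>/dev/null
  # server (leaf) certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -extfile "$d/server.ext" -out "$d/server.pem" 2>/dev/null
}

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ...
# keeping only the BEGIN..END lines, which is exactly what the article says to paste.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v out="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
    f != ""                        { print > (f) }
    /^-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 if none)
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# chain_links ISSUER_CERT LEAF_CERT: true when LEAF names ISSUER as its issuer
chain_links() { [ "$(issuer_of "$2")" = "$(subject_of "$1")" ]; }

# key_matches_cert CERT KEY: true when the private key belongs to CERT
# (compares the public key carried in the certificate with the one derived from the key)
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# verify_chain ROOT LEAF [INTERMEDIATE]: full path validation, as a client performs it
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
make_demo_chain "$WORK"
# A CA usually ships the intermediate and the leaf together; split them apart.
cat "$WORK/inter.pem" "$WORK/server.pem" > "$WORK/bundle.pem"
split_pem_bundle "$WORK/bundle.pem" "$WORK/split"
echo "certificates in bundle: $(count_certs "$WORK/bundle.pem")"
chain_links "$WORK/inter.pem" "$WORK/server.pem" && echo "server.pem is issued by inter.pem"
key_matches_cert "$WORK/server.pem" "$WORK/server.key" && echo "server.key matches server.pem"
verify_chain "$WORK/root.pem" "$WORK/server.pem" "$WORK/inter.pem" && echo "chain verifies with the intermediate"
if verify_chain "$WORK/root.pem" "$WORK/server.pem"; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "without the intermediate the leaf does not verify (what a client sees if it is not served)"
fi
```

The verify call that omits -untrusted is the useful negative check: it reproduces what a client sees when the offloader serves only the server certificate, which is the symptom to expect if the certificate group was never attached to the server with certgroup chain. The key check catches the other common import mistake, pairing server.pem with a key.pem that belongs to a different certificate.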
Resources

Additional documents and technical notes on SonicWALL SSL can be found online at http://www.sonicwall.com/support/ssl_documentation.html