Chained Certificates
All SonicWALL SSL Offloaders support chained
certificates. The certificate bundle is unzipped into its separate
certificates before importing into the SonicWALL SSL Offloader, and
the certificates are then imported using the chained certificate
commands. The bundle contains a root certificate and an intermediate
certificate in addition to the CA-issued server certificate.
EXAMPLE - Instructions for using OpenSSL
Now that you have received the certificate,
you will need to separate the certificates into the root,
intermediate and server certificates so that you can enter
them into the SonicWALL SSL Offloader.
Start by unzipping the 3 certificates; you
will only need the ComodoSecurityServicesCA.crt and domain.crt
certificates.
Launch openssl.exe. This application was
installed at the same time and in the same location as the
SonicWALL configuration manager. You can also run the install
and just install OpenSSL by choosing the 'Custom Installation'
option.
Once launched, open the ComodoSecurityServicesCA.crt
and domain.crt certificates in a text editor.
You will need to copy and paste the entire
text including
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
The domain.crt certificate is the server
certificate.
The ComodoSecurityServicesCA.crt is the intermediary certificate.
Save these files (e.g. C:\server.pem and
C:\inter.pem)
Verify the certificate information with
openssl:
OpenSSL> x509 -in C:\server.pem -text
(and)
OpenSSL> x509 -in C:\inter.pem -text
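The copy-and-paste step above is where chains most often break: a missing END line, stray characters, or a CA bundle delivered as a single file. The following Python script is added here and is not part of the original article or of SonicWALL's tooling; it splits a pasted bundle into stand-alone PEM certificates, checks that every block has paired markers and decodes to DER, and prints a SHA-256 fingerprint you can compare against the openssl x509 output. The sample bundle is constructed from minimal DER SEQUENCEs and is not a real certificate.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def split_pem_bundle(text):
    """Return a list of (pem_text, der_bytes), one per complete certificate block.

    Raises ValueError when a block is not valid base64/DER or when the BEGIN
    and END markers do not pair up (the usual symptom of a truncated paste).
    """
    certs = []
    for match in _BLOCK.finditer(text):
        body = "".join(match.group(1).split())       # drop line breaks and spaces
        der = base64.b64decode(body, validate=True)  # rejects stray characters
        if not der or der[0] != 0x30:                # DER cert starts with SEQUENCE
            raise ValueError("block does not decode to a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]  # re-wrap at 64 cols
        certs.append(("\n".join([BEGIN, *lines, END]) + "\n", der))
    if len(certs) != text.count(BEGIN) or len(certs) != text.count(END):
        raise ValueError("unpaired BEGIN/END markers: a block was cut short when pasting")
    return certs


def is_well_formed(text):
    """True if the pasted text splits cleanly into complete certificate blocks."""
    try:
        split_pem_bundle(text)
        return True
    except ValueError:
        return False


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, same layout as openssl x509 -fingerprint -sha256."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


# Constructed sample data: NOT real certificates, just minimal DER SEQUENCEs so
# the example runs offline. In practice, read the text you pasted from the CA files.
_FAKE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
SAMPLE_BUNDLE = "".join(f"{BEGIN}\n{base64.b64encode(d).decode()}\n{END}\n" for d in _FAKE_DER)

if __name__ == "__main__":
    for n, (pem, der) in enumerate(split_pem_bundle(SAMPLE_BUNDLE), 1):
        print(f"certificate {n}: SHA256 {sha256_fingerprint(der)}")
        print(pem)
```

Write each returned pem_text to its own file (for example C:\server.pem and C:\inter.pem) and compare the printed fingerprint with the one openssl reports for that file before loading it into the offloader.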
EXAMPLE - Setting Up the Chained Certificates
Now that you have the proper certificates,
you start by loading the certificates into certificate objects.
These separate certificate objects are then loaded into a
certificate group. This example demonstrates how to load two
certificates into individual certificate objects, create a
certificate group, and enable the use of the group as a certificate
chain. The name of the Transaction Security device is myDevice.
The name of the secure logical server is server1. The name
of the PEM-encoded, CA-generated server certificate is server.pem;
the name of the PEM-encoded intermediate certificate is inter.pem. The
names of the recognized and local certificate objects are
trustedCert and myCert, respectively. The name of the certificate
group is CACertGroup.
Start the configuration manager as described
in the manual.
Attach the configuration manager and enter
Configuration mode. (If an attach or configuration-level password
is assigned to the device, you are prompted to enter the passwords.)
inxcfg> attach myDevice
inxcfg> configure myDevice
(config[myDevice])>
Enter SSL Configuration mode and create
a certificate object named myCert for the intermediary certificate,
entering Certificate Configuration mode. Load the PEM-encoded file
into the certificate object, and return to SSL Configuration mode.
(config[myDevice])> ssl
(config-ssl[myDevice])> cert myCert create
(config-ssl-cert[myCert])> pem inter.pem
(config-ssl-cert[myCert])> end
(config-ssl[myDevice])>
Enter Key Association Configuration mode,
load the PEM-encoded CA certificate and private key files,
and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem server.pem key.pem
(config-ssl-keyassoc[localKeyAssoc])> end
(config-ssl[myDevice])>
Enter Certificate Group Configuration mode,
create the certificate group CACertGroup, load the certificate
object myCert, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert myCert
(config-ssl-certgroup[CACertGroup])> end
(config-ssl[myDevice])>
Enter Server Configuration mode, create
the logical secure server server1, assign an IP address, SSL
and clear text ports, a security policy myPol, the certificate
group CACertGroup and the key association localKeyAssoc, and exit
to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
(config-ssl-server[server1])> end
(config-ssl[myDevice])> end
(config[myDevice])> end
inxcfg>
Save the configuration to flash memory.
If it is not saved, the configuration is lost during a power
cycle or if the reload command is used.
inxcfg> write flash myDevice
inxcfg>