Solved

SSL Cert for Sonicwall DPI-SSl

Posted on 2013-11-01
Last Modified: 2013-11-05
What class SSL cert can I use on my SonicWalls? I just need my end users to not receive warnings accessing HTTPS with DPI-SSL turned on. I don't know anything about SSL certs other than what I have read in the last hour. I guess I just need a class 1 to secure a network, not a domain, so say 192.168.9.0. In that case, can I just get a really cheap SSL cert, like from RapidSSL, or even a free one from, say, StartCom?

Also, I have like 20 SonicWalls all within the same organization, so I guess I need to purchase a different cert for each one?
Question by: Grolff
 
Accepted Solution by: btan (LVL 63, earned 500 total points)
ID: 39618682
Please see this guide, specifically on

a) Client DPI-SSL (LAN client to WAN services)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ClientSSL_Snwls.html

- see below, such that if the cert is trusted by the client browser then the "prompt" should not be displayed as untrusted; but if it really does come out, the client can click "always trust this" and the dialog prompt will not come out again (one time only)

"Selecting the Re-Signing Certificate Authority"
"Adding Trust to the Browser"
"Creating PKCS-12 Formatted Certificate File"

In other words, if you use a different re-signing cert then you need to make sure that it is in the user's trusted CA store, else the prompt will appear. There is no user cert per se.

I doubt you are looking at (b), but for info...

b) Server DPI-SSL (remote WAN client to LAN servers)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ServerSSL_Snwls.html

- In this case, you will put the private server keys into the SonicWall. There are more details in the PDF. In short, each server's key needs to be provisioned in the appliance guarding the path from the remote user to the server resources.

Overall doc for (a) and (b)
@ http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf

Coming back to the certificate, it is good to see this

http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_System_Certificates_Snwls.html#1018510

Pertaining to the class of cert, they are simply as below. E.g. the SSL Shopper wizard helps specifically with web server authentication certificates...

http://www.sslshopper.com/ssl-certificate-wizard.html

- Class 1 (domain validated, free): more for your domain name in the certificate (not your business or organization name), kind of like "self-signed". They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers/clients.

- Class 2 (identity validated): takes a while longer, as your identity is validated before this cert is issued. Thereafter, you can get as many certificates as you need for different domains, and you can even get wildcard certificates. This also includes organization validated certificates.

There is an EV cert with higher assurance compared to the above too. Probably, as you see in the SonicWall guide, even OpenSSL suffices; best if, for organisation outward-facing use, you have your own enterprise-issued cert, else go for class 2 on a public organisation server (for customer assurance). As long as it is an X.509v3 cert as a baseline, the class is just to give that extra assurance... (Class 1 can be susceptible though)

http://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates
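The re-signing mechanism btan's answer points to, reproduced with openssl as an added example (this is not code from the thread, from SonicWall's documentation or from the appliance itself). A locally generated CA stands in for the DPI-SSL re-signing certificate, a leaf is minted for an origin host the way the appliance does per intercepted connection, and the leaf is then verified against a trust store that contains the re-signing CA and against one that does not. The CA name "Example DPI-SSL Root CA", the second CA "Some Other Public Root", the host www.example.com and the PKCS#12 password are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: model DPI-SSL client re-signing with openssl and check
# which trust store makes the browser warning go away. All names below are
# placeholders; nothing here talks to a real SonicWall.
set -e

WORK="${DPISSL_WORK:-$(mktemp -d)}"

# Self-signed CA certificate with CA:TRUE, i.e. something that can sign
# leaf certificates. For the appliance this is the re-signing CA.
make_ca() {  # $1 = common name, $2 = output basename
    cat > "$WORK/$2.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$2.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.pem" \
        >/dev/null 2>&1
}

# What the firewall does for each intercepted HTTPS connection: mint a
# server certificate for the origin host, signed by the re-signing CA ($1).
resign_leaf() {  # $1 = CA basename, $2 = host name, $3 = output basename
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' \
        "$2" > "$WORK/$3.ext"
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$3.ext" \
        -out "$WORK/$3.pem" >/dev/null 2>&1
}

# The client-side decision behind the warning: exit 0 if the leaf ($2)
# chains to a CA in the trust-store file ($1), non-zero otherwise. Default
# system stores are switched off so only the given file counts.
leaf_trusted_by() {  # $1 = trust-store basename, $2 = leaf basename
    openssl verify -no-CApath -no-CAfile -CAfile "$WORK/$1.pem" \
        "$WORK/$2.pem" >/dev/null 2>&1
}

# Package the CA certificate alone (no private key) for distribution to
# clients; the signing key never leaves the appliance.
export_ca_p12() {  # $1 = CA basename, $2 = password
    openssl pkcs12 -export -nokeys -in "$WORK/$1.pem" \
        -out "$WORK/$1.p12" -passout "pass:$2" >/dev/null 2>&1
}

make_ca "Example DPI-SSL Root CA" dpissl_ca   # the CA loaded into the SonicWall
make_ca "Some Other Public Root" other_ca     # stands in for a browser's default roots
resign_leaf dpissl_ca www.example.com leaf     # the certificate the browser actually sees
export_ca_p12 dpissl_ca changeit

if leaf_trusted_by dpissl_ca leaf; then
    echo "re-signing CA in trust store: chain verifies, no warning"
fi
if ! leaf_trusted_by other_ca leaf; then
    echo "re-signing CA absent from trust store: chain fails, browser warns"
fi
```

The second check is the situation on a PC where the re-signing CA was never installed: the chain fails and the warning appears, whatever the appliance's own certificate cost or who issued it, because the browser is validating the leaf the firewall minted, not a certificate for the firewall. What removes the warning is getting the CA certificate (the `dpissl_ca.p12` export, without the key) into each client's trusted root store; on a Windows fleet that is a Group Policy distribution rather than a per-browser click. Nothing in the script ties the CA to one appliance, so the same CA key pair can be imported into every firewall and clients need only one root.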
 
Author Comment by: Grolff (LVL 1)
ID: 39621906
"if the cert is trusted by client browser then the "prompt" should not be displayed"

So what type of cert do I need to load into the SonicWall so my users don't get messages, and I don't have to load a cert into browsers on 300 computers? If the browser sees its signed cert then it shouldn't throw an error, no?

I guess just a class 1 for the subnet my SonicWall is on, 192.168.9.0?
 
Expert Comment by: btan (LVL 63)
ID: 39622984
The prompt does not come up as long as the trusted root cert is inside the SonicWall. You can see the trusted root certs through certmgr, or in Internet Explorer go to: Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab. So you just need to see which trusted roots are default in the client and go for such a 3rd-party cert...
https://www.globalsign.com/support/servers/sonicwall.php

Actually, class 1 should be fine for a private subnet.
 
Author Comment by: Grolff (LVL 1)
ID: 39624134
I purchased a class 1 from GoDaddy for my private domain (domain.local). GoDaddy will not issue for IP addresses. Also, they told me that as of November 2015 no one will be doing them for IP addresses or private domains.

Thank you for all your help.
 
Author Closing Comment by: Grolff (LVL 1)
ID: 39624138
Very thorough answers. Thank you.
 
Expert Comment by: btan (LVL 63)
ID: 39624217
Thanks for sharing.