Solved

SSL Cert for SonicWall DPI-SSL

Posted on 2013-11-01
3,091 Views
Last Modified: 2013-11-05
What class of SSL cert can I use on my SonicWalls? I just need my end users to not receive warnings when accessing HTTPS sites with DPI-SSL turned on. I don't know anything about SSL certs other than what I have read in the last hour. I guess I just need a class 1 to secure a network, not a domain, so say 192.168.9.0. In that case, can I just get a really cheap SSL cert, like from RapidSSL, or even a free one from, say, StartCom?

Also, I have about 20 SonicWalls, all within the same organization, so I guess I need to purchase a different cert for each one?
0
Question by:Grolff
6 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39618682
Please see this guide, specifically on

a) Client DPI-SSL (LAN client to WAN services)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ClientSSL_Snwls.html

- see below: if the cert is trusted by the client browser then the "prompt" should not be displayed as untrusted. But if it really does come up, the client can click "always trust this" and the dialog prompt will not come up again (one time only).

"Selecting the Re-Signing Certificate Authority"
"Adding Trust to the Browser"
"Creating PKCS-12 Formatted Certificate File"

In other words, if you use a different re-signing cert then you need to make sure that it is in the user's trusted CA store, else the prompt will appear. There is no user cert per se.

I doubt you are looking at (b), but for info...

b) Server DPI-SSL (remote WAN client to LAN servers)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ServerSSL_Snwls.html

- in this case, you put the servers' private keys into the SonicWall. There are more details in the PDF. In short, each server's key needs to be provisioned in the appliance guarding the path from the remote user to the server resources.

Overall doc for (a) and (b)
@ http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf


Coming back to the certificate, it is good to see this:

http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_System_Certificates_Snwls.html#1018510

Pertaining to the class of cert, they are simply as below. E.g. the SSL Shopper wizard helps specifically with web server authentication certificates...

http://www.sslshopper.com/ssl-certificate-wizard.html

- Class 1 (Domain validated, free): more for your domain name in the certificate (not your business or organization name), kind of like "self-signed". They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers/clients.

- Class 2 (Identity validated): takes a while longer, as your identity is validated before this cert is issued. Thereafter, you can get as many certificates as you need for different domains, and you can even get wildcard certificates. This also includes organization-validated certificates.

There is an EV cert with higher assurance compared to the above too. Probably, as you see in the SonicWall guide, even OpenSSL suffices; for an organisation's outward-facing servers it is best to have your own enterprise-issued cert, else go for class 2 on a public organisation server (for customer assurance). As long as it is an X.509v3 cert as the baseline, the class just gives that extra assurance... (Class 1 can be susceptible though.)

http://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates
0
 
LVL 1

Author Comment

by:Grolff
ID: 39621906
"if the cert is trusted by the client browser then the "prompt" should not be displayed"

So what type of cert do I need to load into the SonicWall so my users don't get messages, and I don't have to load a cert into browsers on 300 computers? If the browser sees its signed cert then it shouldn't throw an error, no?

I guess just a class 1 for the subnet my SonicWall is on, 192.168.9.0?
0
 
LVL 62

Expert Comment

by:btan
ID: 39622984
The prompt does not come up as long as the trusted root cert is inside the SonicWall. You can see the trusted root certs through certmgr, or in Internet Explorer go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab. So you just need to see which trusted roots are default in the client and go for such a 3rd-party cert...
https://www.globalsign.com/support/servers/sonicwall.php

Actually, class 1 should be fine for a private subnet.
0
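The accepted answer's three steps (select the re-signing CA, add trust to the browser, export the CA as a PKCS#12 file) and the trust-store check in the comment above, replayed offline with plain OpenSSL. This is an added example, not part of the thread and not SonicWall's own tooling or the GlobalSign guide's procedure. It builds a re-signing CA, mints a site certificate with it the way DPI-SSL client inspection does for every intercepted HTTPS site, and then runs the same chain check a browser performs: once with the CA in the trusted set (no warning), once without it (the warning the end users see), and once more with the leaf signed by a stand-in for a purchased server certificate, whose CA:FALSE basic constraint makes any chain through it invalid even when that certificate itself is trusted. That last case is why a class 1, 2 or EV server certificate from a public CA cannot be the re-signing cert: public CAs do not sell certificates with CA:TRUE to customers, so the CA has to be one you create (or your enterprise PKI issues) and then push to every client. All file names, subjects, the `changeit` password and the `$WORK` directory are made up for the demo.

```shell
#!/bin/sh
# Added example, not SonicWall's tooling or the poster's procedure: it replays
# with plain OpenSSL what DPI-SSL client inspection does to a site certificate,
# so the trust-store requirement can be checked offline. Every file name,
# subject and password below is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config for CSRs; the real subject is always passed with -subj.
write_req_cnf() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
    > "$WORK/req.cnf"
}

# 1. The re-signing CA: self-signed, CA:TRUE, allowed to sign certificates.
#    The appliance signs every intercepted site certificate with this key; the
#    PKCS#12 bundle (cert + key) is the form in which the CA is imported into it.
make_resigning_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Corp DPI-SSL Re-signing CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" \
    -out "$WORK/ca.p12" -passout pass:changeit
}

# 2. A stand-in for a purchased server certificate: self-signed here, but with
#    the CA:FALSE constraint a public CA puts on certificates sold to customers.
make_server_cert() {
  cat > "$WORK/srv.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = srv_ext
prompt = no
[dn]
CN = firewall.example.com
[srv_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/srv.cnf" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.crt" 2>/dev/null
}

# 3. What the proxy does per site: a fresh key and CSR for the site name, signed
#    by whatever signer it was given.  $1=hostname $2=signer cert $3=signer key
#    $4=output path prefix
resign_site_cert() {
  write_req_cnf
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$1" \
    -keyout "$4.key" -out "$4.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$1" > "$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
    -extfile "$4.ext" -out "$4.crt" 2>/dev/null
}

# 4. What the browser does: chain the presented cert to a trusted root.
#    $1=leaf cert  $2=file of trusted roots, or "" for "not in the store".
#    The system store is disabled so that only $2 counts as trusted.
chain_verifies() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

issuer_of() { openssl x509 -in "$1" -noout -issuer; }

demo() {
  make_resigning_ca
  make_server_cert
  resign_site_cert www.example.com "$WORK/ca.crt"  "$WORK/ca.key"  "$WORK/site_ok"
  resign_site_cert www.example.com "$WORK/srv.crt" "$WORK/srv.key" "$WORK/site_bad"
  echo "client sees: $(issuer_of "$WORK/site_ok.crt")"
  chain_verifies "$WORK/site_ok.crt" "$WORK/ca.crt" &&
    echo "re-signing CA in trust store      : no browser warning"
  chain_verifies "$WORK/site_ok.crt" "" ||
    echo "re-signing CA missing from store  : browser warns"
  chain_verifies "$WORK/site_bad.crt" "$WORK/srv.crt" ||
    echo "signed with a CA:FALSE server cert: rejected even though that cert is trusted"
  echo "artifacts in $WORK (import ca.p12 into the firewall, ca.crt into clients)"
}

demo
```

Run it with `sh` on any box that has the `openssl` command. For the 300 machines in the thread, the file that has to reach them is `ca.crt` (the public certificate only, never `ca.p12`, which carries the private key); on a Windows domain that is a Group Policy entry under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, or `certutil -addstore Root ca.crt` per machine, and the same CA can be imported into all 20 appliances so one distribution covers them. Browsers that keep their own store (Firefox by default) need the CA added separately.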

 
LVL 1

Author Comment

by:Grolff
ID: 39624134
I purchased a class 1 from GoDaddy for my private domain (domain.local). GoDaddy will not issue for IP addresses. Also, they told me that as of November 2015 no one will be issuing them for IP addresses or private domains.

Thank you for all your help.
0
 
LVL 1

Author Closing Comment

by:Grolff
ID: 39624138
Very thorough answers. Thank you.
0
 
LVL 62

Expert Comment

by:btan
ID: 39624217
Thanks for sharing.
0
