?
Solved

SSL Cert for Sonicwall DPI-SSl

Posted on 2013-11-01
6
Medium Priority
?
3,351 Views
Last Modified: 2013-11-05
What class ssl cert can i use on my sonicwalls?  I just need my end users to not receive warnings accessing https with dpi-ssl turned on.  i dont know anything about ssl certs other than what i have read in the last hour.  i guess i just need a class 1 to secure a network, not a domain.  so say 192.168.9.0.  in that case, can i just get a really cheap ssl cert like from Rapidssl or even a free one from say Startcom?

also i have like 20 sonicwalls all within the same organization so i guess i need to purchase a different cert for each one?
0
Comment
Question by:Grolff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 39618682
Pls see this guide - specifically on

a) Client DPI-SSI (LAN client to WAN services)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ClientSSL_Snwls.html

- see below such that if the cert is trusted by client browser thenthe "prompt" should not be displayed..as untrusted..but if it really comes out, client can click always trust this, the dialog prompt will not come out (one time only)

"Selecting the Re-Signing Certificate Authority"
"Adding Trust to the Browser"
"Creating PKCS-12 Formatted Certificate File"

In other words, if you use diff resigning cert then you need to make sure that is in the user trusted ca store else prompt will appear. There is no user cert per se

Doubt you are looking at (b) but for info...

b) Server DPI-SSI (remote WAN client to LAN servers)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ServerSSL_Snwls.html

- this case, you will use the private server keys to put into the Sonicwall. There is more details in the PDF. In short, each server's key need to be provision in that appliance guarding the path for the remote user to the server resources..

overall doc for (a) and (b)
@ http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf


Coming back to the certificate, good to see this

http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_System_Certificates_Snwls.html#1018510

pertaining to the class of cert, they are simply below. E.g. the sslhopper wizard helps in specific to web server authentication certificates...

http://www.sslshopper.com/ssl-certificate-wizard.html

- Class 1 (Domain validated, free): More for your domain name in the certificate (not your business or organization name), kind of like "self-signed". They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers/client.

- Class 2 (Identity validated): take a while longer as your identity is validated before issuing this cert. Thereafter, you can get as many certificates as you need for different domains and you can even get wildcard certificates. This also includes organization validated certificates.

There is a EVL cert with higher assurance as compared to above too. Probably as you see in the Sonicwall guide, even openssl suffice, best if for organisation outfacing have your own enterprise issued cert else go for class 2 on public organisation server (for customer assurance..). As long as it is x509v3 cert as baseline, the class just to give that extra assurance...(Class 1 can be susceptible though)

http://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates
0
 
LVL 1

Author Comment

by:Grolff
ID: 39621906
"if the cert is trusted by client browser then the "prompt" should not be displayed"

so what type of cert do i need to load into the sonicwall so my users don't get messages? and i don't have to load a cert into browsers on 300 computers?  if the browser see its  signed cert then it shouldn't throw an error, no?

i guess just a class 1 for the subnet my sonicwall is on, 192.168.9.0?
0
 
LVL 64

Expert Comment

by:btan
ID: 39622984
Prompt does not come up as long as the trust root cert is inside the sonicwall. You can see the trusted root cert thru the certmgr or in Internet Explorer go to: Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab. So just need to see which trusted root is defualt in client and go for such 3rd party cert ...
https://www.globalsign.com/support/servers/sonicwall.php

Actually class 1 should be fine for private subnet
0
Bringing Advanced Authentication to the SMB Market

WatchGuard announces the acquisition of advanced authentication provider, Datablink, with one mission – to bring secure authentication to SMB, mid-market, and distributed enterprises with a cloud-based solution, ideal for resale via their established channel & MSSP community.

 
LVL 1

Author Comment

by:Grolff
ID: 39624134
i purchased a class 1 from godaddy for my private domain.  (domain.local)  godaddy will not issue for ip addresses.  also they told me as of november, 2015 no one will be doing them for ip addresses or private domains.

thank you for all your help.
0
 
LVL 1

Author Closing Comment

by:Grolff
ID: 39624138
Very thorough answers.  thank you.
0
 
LVL 64

Expert Comment

by:btan
ID: 39624217
thanks for sharing
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question