[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

SSL Cert for Sonicwall DPI-SSl

Posted on 2013-11-01
6
Medium Priority
?
3,449 Views
Last Modified: 2013-11-05
What class ssl cert can i use on my sonicwalls?  I just need my end users to not receive warnings accessing https with dpi-ssl turned on.  i dont know anything about ssl certs other than what i have read in the last hour.  i guess i just need a class 1 to secure a network, not a domain.  so say 192.168.9.0.  in that case, can i just get a really cheap ssl cert like from Rapidssl or even a free one from say Startcom?

also i have like 20 sonicwalls all within the same organization so i guess i need to purchase a different cert for each one?
0
Comment
Question by:Grolff
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39618682
Pls see this guide - specifically on

a) Client DPI-SSI (LAN client to WAN services)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ClientSSL_Snwls.html

- see below such that if the cert is trusted by client browser thenthe "prompt" should not be displayed..as untrusted..but if it really comes out, client can click always trust this, the dialog prompt will not come out (one time only)

"Selecting the Re-Signing Certificate Authority"
"Adding Trust to the Browser"
"Creating PKCS-12 Formatted Certificate File"

In other words, if you use diff resigning cert then you need to make sure that is in the user trusted ca store else prompt will appear. There is no user cert per se

Doubt you are looking at (b) but for info...

b) Server DPI-SSI (remote WAN client to LAN servers)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ServerSSL_Snwls.html

- this case, you will use the private server keys to put into the Sonicwall. There is more details in the PDF. In short, each server's key need to be provision in that appliance guarding the path for the remote user to the server resources..

overall doc for (a) and (b)
@ http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf


Coming back to the certificate, good to see this

http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_System_Certificates_Snwls.html#1018510

pertaining to the class of cert, they are simply below. E.g. the sslhopper wizard helps in specific to web server authentication certificates...

http://www.sslshopper.com/ssl-certificate-wizard.html

- Class 1 (Domain validated, free): More for your domain name in the certificate (not your business or organization name), kind of like "self-signed". They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers/client.

- Class 2 (Identity validated): take a while longer as your identity is validated before issuing this cert. Thereafter, you can get as many certificates as you need for different domains and you can even get wildcard certificates. This also includes organization validated certificates.

There is a EVL cert with higher assurance as compared to above too. Probably as you see in the Sonicwall guide, even openssl suffice, best if for organisation outfacing have your own enterprise issued cert else go for class 2 on public organisation server (for customer assurance..). As long as it is x509v3 cert as baseline, the class just to give that extra assurance...(Class 1 can be susceptible though)

http://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates
0
 
LVL 1

Author Comment

by:Grolff
ID: 39621906
"if the cert is trusted by client browser then the "prompt" should not be displayed"

so what type of cert do i need to load into the sonicwall so my users don't get messages? and i don't have to load a cert into browsers on 300 computers?  if the browser see its  signed cert then it shouldn't throw an error, no?

i guess just a class 1 for the subnet my sonicwall is on, 192.168.9.0?
0
 
LVL 65

Expert Comment

by:btan
ID: 39622984
Prompt does not come up as long as the trust root cert is inside the sonicwall. You can see the trusted root cert thru the certmgr or in Internet Explorer go to: Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab. So just need to see which trusted root is defualt in client and go for such 3rd party cert ...
https://www.globalsign.com/support/servers/sonicwall.php

Actually class 1 should be fine for private subnet
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 1

Author Comment

by:Grolff
ID: 39624134
i purchased a class 1 from godaddy for my private domain.  (domain.local)  godaddy will not issue for ip addresses.  also they told me as of november, 2015 no one will be doing them for ip addresses or private domains.

thank you for all your help.
0
 
LVL 1

Author Closing Comment

by:Grolff
ID: 39624138
Very thorough answers.  thank you.
0
 
LVL 65

Expert Comment

by:btan
ID: 39624217
thanks for sharing
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We sought a budget ($5,000) firewall solution that would provide all the performance we needed with no single point of failure.  Hosting a SAAS web application in our datacenter, it was critical that we find a way to keep connectivity up and inbound…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question