SSL Cert for Sonicwall DPI-SSl

What class ssl cert can i use on my sonicwalls?  I just need my end users to not receive warnings accessing https with dpi-ssl turned on.  i dont know anything about ssl certs other than what i have read in the last hour.  i guess i just need a class 1 to secure a network, not a domain.  so say 192.168.9.0.  in that case, can i just get a really cheap ssl cert like from Rapidssl or even a free one from say Startcom?

also i have like 20 sonicwalls all within the same organization so i guess i need to purchase a different cert for each one?
LVL 1
GrolffAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
Pls see this guide - specifically on

a) Client DPI-SSI (LAN client to WAN services)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ClientSSL_Snwls.html

- see below such that if the cert is trusted by client browser thenthe "prompt" should not be displayed..as untrusted..but if it really comes out, client can click always trust this, the dialog prompt will not come out (one time only)

"Selecting the Re-Signing Certificate Authority"
"Adding Trust to the Browser"
"Creating PKCS-12 Formatted Certificate File"

In other words, if you use diff resigning cert then you need to make sure that is in the user trusted ca store else prompt will appear. There is no user cert per se

Doubt you are looking at (b) but for info...

b) Server DPI-SSI (remote WAN client to LAN servers)
@ http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_DPI-SSL_ServerSSL_Snwls.html

- this case, you will use the private server keys to put into the Sonicwall. There is more details in the PDF. In short, each server's key need to be provision in that appliance guarding the path for the remote user to the server resources..

overall doc for (a) and (b)
@ http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.6_DPI-SSL_Feature_Module.pdf


Coming back to the certificate, good to see this

http://help.mysonicwall.com/sw/eng/7630/ui2/70/Policies_System_Certificates_Snwls.html#1018510

pertaining to the class of cert, they are simply below. E.g. the sslhopper wizard helps in specific to web server authentication certificates...

http://www.sslshopper.com/ssl-certificate-wizard.html

- Class 1 (Domain validated, free): More for your domain name in the certificate (not your business or organization name), kind of like "self-signed". They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers/client.

- Class 2 (Identity validated): take a while longer as your identity is validated before issuing this cert. Thereafter, you can get as many certificates as you need for different domains and you can even get wildcard certificates. This also includes organization validated certificates.

There is a EVL cert with higher assurance as compared to above too. Probably as you see in the Sonicwall guide, even openssl suffice, best if for organisation outfacing have your own enterprise issued cert else go for class 2 on public organisation server (for customer assurance..). As long as it is x509v3 cert as baseline, the class just to give that extra assurance...(Class 1 can be susceptible though)

http://security.stackexchange.com/questions/18919/are-there-technical-disadvantages-in-using-free-ssl-certificates
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
GrolffAuthor Commented:
"if the cert is trusted by client browser then the "prompt" should not be displayed"

so what type of cert do i need to load into the sonicwall so my users don't get messages? and i don't have to load a cert into browsers on 300 computers?  if the browser see its  signed cert then it shouldn't throw an error, no?

i guess just a class 1 for the subnet my sonicwall is on, 192.168.9.0?
0
btanExec ConsultantCommented:
Prompt does not come up as long as the trust root cert is inside the sonicwall. You can see the trusted root cert thru the certmgr or in Internet Explorer go to: Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab. So just need to see which trusted root is defualt in client and go for such 3rd party cert ...
https://www.globalsign.com/support/servers/sonicwall.php

Actually class 1 should be fine for private subnet
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

GrolffAuthor Commented:
i purchased a class 1 from godaddy for my private domain.  (domain.local)  godaddy will not issue for ip addresses.  also they told me as of november, 2015 no one will be doing them for ip addresses or private domains.

thank you for all your help.
0
GrolffAuthor Commented:
Very thorough answers.  thank you.
0
btanExec ConsultantCommented:
thanks for sharing
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SSL / HTTPS

From novice to tech pro — start learning today.