Solved

Sonicwall HTTPS Certificate

Posted on 2013-12-11
Last Modified: 2013-12-11
Have received this report upon authorized scanning of host for PCI compliance test. We have Sonicwall firewall NSA2400 with up to date firmware. It is saying we need to update the HTTPS certificate issued by Sonicwall to get the SHA-1 signature algorithm for security hash function. How is this done?
Question by:cebu1014
4 Comments
 
LVL 17

Expert Comment

by:TimotiSt
ID: 39711916
Most network devices come with pre-installed certificates (fairly useless for actual security).
You can get certificates from SSL vendors (a cheap example is godaddy.com), and install them in your device. Make sure to request the certificate for the name you'll actually use (www.something.com, vpn.somethingelse.com, etc.).

Tamas
0
 
LVL 25

Accepted Solution

by:
Diverse IT earned 500 total points
ID: 39712166
Hi cebu1014,

Here is a step-by-step on how to set up your SSL Cert on the SonicWALL.

NOTE: SonicOS firmwares until 5.9.0.0 support only MD5 and SHA1 certificates. SonicOS 5.9.0.0 and above support SHA1, SHA256 & SHA512. Your SonicWALL's latest SonicOS release is SonicOS 5.9.0.2.107o, and I would recommend upgrading to that if you haven't already.

In order for a device certificate to be validated, the CA (Certificate Authority) certificate should be installed on the SonicWALL device. Some third-party public CAs may have a subordinate CA which issues certificates to the end users. To validate the device certificate, the certificate chain needs to be installed; see Screenshot 1 (Certificate Path).

Procedure to install the GoDaddy Certificate in SonicWALL device:
The below steps are common for any other Public CA also, not only for GoDaddy.
 
NOTE: Before assigning the imported certificate to the SonicWALL web administration, back up the current settings using the System > Settings > Export Settings button.

1. Option 1: Generate a CSR (Certificate Signing Request) from the SonicWALL device

Prior to generating a CSR from the SonicWALL device, you need to install the Root CA and intermediate CA certificate from GoDaddy web site.

1. Access https://certs.godaddy.com/anonymous/repository.seam and download/install the gd-class2-root.crt & gd_intermediate.crt or gd_bundle.crt certificates to the SonicWALL device.
2. Generate a CSR from the SonicWALL device. Logon to the SonicWALL device as admin.
3. Go to System > Certificates > Select the "Imported Certificates" button.
4. Click the "New Signing Request" button.
5. A new CSR window will open up, fill in the details and hit the ‘Generate’ button.
6. On the main window, it’ll show you the status of the CSR as "Pending Request".
7. Click on the download button for that CSR.
8. Download and save it to the computer, it’s a .p10 file.
9. Submit this file to the GoDaddy CA and get the certificate signed as Web server ‘Apache’.
10. After getting a signed certificate, you can import the same certificate using the ‘Pending Request’ import button.
11. In the presence of the Root CA and intermediate CA certificates, the SonicWALL device should show this certificate as ‘Local’ and ‘Validated’.

2. Option 2: Import a pfx format certificate to the SonicWALL device

For this method also you need to first install the Root CA and Intermediate CA certificate from GoDaddy web site.

1. You can generate a CSR from any other web server or a network device and import it in pfx format (including the Private Key associated with that certificate).
2. Go to System > Certificates > Select the "Imported Certificates" button.
3. Click on the "Import" button.
4. Supply a name for the certificate (this is just for local identification), the certificate password, and the path the certificate is to be imported from.
5. Hit the ‘Import’ button.
6. In the presence of the Root CA and intermediate CA certificates, the SonicWALL device should show this certificate as ‘Local’ and ‘Validated’.

Assigning the imported certificate to the SonicWALL web administration:

1. Export the existing settings from System > Settings page (click on the "Export settings" button).
2. Go to System > Administration > Web Management Settings > under Certificate Selection, select the recently imported certificate and hit the Apply/Accept button on the top.
3. Log out from the web administration, close the browser window and log back in to check the certificate error.
4. Sometimes you may need to restart the SonicWALL device.
Let me know if you have any questions!
0
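A check to run on the .p10 request and on the signed certificate before importing it, added here as an example (it is not part of the original answer or of any SonicWALL tooling): it reads each file's signature algorithm with `openssl` and maps it to the firmware support stated in the NOTE above. The function names, the `fw.example.test` subject and the PEM encoding of both files are assumptions; the sample key, CSR and certificate are generated locally.

```shell
#!/bin/sh
# Added example; function names and fw.example.test are hypothetical.
# Assumes the .p10 request and the signed certificate are PEM-encoded.

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '$1 == "Signature" && $2 == "Algorithm:" { print $3; exit }'
}

# Signature algorithm of a CSR (the .p10 file saved in Option 1, step 8).
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        awk '$1 == "Signature" && $2 == "Algorithm:" { print $3; exit }'
}

# Map an algorithm name to the SonicOS support listed in the answer's NOTE.
sonicos_support() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md5*)             echo "pre-5.9.0.0" ;;  # listed only for older firmware
        *sha1*)            echo "any" ;;          # listed for both ranges
        *sha256*|*sha512*) echo "5.9.0.0+" ;;     # listed only for 5.9.0.0 and above
        *)                 echo "unlisted" ;;     # not mentioned in the NOTE
    esac
}

# Constructed sample: throwaway RSA key, CSR and self-signed certificate.
make_sample() {
    dir=$1; digest=$2
    openssl req -new -newkey rsa:2048 -nodes -"$digest" \
        -subj "/CN=fw.example.test" \
        -keyout "$dir/key.pem" -out "$dir/req.p10" 2>/dev/null &&
    openssl x509 -req -in "$dir/req.p10" -signkey "$dir/key.pem" \
        -"$digest" -days 1 -out "$dir/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" sha256
alg=$(cert_sig_alg "$tmp/cert.pem")
echo "CSR signature:  $(csr_sig_alg "$tmp/req.p10")"
echo "Cert signature: $alg (SonicOS: $(sonicos_support "$alg"))"
rm -rf "$tmp"
```

Point `cert_sig_alg` at the certificate returned by the CA: a result of `5.9.0.0+` on a 5.8 firmware means the upgrade has to come before the import.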
 

Author Comment

by:cebu1014
ID: 39713332
Great information. Thank you.
We are using 5.8.xxx version of firmware. To be PCI compliant we need to use SHA-1 not MD5 for the cryptographic hash function.
If updating to 5.9 and above is all that we need to eliminate MD5 from being used, then I will update, as it is an easier step to see if it is a resolution to the problem.
0
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39713357
Terrific. Glad I could help and thanks for the points!
0
