How can I obtain a Certificate from a Windows Certificate Authority (CA)? | SonicWall (2024)

12/11/2023 798 People found this article helpful 540,147 Views

Description

• Microsoft Windows Active Directory Services installed and configured.
• Microsoft Certificate Services installed and configured.
• Microsoft Internet Information Services (IIS) 7.0 installed and configure.

Deployment Steps

1. Exporting the CA Certificate from the Active Directory Server.
2. Importing the CA Certificate onto the SonicWall.
3. Creating a New Signing Request in SonicWall Appliance.
4. Requesting certificate for the new signing Request by the MS Certificate Authority.
5. Validating the Certificate on the SonicWall Appliance.
6. How to Test

Resolution

Exporting the Root CA Certificate from the Active Directory (AD) Server

1. In the AD server, launch the Certificate Authority application by Start |Run|certsrv.msc.
2. Right click the CA you created and select Properties.
3. On the General tab, clickView Certificate button.
4. On the Details tab, select Copy to File.
5. Follow through the wizard, and select the DER Encoded binary X.509 (.cer) format.
6. Click browse and specify a path and filename to save the certificate.
7. ClickNext button and clickFinish.
   
   
   
   
   

Importing the CA Certificate onto the SonicWall

1. Click Manage in the top navigation menu.
2. Navigate to Appliance | Certificates.
   
3. ClickImport. Select the certificate file you just exported.
   
4. Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file,
5. ClickBrowse and Select the certificate file you just exported from the MS Certificate Authority.
6. Once the root certificate is selected, Clickimport button.
   
   
7. Once the CA root certificate is imported, it will be listed under the Appliance | Certificatespage with type as CA Certificate.

   TIP: This page can be filtered to easily locate this certificate by changing theView Style to Imported certificates and requests.

   
   

Creating a Certificate Signing Request (CSR) in SonicWall Appliance

1. Navigate toAppliance | Certificates page and clickNew Signing Request.
2. Fill out the CSR form in SonicWall device and clickGenerate. For the most part, you can leave the drop-down boxes to their defaults and fill out each field as suggested by its corresponding drop-down box.
   
3. The Appliance | Certificates page will refresh and your new certificate will appear with a type ofPending Request.
   

   NOTE: You may need to refresh the page for this status to appear.

   
   
4. ClickExport button. In the new Pop-up window, click Export and save the file locally on your device for later import to the Windows Server.
   

Requesting a certificate for the CSR from the MS Certificate Authority

TIP: If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to submit the firewall s CSR is via web browser.

1. Open a browser and enter http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below).
2. Select the task Request a Certificate.
   
3. Clickadvanced certificate request.
   
4. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
   
5. Copy and paste the contents of the CSR in the Saved Request box.
6. Select Web Server under Certificate Template.
   
7. Select DER encoded and clickDownload Certificate. Save the file to your local system using whatever name you wish this file will be imported into SonicWall appliance.
   
   

Validating the Certificate on the SonicWall Appliance

1. Navigate toSystem|Certificates page.
2. ClickUpload Signed certificate for the certificate that has type Pending request.
   
   
3. Browse for the downloaded file from the CA and clickUpload.
   
   
   
4. Once the certificate has been uploaded, the certificate will show typeas Local Certificate and Validated as YES.
   
   

How to Test

Now that a signed certificate has been imported into the SonicWall, it can be used for HTTPS management of SonicWall interfaces as well as for SSL-VPN. To set the imported certificate as the management certificate, perform the following steps

1. Navigate toAppliance | Base Settings.
2. Under the Web Management Settings section, select the imported certificate under Certificate Selection.
3. ClickAccept to save the changes.
   
4. When logging into the SonicWall after importing the signed certificate you may receive the following browser errors:
   
   CAUTION:
   "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority".
   You get this error because the issuing CA certificate is not in the certificate store of the browser. To resolve it, install the certificate in the certificate store of the browser.
   "The name on the security certificate is invalid or does not match the name of the site".
   You get this error because you are accessing the site using a different name from the certificate Common Name (CN) you entered when creating the Certificate Signing Request (CSR). In the above example the SonicWall is being accessed using an IP address although the CN in the certificate is SonicWall.local (see above) : You have two options to overcome this error:

• When creating the CSR enter the CN as 192.168.168.168.
• Map the IP address of the SonicWall to the CN.

Related Articles

• NSv upgrade from 7.0.1 to 7.1.X
• Netextender failing to connect with error "Initializing engine…failed"
• High Availability setup not working - Error Contacting Peer HA Firewall

Categories

• Firewalls > SonicWall SuperMassive 9000 Series > System
• Firewalls > TZ Series > System
• Firewalls > NSa Series > System
• Firewalls > NSv Series > System

Was This Article Helpful?

YESNO