SonicOS Using Microsoft’s CA Server with SonicWALL Devices
Introduction
You can use the Certificate Server that ships with Windows 2000/2003 Server to create certificates for SonicWALL devices, as well as the SonicWALL Global VPN Client. The certs can be used as the authentication mechanism when creating VPN tunnels between SonicWALL devices, or between SonicWALL devices and SonicWALL Global VPN Clients. This technote will detail how to use the Microsoft Certificate Server (MS CA) to perform these actions. In order to use certificates from the MS CA servers, the SonicWALL device must have firmware 6.3.x.x or newer installed. If you wish to use MS CA-generated client certificates, you must use the new SonicWALL Global VPN Client.
Obtain a copy of the root certificate
Each SonicWALL device and all SonicWALL Global VPN Clients must have a copy of the MS CA’s “root certificate” installed before you begin. The root certificate is what the MS CA server uses to sign the certificates for your SonicWALL devices and the SonicWALL Global VPN Clients. When attempting to create a VPN tunnel using these certificates as the authentication mechanism, each side must be able to prove the identity and validity of each other’s cert. This is done by verifying that each other’s cert has been signed by a trusted third party – in this case, the MS CA.
Creating a Certificate Signing Request (CSR) on the SonicWALL device
The SonicWALL GUI for firmware 6.3.x.x and newer includes keypair and CSR generation tools. To create a keypair and a CSR to process with your private CA, open the SonicWALL device GUI, click on the ‘VPN’ button, and select the ‘Local Certificates’ tab.
1. Fill out the CSR form in the SonicWALL device and click on ‘Generate’
For the most part, you can leave the drop-down boxes at their defaults and fill out each field as suggested by its corresponding drop-down box. An example is below:
In the ‘Country’ field, put the country code abbreviation instead of spelling out the name of the country. In the ‘State’ field, put the full name of the state instead of the abbreviation. In the ‘Common Name’ field, put the name for the SonicWALL device. For the ‘Subject Key Size’ drop-down box, we suggest a key size of ‘1024 bits’. If you do not fill out these fields correctly, OpenSSL may reject the certificate request.
The optional ‘Subject Alternate Name’ field can be used to simplify VPN tunnel setup. Select ‘Domain Name’ or ‘Email-ID’ from the drop-down box and enter the name or Email-ID of the SonicWALL device. This will allow you to identify peers by their ‘Subject Alternative Name’ alone instead of having to paste in the full ‘Subject Distinguished Name’. Please note that if the peer’s local certificate shows an alternative name, you must use it as the peer ID; the Subject Distinguished Name cannot be used in that case.
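The following is an added example (it is not part of the SonicWALL technote and is not SonicWALL code) showing how the same kind of PKCS#10 request that the firewall’s ‘Generate’ button produces can be built and checked with the OpenSSL command line before it is pasted into the ‘certsrv’ form. The device name, organisation, location and host name are constructed. It uses a 2048-bit key rather than the 1024 bits the technote suggests, because current OpenSSL and CA defaults refuse RSA keys shorter than 2048 bits. It also shows the warning above in practice: OpenSSL enforces the two-character limit on the Country attribute, so a spelled-out country name cannot even be encoded into a request.

```shell
#!/bin/sh
# Added example, not part of the SonicWALL technote: build the same kind of
# PKCS#10 request the firewall's 'Generate' button produces, using the
# OpenSSL command line, and check it before pasting it into 'certsrv'.
# Device name, organisation and host name below are constructed.
set -eu

WORKDIR=$(mktemp -d)

# Request config following the technote's field rules: 'C' is the two-letter
# country code, 'ST' the full state name, 'CN' the device name, plus a
# Subject Alternative Name (DNS here; 'email:' gives the Email-ID form)
# that can later serve as the peer ID.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no

[ dn ]
C  = US
ST = California
L  = Sunnyvale
O  = Example Corp
CN = fw-hq-01

[ ext ]
subjectAltName = DNS:fw-hq-01.vpn.example.com
EOF
}

# Keypair plus CSR. The 2003 technote suggests 1024 bits; current OpenSSL
# and CA defaults refuse RSA keys under 2048, so 2048 is used here.
make_device_csr() {
    write_req_config
    openssl genrsa -out "$WORKDIR/device.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/device.key" -config "$WORKDIR/req.cnf" \
        -out "$WORKDIR/device.csr" 2>/dev/null
    echo "$WORKDIR/device.csr"
}

# Pre-submission check: the CSR parses and verifies, its subject ends in a
# two-letter 'C=' value, and a Subject Alternative Name is present.
check_device_csr() {
    csr=$1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || {
        echo "CSR does not parse or its self-signature is bad"; return 1; }
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *,C=[A-Z][A-Z]) ;;
        *) echo "country must be a two-letter code: $subj"; return 1 ;;
    esac
    openssl req -in "$csr" -noout -text | grep -q 'Subject Alternative Name' || {
        echo "no subjectAltName in CSR"; return 1; }
    return 0
}

# The technote's warning in practice: OpenSSL enforces the X.520 two-character
# limit on 'C', so a spelled-out country name cannot be encoded at all.
# Returns 0 when the request is rejected as expected.
spelled_out_country_is_rejected() {
    if openssl req -new -key "$WORKDIR/device.key" \
        -subj "/C=United States/ST=California/CN=fw-hq-01" \
        -out "$WORKDIR/bad.csr" >/dev/null 2>&1; then
        return 1    # unexpectedly accepted
    fi
    return 0
}

CSR=$(make_device_csr)
if check_device_csr "$CSR"; then
    echo "CSR ready to paste into the certsrv request form:"
    cat "$CSR"
fi
```

The PEM text printed at the end is what goes into the ‘Submit a certificate request using a base64 encoded PKCS#10 file’ box. On OpenSSL 1.1.1 or newer the config file can be replaced by `-subj` together with `-addext "subjectAltName=DNS:..."`; the config-file form is used here because it works on older releases as well.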
2. Submit the CSR to the MS CA
If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to submit the firewall’s CSR is via web browser. You can log into the MS CA server at ‘http://x.x.x.x/certsrv/’ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below).
Select the radio button next to ‘Advanced Request’ and click on the ‘Next>’ button:
Select the radio button next to ‘Submit a certificate request using a base64 encoded PKCS#10 file…’ and click on the ‘Next>’ button:
and paste them into this box. Or, depending on your browser security settings, you may be able to use the ‘Browse for a file to insert’ feature to directly import the CSR. When done, click on the ‘Submit>’ button.
If the MS CA server is set for manual approval, you'll get the following message:
“Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested.”
If you see this message, you’ll need to wait for the admin of the MS CA server to manually approve your certificate request. (Note -- if you’re the admin, simply log into the MS CA server with the ‘Certification Authority’ tool, navigate to the ‘Pending Requests’ folder, right-click on the certificate request, and select ‘Issue’).
How to create client keys and certs
The current 1.x version of the SonicWALL Global VPN Client does not have any mechanisms for creating a public/private keypair or a certificate signing request (CSR). In order to use third-party certificates with the SonicWALL Global VPN Client, you can use the MS CA to generate these items and then convert the private key and client certificate into PKCS#12 (.pfx) format before importing them.
If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to create the client’s keypair and certificate is via web browser. You can log into the MS CA server at ‘http://x.x.x.x/certsrv/’ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below).
form’ and then click on the ‘Next>’ button:
If the MS CA server is set for manual approval, you'll get the following message:
“Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested.”
If you see this message, you’ll need to wait for the admin of the MS CA server to manually approve your certificate request. (Note -- if you’re the admin, simply log into the MS CA server with the ‘Certification Authority’ tool, navigate to the ‘Pending Requests’ folder, right-click on the certificate request, and select ‘Issue’).
The next steps detail how you can retrieve the private key and client certificate from the web browser. As mentioned on the previous page, it was necessary to install the client certificate directly into the browser. This is because when you used the browser to fill out the client request form, the browser itself created the public/private keypair, so the private key lives in the browser and has to be exported from there.
Select the radio button next to ‘Personal Information Exchange – ’, check the box next to ‘Include all certificates in the certification path if possible’, check the box next to ‘Enable strong protection’, and then click on the ‘Next>’ button:
You will be prompted for a path to save the file. Enter a path and a name for the exported private key and client certificate, and then click on the ‘Next>’ button:
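The following is an added example (not part of the SonicWALL technote and not SonicWALL code) that reproduces with OpenSSL what the export wizard hands you: a .pfx (PKCS#12) file holding the private key, the client certificate and the root that signed it. It also runs the check described under ‘Obtain a copy of the root certificate’ above, namely that a peer’s certificate is accepted only when it chains to a root the verifier already trusts. The CA, the user name and the export passphrase are constructed test material created in a temporary directory; a real deployment would submit the request to the MS CA instead of signing it locally.

```shell
#!/bin/sh
# Added example, not part of the SonicWALL technote: reproduce with OpenSSL
# what the browser's export wizard produces (a .pfx holding the private key,
# the client certificate and the root that signed it), and run the trust
# check a VPN peer applies to such a certificate. The CA, the user and the
# export passphrase are constructed test material in a temp directory.
set -eu

WORKDIR=$(mktemp -d)
EXPORT_PASS='example-export-passphrase'   # constructed; the wizard's password

# Stand-in for the MS CA root certificate: a self-signed CA.
make_test_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/ST=California/O=Example Corp/CN=Example Test Root CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# A second, unrelated root that no peer has been told to trust.
make_other_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other CA" \
        -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.crt" 2>/dev/null
}

# Client keypair + CSR, then issuance from the test root: the OpenSSL
# equivalent of the browser form plus the admin's 'Issue' click.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=California/O=Example Corp/CN=vpn-user-01" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 30 \
        -out "$WORKDIR/client.crt" 2>/dev/null
}

# The check each tunnel endpoint makes on the other side's certificate:
# it must chain to a root the endpoint already holds. Exit 0 = trusted.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 'Personal Information Exchange' with 'Include all certificates in the
# certification path': key, client cert and root in one password-protected
# PKCS#12 file. Prints the path of the bundle.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORKDIR/client.key" \
        -in "$WORKDIR/client.crt" -certfile "$WORKDIR/ca.crt" \
        -name "vpn-user-01" -passout "pass:$EXPORT_PASS" \
        -out "$WORKDIR/client.pfx"
    echo "$WORKDIR/client.pfx"
}

# Number of certificates inside the bundle; 2 means the root travelled with
# the client certificate, so the import supplies the whole path.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# The bundle's integrity check: it opens only with the right passphrase,
# which is the only thing protecting the private key inside the .pfx.
pfx_opens_with() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_test_root_ca
issue_client_cert
PFX=$(export_pfx)
if chains_to_root "$WORKDIR/ca.crt" "$WORKDIR/client.crt"; then
    echo "client cert chains to the test root; bundle at $PFX"
fi
```

The resulting client.pfx is the same shape of file the wizard writes, and `pfx_cert_count` is a quick way to confirm that ‘Include all certificates in the certification path’ actually took effect before the file is handed to the Global VPN Client. Because the passphrase is all that protects the private key in transit, treat the .pfx as a secret until it has been imported and deleted.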
How to load the client key/cert and root cert into the Global VPN Client
Start the SonicWALL Global VPN Client. From the ‘View’ menu, select ‘Certificate Manager’. From the ‘File’ menu of the Certificate Manager, select ‘Import Certificate’. Navigate to where the root cert and client cert files are located and import them both; you will be prompted to enter the export passphrase created on page 15.
Prepared by SonicWALL, Inc. 04/18/2003