Installing an SSL certificate in the SonicWALL SSL Offloader

Part one: Download and save your certificates

  1. Open the email we sent you, that contains the certificate for your domain name.

  2. Copy the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  3. Paste the certificate into a blank document in a text editor. Use an editor that will not add characters, such as TextPad.

  4. Save the document. We recommend that you name it YourDomainName.crt and save it in your Web server's default directory for SSL certificates.

    We recommend that you also back up your certificate on another computer or storage device.

  5. Confirm which certificate you purchased, and determine which chain file to download.

    To confirm which certificate you purchased, review your order confirmation.

    • If you purchased SBS Instant, download chain A below.

    • If you purchased SBS Secure or Secure Plus, download chain B below.

    A -- SBS Instant

    -OR-

    B -- SBS Secure and Secure Plus with a "Valid from" date Nov 9, 2006 or later

  6. Download the certificate chain. To download, right-click each certificate file name and select Save Target As.

    Save the certificate chain to the same directory where you saved the certificate for your domain name.

Part two: Install your certificates

In order for visitors' browsers to recognize your certificate as authentic and trustworthy, you must install it with the certificate chain that ties it to its issuing Certification Authority.

All SonicWALL SSL Offloaders support certificate chains. The certificates are imported using the certificate chain commands.

To install using OpenSSL

  1. Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and just install OpenSSL by choosing the Custom Installation option.
  2. Open the certificate for your domain name and the certificate chain in a text editor.
  3. Save the certificates with .pem extensions. For example, YourDomainName.pem.
  4. Verify the certificate information with openssl:

    x509 -in C:\Path\YourDomainName.pem -text
    (and)
    x509 -in C:\Path\CertChain.pem -text
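Before loading the saved .pem files into the offloader, it is worth checking that the paste-and-save steps in part one did not damage them. The following is an added example and is not part of this article or of SonicWALL's tools: it undoes the debris a text editor can add (a BOM, CRLF line ends), rejects stray characters inside the base64 body, checks that each block decodes to exactly one whole DER SEQUENCE, and confirms that the issuer name in your domain certificate matches the subject name of the first certificate in the chain file. The DER walker is minimal and assumes well-formed input; `pem_from_der` exists only to build constructed test input.

```python
import base64
import re

# Added example, not from the article or from SonicWALL: sanity-check pasted PEM files
# (BOM/CRLF debris, stray characters, DER framing) and check domain cert issuer == chain cert subject.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"\n(.*?)\n" + re.escape(END), re.S)

def pem_blocks(text):
    """Return DER bytes for each certificate block after undoing a BOM and CRLF line ends."""
    text = text.lstrip("\ufeff").replace("\r\n", "\n")
    bodies = ["".join(m.group(1).split()) for m in BLOCK.finditer(text)]
    if text.count(BEGIN) != len(bodies) or text.count(END) != len(bodies):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE markers")
    return [base64.b64decode(b, validate=True) for b in bodies]  # rejects stray characters

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def _children(buf, start, end):
    while start < end:                      # yield (tag, raw TLV, value_start, value_end)
        tag, vstart, vend = _tlv(buf, start)
        yield tag, buf[start:vend], vstart, vend
        start = vend

def der_names(der):
    """Return (issuer, subject) as raw DER Name bytes; reject anything but one whole SEQUENCE."""
    tag, start, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE: truncated or trailing bytes")
    tbs = next(_children(der, start, end))          # tbsCertificate is the first element
    fields = list(_children(der, tbs[2], tbs[3]))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject

def chain_links(domain_pem, chain_pem):
    # True if the first certificate in the chain file is the issuer of the domain certificate.
    issuer, _ = der_names(pem_blocks(domain_pem)[0])
    _, subject = der_names(pem_blocks(chain_pem)[0])
    return issuer == subject

def pem_from_der(der):
    # Wrap DER bytes as one PEM block; used only to build constructed test input.
    return BEGIN + "\n" + base64.encodebytes(der).decode("ascii") + END + "\n"
```

Run `chain_links(open("YourDomainName.pem").read(), open("CertChain.pem").read())` on your saved files; a result of False means the wrong chain (A or B) was downloaded or the files were mixed up.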

To set up the Chained Certificates

Now that you have the proper certificates, load the certificates into certificate objects.

These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain.

In the example, the name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded certificate for your domain name is YourDomain.pem; the name of the PEM-encoded certificate chain is CertChain.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.

  1. Start the configuration manager as described in the manual.
  2. Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter those passwords.)

    inxcfg> attach myDevice
    inxcfg> configure myDevice
    (config[myDevice])>

  3. Enter SSL Configuration mode and create an intermediate certificate object named CACert, which places you in Certificate Configuration mode. Load the PEM-encoded chain file (CertChain.pem) into the certificate object, and return to SSL Configuration mode.

    (config[myDevice])> ssl
    (config-ssl[myDevice])> cert myCert create
    (config-ssl-cert[CACert])> pem CertChain.pem
    (config-ssl-cert[CACert])> end
    (config-ssl[myDevice])>

  4. Enter Key Association Configuration mode, load the PEM-encoded certificate for your domain name (YourDomain.pem) together with its private key file (key.pem), and return to SSL Configuration mode.

    (config-ssl[myDevice])> keyassoc localKeyAssoc create
    (config-ssl-keyassoc[localKeyAssoc])> pem YourDomain.pem key.pem
    (config-ssl-keyassoc[localKeyAssoc])> end
    (config-ssl[myDevice])>

  5. Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.

    (config-ssl[myDevice])> certgroup CACertGroup create
    (config-ssl-certgroup[CACertGroup])> cert myCert
    (config-ssl-certgroup[CACertGroup])> end
    (config-ssl[myDevice])>

  6. Enter Server Configuration mode and create the logical secure server server1; assign an IP address, the SSL and clear-text ports, the security policy myPol, the certificate group CACertGroup (as the chain) and the key association localKeyAssoc; then exit to Top Level mode.

    (config-ssl[myDevice])> server server1 create
    (config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
    (config-ssl-server[server1])> sslport 443
    (config-ssl-server[server1])> remoteport 81
    (config-ssl-server[server1])> secpolicy myPol
    (config-ssl-server[server1])> certgroup chain CACertGroup
    (config-ssl-server[server1])> keyassoc localKeyAssoc
    (config-ssl-server[server1])> end
    (config-ssl[myDevice])> end
    (config[myDevice])> end
    inxcfg>

  7. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.

    inxcfg> write flash myDevice
    inxcfg>

Resources

Additional documents and technical notes on SonicWALL SSL can be found online at http://www.sonicwall.com/support/ssl_documentation.html

Copyright © 2008 Secure Business Services, All rights reserved.