Importing a Server Certificate and Chain into the SonicWALL SSL Offloader
Chained Certificates
All SonicWALL SSL Offloaders support chained certificates. The zip file you receive contains more than one certificate: a root certificate and an intermediate CA certificate in addition to your server/domain certificate. Once the zip has been unpacked into its separate certificates, they must be imported into the SonicWALL using the chained certificate commands.
EXAMPLE - Instructions for using OpenSSL
Now that you have received the certificate bundle, unzip it so that the root, intermediate and server certificates are separate files that can be entered into the SonicWALL SSL Offloader.
Start by unzipping the three certificates. Of the three, only the Intermediate CA file and your Site/Domain certificate are needed for the steps below.
Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and install OpenSSL by choosing the 'Custom Installation' option.
Once launched, open the Intermediate CA file and the Site/Domain certificate in a text editor.
Copy and paste the entire text of each, including the
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
lines.
The Site/Domain certificate is the server certificate.
The Intermediate CA file is the intermediary certificate.
Save these as separate files (e.g. C:\server.pem and C:\inter.pem).
Verify the certificate information with OpenSSL. The commands below are typed at the OpenSSL> prompt of openssl.exe; from an ordinary command shell, prefix each one with "openssl":
x509 -in C:\server.pem -text
(and)
x509 -in C:\inter.pem -text
In the output, confirm that the Subject of server.pem is your domain and that its Issuer is identical to the Subject of inter.pem; if they differ, you have the wrong intermediate and the chain will not validate on the device.
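The page only has you eyeball the -text output. The script below, added here as an example and not part of the Comodo page or of SonicWALL's tooling, turns that into pre-flight checks you can run before anything touches the device: that each file parses, that inter.pem really issued server.pem, that key.pem belongs to server.pem, and that the whole path validates up to the root certificate from the zip (assumed here to be saved as root.pem; the page does not name that file). Because it has to run offline, it builds its own throwaway root, intermediate and server chain for www.example.com, which is constructed demo material, not a Comodo-issued certificate. It needs only the openssl command-line tool (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not from the Comodo page or SonicWALL's tooling: pre-flight
# checks on server.pem, inter.pem and key.pem before they go into the
# SSL Offloader. Needs only the openssl command-line tool (1.1.1 or later).
set -e

# check_chain SERVER_PEM INTER_PEM KEY_PEM ROOT_PEM
# Returns 0 when every check passes, 1 (with a reason on stdout) otherwise.
check_chain() {
    server=$1; inter=$2; key=$3; root=$4

    # 1. Each file must parse as what it claims to be.
    openssl x509 -in "$server" -noout 2>/dev/null || { echo "server cert unreadable"; return 1; }
    openssl x509 -in "$inter" -noout 2>/dev/null || { echo "intermediate unreadable"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "private key unreadable"; return 1; }

    # 2. The intermediate must be the issuer of the server certificate:
    #    its subject name hash must equal the server cert's issuer name hash.
    [ "$(openssl x509 -in "$inter" -noout -subject_hash)" = \
      "$(openssl x509 -in "$server" -noout -issuer_hash)" ] \
        || { echo "intermediate did not issue the server cert"; return 1; }

    # 3. The private key must belong to the server certificate: the public key
    #    carried in the cert must equal the one derived from the private key.
    [ "$(openssl x509 -in "$server" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "private key does not match the server cert"; return 1; }

    # 4. Full path validation up to the root, as a browser would do it.
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null 2>&1 \
        || { echo "chain does not verify to the root"; return 1; }
    return 0
}

# make_demo_chain DIR: constructed demo material (a throwaway root ->
# intermediate -> server chain plus an unrelated key) so the checks can be
# exercised offline. Real deployments use the files Comodo issued.
make_demo_chain() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
authorityKeyIdentifier = keyid
EOF
    cnf=$dir/openssl.cnf
    # self-signed root
    openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # intermediate CA signed by the root
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Intermediate" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$cnf" -extensions v3_inter \
        -out "$dir/inter.pem" 2>/dev/null
    # server (leaf) certificate signed by the intermediate; key.pem is its key
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" -keyout "$dir/key.pem" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$cnf" -extensions v3_leaf \
        -out "$dir/server.pem" 2>/dev/null
    # an unrelated key, to show the mismatch check firing
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrong.key" 2>/dev/null
}

# run_demo: returns 0 when the correct files pass and a wrong key is rejected.
run_demo() {
    tmp=$(mktemp -d)
    make_demo_chain "$tmp"
    good=1; bad=1
    if check_chain "$tmp/server.pem" "$tmp/inter.pem" "$tmp/key.pem" "$tmp/root.pem"; then good=0; fi
    if ! check_chain "$tmp/server.pem" "$tmp/inter.pem" "$tmp/wrong.key" "$tmp/root.pem" >/dev/null; then bad=0; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]
}

if run_demo; then echo "good chain accepted, mismatched key rejected"; fi
```

Against the real files, call check_chain C:\server.pem C:\inter.pem C:\key.pem C:\root.pem (or the equivalent paths on a Unix host with the openssl tool) and only proceed to the device once it returns 0. The key-match check (step 3) matters most in practice: the Offloader's keyassoc command accepts any syntactically valid key, and a mismatch only surfaces later as a handshake failure.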
EXAMPLE - Setting Up the Chained Certificates
Now that you have the proper certificates, load them into the device. The intermediate certificate is loaded into a certificate object, the server certificate and its private key are loaded into a key association, and the certificate object is placed in a certificate group that the secure server then uses as its certificate chain. In this example the name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The PEM-encoded, CA-generated server certificate is server.pem, its private key is key.pem, and the PEM-encoded intermediate certificate is inter.pem. The certificate object is named CACert, the key association localKeyAssoc, and the certificate group CACertGroup.
Start the configuration manager as described in the manual.
Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter it.)
inxcfg> attach myDevice
inxcfg> configure myDevice
(config[myDevice])>
Enter SSL Configuration mode and create a certificate object named CACert for the intermediary certificate, which puts you in Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.
(config[myDevice])> ssl
(config-ssl[myDevice])> cert CACert create
(config-ssl-cert[CACert])> pem inter.pem
(config-ssl-cert[CACert])> end
(config-ssl[myDevice])>
Enter Key Association Configuration mode, load the PEM-encoded server certificate and its private key file, and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem server.pem key.pem
(config-ssl-keyassoc[localKeyAssoc])> end
(config-ssl[myDevice])>
Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert into it, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert CACert
(config-ssl-certgroup[CACertGroup])> end
(config-ssl[myDevice])>
Enter Server Configuration mode, create the logical secure server server1, assign an IP address, the SSL and clear-text ports, the security policy myPol, the certificate group CACertGroup (used as the certificate chain) and the key association localKeyAssoc, then exit to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
(config-ssl-server[server1])> end
(config-ssl[myDevice])> end
(config[myDevice])> end
inxcfg>
Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice
inxcfg>
Resources
Additional documents and technical notes on SonicWALL SSL can be found online at http://www.sonicwall.com/