SonicOS

Using Microsoft's CA Server with SonicWALL Devices

Introduction

You can use the Certificate Server that ships with Windows 2000/2003 Server to create certificates for SonicWALL devices, as well as for the SonicWALL Global VPN Client. The certs can be used as the authentication mechanism when creating VPN tunnels between SonicWALL devices, or between SonicWALL devices and SonicWALL Global VPN Clients. This technote details how to use the Microsoft Certificate Server (MS CA) to perform these actions. In order to use certificates from the MS CA server, the SonicWALL device must have firmware 6.3.x.x or newer installed. If you wish to use MS CA-generated client certificates, you must use the new SonicWALL Global VPN Client.

Obtain a copy of the root certificate

Each SonicWALL device and all SonicWALL Global VPN Clients must have a copy of the MS CA's root certificate installed before you begin. The root certificate is what the MS CA server uses to sign the certificates for your SonicWALL devices and the SonicWALL Global VPN Clients. When attempting to create a VPN tunnel using these certificates as the authentication mechanism, each side must be able to prove the identity and validity of the other's cert. This is done by verifying that the other's cert has been signed by a trusted third party, in this case the MS CA.

If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to obtain a copy of the root certificate is via web browser. Log into the MS CA server at http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below). Select the radio button next to "Retrieve the CA certificate or certificate revocation list" and click on the Next> button.
Select the radio button next to "DER encoded" and then click on the "Download CA certificate" link. This will prompt you to save a copy of the CA's root cert to your local system. You may name the cert anything you wish; for example, name it root.cer when downloading.
Creating a Certificate Signing Request (CSR) on the SonicWALL device

The SonicWALL GUI for firmware 6.3.x.x and newer includes keypair and CSR generation tools. To create a keypair and a CSR to process with your private CA, open the SonicWALL device GUI, click on the VPN button, and select the Local Certificates tab.

1. Fill out the CSR form in the SonicWALL device and click on Generate

For the most part, you can leave the drop-down boxes at their defaults and fill out each field as suggested by its corresponding drop-down box. An example is below: In the Country field, put the country code abbreviation instead of spelling out the name of the country. In the State field, put the full name of the state instead of the abbreviation. In the Common Name field, put the name for the SonicWALL device. For the Subject Key Size drop-down box, we suggest a key size of 1024 bits. If you do not fill out these fields correctly, your OpenSSL may reject the certificate request.

The optional Subject Alternate Name field can be used to simplify VPN tunnel setup. Select Domain Name or Email-ID from the drop-down box and enter the name or Email-ID of the SonicWALL device. This will allow you to identify peers by their Subject Alternative Name alone, instead of having to paste in the full Subject Distinguished Name. Please note that you must use this alternative name as the peer ID if the peer's local certificate shows one - you can't use the Subject Distinguished Name.

When you have filled out the form, click on the Generate button. This will create a public/private keypair on the SonicWALL, and then ask you to download and save a copy of the CSR in the form of a PKCS#10 file (.p10 file). Save the file to your local system using whatever name you wish; this is the file we'll be submitting to the MS CA server.
2. Submit the CSR to the MS CA

If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to submit the firewall's CSR is via web browser. Log into the MS CA server at http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below). Select the radio button next to "Request a certificate" and click on the Next> button:
Select the radio button next to "Advanced Request" and click on the Next> button.

Select the radio button next to "Submit a certificate request using a base64 encoded PKCS#10 file" and click on the Next> button.

In the Saved Request entry box, paste in the contents of the CSR file you downloaded from the SonicWALL. You will need to open this file with a text editor, copy the contents, and paste them into this box. Or, depending on your browser security settings, you may be able to use the "Browse for a file to insert" feature to directly import the CSR. When done, click on the Submit> button.

If the MS CA server is set for manual approval, you'll get the following message: "Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested." If you see this message, you'll need to wait for the admin of the MS CA server to manually approve your certificate request. (Note: if you're the admin, simply log into the MS CA server with the Certification Authority tool, navigate to the Pending Requests folder, right-click on the certificate request, and select Issue.)

Once the certificate request has been granted, log back into the MS CA with a web browser, select the radio button next to "Check on a pending certificate", and then click the Next> button. Select your cert (it may already be highlighted by default) and then click on the Next> button. You will be presented with the following screen (below). Please note that if the MS CA is set for automatic approval, you'll see this screen immediately after submitting the CSR.
3. Import the CA's root cert and the firewall's cert into the SonicWALL

In the SonicWALL GUI, click on the VPN button and then the CA Certificates tab. From the Certificates drop-down box, select "-Add New CA Certificate-". Navigate to the directory where the CA's cert is located, select the root cert, and click the Import button. An example is below:
In the SonicWALL GUI, click on the VPN button and then the Local Certificates tab. From the Certificates drop-down box, select the name of your in-process certificate. Click on the Browse... button, navigate to the directory where the firewall cert is located, select the firewall cert, and click the Import Certificate button. An example is below:
How to create client keys and certs

The current 1.x version of the SonicWALL Global VPN Client does not have any mechanism for creating a public/private keypair or a certificate signing request (CSR). In order to use third-party certificates with the SonicWALL Global VPN Client, you can use the MS CA to generate these items and then convert the private key and client certificate into PKCS#12 (.pfx) format before importing them.

If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to create the client's keypair and certificate is via web browser. Log into the MS CA server at http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below). Select the radio button next to "Request a certificate" and click on the Next> button:
Select the radio button next to "Advanced request" and click on the Next> button.

Select the radio button next to "Submit a certificate request to this CA using a form" and then click on the Next> button.

Fill out the certificate request form with the unique information for the user's client certificate. This information will be burned into the final certificate. Select "Client Authentication Certificate" from the drop-down box under Intended Purpose, enter 1024 for the key size, and make sure to check "Mark keys as exportable". This last step is extremely important: if you do not check this box, you will not be able to export the private key with the certificate. When done, click on the Submit button at the bottom right-hand of the form:
If the MS CA server is set for manual approval, you'll get the following message: "Your certificate request has been received. However, you must wait for an administrator to issue the certificate you requested." If you see this message, you'll need to wait for the admin of the MS CA server to manually approve your certificate request. (Note: if you're the admin, simply log into the MS CA server with the Certification Authority tool, navigate to the Pending Requests folder, right-click on the certificate request, and select Issue.)

Once the certificate request has been granted, log back into the MS CA with a web browser, select the radio button next to "Check on a pending certificate", and then click the Next> button. Select your cert (it may already be highlighted by default) and then click on the Next> button. You will be presented with the following screen (below). Please note that if the MS CA is set for automatic approval, you'll see this screen immediately after submitting the request.

In order to retrieve the client certificate, you will need to click on the "Install this certificate" link and allow it to install the certificate into the browser you're using. We'll explain why in the next section.
The next steps detail how you can retrieve the private key and client certificate from the web browser. As mentioned in the previous section, it was necessary to install the client certificate directly into the browser. This is because when you used the browser to fill out the client request form, the public/private keypair was actually created in the browser itself. From the Tools menu of the IE browser, select Internet Options. From that menu, select the Content tab and then click on the Certificates button. In the screen that appears, highlight the client certificate and click on the Export button, as seen below:
When the Certificate Export Wizard starts, click on the Next> button. Select the radio button next to "Yes, export the private key" and click on the Next> button:
Select the radio button next to "Personal Information Exchange", check the box next to "Include all certificates in the certification path if possible", check the box next to "Enable strong protection", and then click on the Next> button. You will be prompted to create a password to protect the file. Enter a password, enter it again to confirm, and then click on the Next> button:
You will be prompted for a path to save the file. Enter a path and a name for the exported private key and client certificate, and then click on the Next> button. To complete the export, click on the Finish button. You now have a password-protected private key and client certificate stored in a PKCS#12 (.pfx) file, ready for import into the SonicWALL Global VPN Client. The next section details how to import this file into the client.
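The CSR fields from step 1, the root cert and chain relationship behind step 3, and the password-protected PKCS#12 export from the wizard above, reproduced with OpenSSL as an added example that is not part of the original technote: a constructed self-signed root stands in for the MS CA, the subject values, SAN and password are made up, and openssl 1.1.1 or newer on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not SonicWALL's code. A throwaway self-signed root stands in
# for the MS CA so the whole flow runs offline; openssl 1.1.1+ is assumed.
set -e
WORK=$(mktemp -d)
PASS='constructed-export-password'   # stands in for the export wizard password
SAN='DNS:branch-fw.example.test'     # constructed device name for the SAN
# 1. Stand-in root CA. The technote hands out the real root as DER (root.cer);
#    convert that to PEM the same way before giving it to openssl verify.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Lab Root CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/root.cer"
openssl x509 -inform der -in "$WORK/root.cer" -out "$WORK/root.pem"

# 2. Device CSR with the fields the technote asks for: two-letter country code,
#    full state name, device name as CN, plus the optional SAN (constructed
#    values). 2048-bit RSA is used in place of the 1024 bits the 2003 technote
#    suggests, since current OpenSSL builds and policies commonly reject 1024.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
  -subj '/C=US/ST=California/O=Example Corp/CN=branch-fw' \
  -addext "subjectAltName=$SAN" -out "$WORK/device.p10" 2>/dev/null

# SAN carried by a CSR ("req") or a cert ("x509"): the value a peer ID must match.
san_of() { openssl "$1" -in "$2" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '; }

# 3. Issue the device cert (what the MS CA does on "Issue"), keeping the SAN.
printf 'subjectAltName=%s\n' "$SAN" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/device.p10" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/device.pem" 2>/dev/null

# A cert only authenticates a tunnel peer if it chains to the imported root.
chains_to_root() { openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1; }

# 4. Client key and cert, then the PKCS#12 export with the root included, as the
#    wizard does with "Include all certificates in the certification path".
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
  -subj '/C=US/ST=California/O=Example Corp/CN=jdoe' -out "$WORK/client.p10" 2>/dev/null
openssl x509 -req -in "$WORK/client.p10" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -out "$WORK/client.pem" 2>/dev/null
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
  -certfile "$WORK/ca.pem" -passout "pass:$PASS" -out "$WORK/client.pfx"

# Certs inside a .pfx (expect 2: client + root); the MAC check fails on a wrong password.
pfx_cert_count() { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }
pfx_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }

echo "CSR SAN:  $(san_of req "$WORK/device.p10")"
echo "cert SAN: $(san_of x509 "$WORK/device.pem")"
chains_to_root "$WORK/device.pem" && echo "device cert chains to root.cer"
echo "certs in client.pfx: $(pfx_cert_count "$WORK/client.pfx" "$PASS")"
```

Run the same `openssl verify` against the cert the MS CA actually issued and the root.cer you downloaded to confirm the pair the SonicWALL will trust, and `pfx_opens` against the exported .pfx to confirm the export password before importing it into the Global VPN Client.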
How to load the client key/cert and root cert into the Global VPN Client

Start the SonicWALL Global VPN Client. From the View menu, select Certificate Manager. From the File menu of the Certificate Manager, select Import Certificate. Navigate to where the root cert and client cert files are located and import them both; you will be prompted to enter the export password created in the Certificate Export Wizard. If the import was successful, you should be able to view the client cert and the CA cert. An example is below:
Prepared by SonicWALL, Inc. 04/18/2003 Last Edited: May 2008