How to Obtain a Certificate from a Windows Certificate Authority (CA)

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8907&p=t 1 of 10 3/10/2013 6:15 AM

Upload: abhay-singh

Post on 29-Nov-2015


Article Applies To:

Affected SonicWALL Security Appliance Platforms:

Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240

Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless

Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260

Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless

Firmware/Software Version: Sonic OS Enhanced

Services: Certificates

Feature:

This article describes how to obtain a certificate from an internal CA for the purpose of SonicWALL Web Management.

Deployment Prerequisites:

Microsoft Windows Active Directory Services installed and configured.

Microsoft Certificate Services installed and configured.

Microsoft Internet Information Services (IIS) 7.0 installed and configured.

Deployment Steps:

Step 1. Exporting the CA Certificate from the Active Directory Server

Step 2. Importing the CA Certificate onto the SonicWALL

Step 3. Creating a New Signing Request in SonicWALL Appliance

Step 4. Requesting certificate for the new signing Request by the MS Certificate Authority

Step 5. Validating the Certificate on the SonicWALL Appliance

How to Test

Procedure

Step 1: Exporting the Root CA Certificate from the Active Directory (AD) Server

1. In the AD server, launch the Certificate Authority application by Start > Run > certsrv.msc.

2. Right click on the CA you created and select Properties.

3. On the General tab, click the View Certificate button.

4. On the Details tab, select Copy to File.

5. Follow through the wizard, and select the DER encoded binary X.509 (.cer) format.

6. Click browse and specify a path and filename to save the certificate.

7. Click on the Next button and click on Finish


Step 2: Importing the CA Certificate onto the SonicWALL

To import the CA certificate onto the SonicWALL:

1. Navigate to System > Certificates.

2. Click on Import. Select the certificate file you just exported.

3. Select Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file.

4. Click on Browse and Select the certificate file you just exported from the MS Certificate Authority.

5. Once the root certificate is selected, Click on the import button.

6. Once the CA root certificate is imported, it will be listed under the System > Certificates page with Type as CA Certificate


Step 3: Creating a Certificate Signing Request (CSR) in SonicWALL Appliance

To create a new signing request in SonicWALL:

1. Browse to System > CA Certificates

2. Click on New Signing Request


3. Fill out the CSR form in the SonicWALL device and click on ‘Generate’. For the most part, you can leave the drop-down boxes at their defaults and fill out each field as suggested by its corresponding drop-down box. An example is below:

4. Refresh the page and the type will be changed to Pending Request.

5. Click on the Export button and save the file to your local system using whatever name you wish – this file will be submitted to the MS CA.


Step 4: Requesting a certificate for the CSR from the MS Certificate Authority

If the MS CA server is running IIS (and the admin has allowed access to this interface), the easiest way to submit the firewall’s CSR is via a web browser.

1. Open a browser and enter ‘http://x.x.x.x/certsrv/’ (replace x.x.x.x with the IP address of your MS CA server). You will be presented with the certificate services interface (see below).

2. Select the task Request a Certificate

3. Click on advanced certificate request.

4. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

5. Copy and paste the contents of the CSR in the Saved Request box.

6. Select Web Server under Certificate Template.


7. Select DER encoded and click on Download Certificate. Save the file to your local system using whatever name you wish – this file will be imported into the SonicWALL appliance.

Step 5: Validating the Certificate on the SonicWALL Appliance

To validate the Certificate on the SonicWALL Appliance:

1. Navigate to the System > Certificates page.

2. Click on Upload Signed certificate for the certificate that has Type Pending request.


3. Browse for the downloaded file from the CA and click on Upload

4. Once the certificate has been uploaded, the certificate will show Type as Local Certificate and Validated as YES


How to Test:

Now that a signed certificate has been imported into the SonicWALL, it can be used for HTTPS management of SonicWALL interfaces as well as for SSL-VPN. To set the imported certificate as the management certificate, perform the following steps:

1. Navigate to System > Administration.

2. Under the Web Management Settings section, select the imported certificate under Certificate Selection.

3. Click on Accept to save the changes.

When logging into the SonicWALL after importing the signed certificate you may receive the following browser errors:


Error: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority" - You get this error because the issuing CA certificate is not in the certificate store of the browser. To resolve it, install the certificate in the certificate store of the browser.

Error: "The name on the security certificate is invalid or does not match the name of the site" - You get this error because you are accessing the site using a different name from the certificate Common Name (CN) you entered when creating the Certificate Signing Request (CSR). In the above example the SonicWALL is being accessed using an IP address although the CN in the certificate is sonicwall.local (see above). You have two options to overcome this error:

1. When creating the CSR enter the CN as 192.168.168.168

2. Map the IP address of the SonicWALL to the CN.
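
The name-mismatch error comes down to how a client compares the name it connected to with the names carried in the certificate. The sketch below is an added example, not part of the original KB article; the function names, the `legacy_cn_fallback` switch and the sample values in the demo are assumptions made for illustration. It goes slightly beyond the article by also modelling subjectAltName (SAN) entries, which current browsers check instead of the CN.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive DNS comparison; '*' may stand in only for the
    whole left-most label of a pattern with at least three labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def name_matches(host, cn, san_dns=(), san_ip=(), legacy_cn_fallback=False):
    """True if a client that connected to `host` accepts the certificate names."""
    if _is_ip(host):
        # An IP address is compared only against iPAddress SAN entries.
        target = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == target for ip in san_ip):
            return True
    elif any(_dns_match(name, host) for name in san_dns):
        return True
    # Older clients fall back to the CN, and only when no SAN is present.
    if legacy_cn_fallback and not san_dns and not san_ip:
        return cn == host if _is_ip(host) else _dns_match(cn, host)
    return False

if __name__ == "__main__":
    # Constructed cases mirroring the article: (host browsed to, CN, SAN DNS, SAN IP)
    cases = [
        ("192.168.168.168", "sonicwall.local", (), ()),                     # the error case
        ("192.168.168.168", "192.168.168.168", (), ()),                     # option 1
        ("sonicwall.local", "sonicwall.local", (), ()),                     # option 2
        ("sonicwall.local", "sonicwall.local", ("sonicwall.local",), ()),   # SAN present
    ]
    for host, cn, dns, ips in cases:
        print(host, cn, "legacy:", name_matches(host, cn, dns, ips, True),
              "strict:", name_matches(host, cn, dns, ips, False))
```

Both options from the article pass only on the CN-fallback path; a client that ignores the CN accepts the certificate only when the name or address it connects to appears in a SAN entry.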

KBID 8907

Date Modified 6/17/2011

Date Created 6/10/2011
