Importing a Global Server Certificate from Verisign and other PKCS#7 certificates into the SonicWALL SSL Accelerator

Transcription

1 Importing a Global Server Certificate from Verisign and other PKCS#7 certificates into the SonicWALL SSL Accelerator Introduction When obtaining a 128 bit SSL certificate, the choice for many are Step-Up certificates from Verisign and other vendors. When this type of certificate is sent from the certificate authority, the format is often in PKCS#7. This document will describe the process for importing a Global Server ID from Verisign and other PKCS#7 certificates into the SonicWALL SSL appliances via the configuration manager. What are Step-Up Certificates Step-up certificate is the generic name given to a class of certificates that allow export versions of browsers to support 128 SSL cryptography. In the past, browsers destined for outside the United States were limited to 40-bit cryptography. Certain certificate Authorities have obtained a special license from the US government to issue certificates that enable international versions of the browsers to do 128-bit encryption. This license allows them to issue Strong Encryption Certificates to enable strongly (128-bit) encrypted communications for international browsers. US domestic versions of all browsers should always give you 128-bit security, but your server must support 128 bit, and you must have generated a 1024 bit key. The different certificate authorities have different names for these types of certificates. For example, Verisign calls them Global Server ID, Microsoft call them Microsoft Server Gated Cryptography and Netscape uses the term SuperCert as the name. For the most part, the products contain the same features. What are Chained Certificates All SonicWALL Transaction Security devices support chained certificates. Chained certificates are used in several circumstances such as when a known, accepted certificate authority (CA) provides a certificate to attest that certificates created by a non-recognized party can be trusted. For example, a company may create its own certificates for internal use only; however, clients will not accept the certificates because a known CA has not created them. By chaining the trusted CA's certificate with private certificates, clients accept the internal certificates during SSL negotiations. Once the PKCS#7 certificate is separated into multiple certificates, prior to importing into the SSL appliance, the certificate will need to be imported using the chained certificate commands. The PKCS#7 certificate will have one or more intermediate certificates in addition to the CA server certificate.

2 Where to Begin Once you have submitted a certificate-signing request (CSR) according to the directions given by Verisign, you will receive an similar to the one below. Example PKCS#7 Certificate -----Original Message----- From: someone@verisign.com [mailto:someone@verisign.com] Sent: Thursday, February 29, :53 PM To: you@yourcompany.com Subject: Your Digital ID is ready Dear Applicant, Your Administrator has approved your request for a Server OnSite Class 3 Global Server ID. If you have any questions or problems, please contact your Administrator by replying to this message. THE COMMON NAME OF THIS CERTIFICATE: THE ORGANIZATION OF THIS CERTIFICATE: YOURCOMPANY INC. THE ORGANIZATION UNIT OF THIS CERTIFICATE: WEB1 Your VeriSign Global Server ID, is included within this message. VeriSign has digitally signed your Certificate, providing assurance that your certificate has not been damaged or changed without detection. The procedures for installing a Global Server ID differ substantially depending on which Web Server software package you are using. In particular, certain web server packages (such as Microsoft IIS) require that you install a single, integrated PCKS#7 chain. Other web server packages (such as Netscape Navigator) require that you install two certificates--a Server Certificate and an Intermediate CA Certificate. For installation instructions for your Global Server ID, please refer to : *********************************************** *********************************************** CERTIFICATES BEGIN HERE INTERMEDIATE CA CERTIFICATE (note - this is also referred to as SERVER CERT CHAIN-YOU DO NOT NEED THIS CERTIFICATE IF YOU ARE USING MICROSOFT IIS) -----BEGIN CERTIFICATE----- MIIFKDCCBJGgAwIBAgIQVl7d2FmYuFiBKMEpwN8MFjANBgkqhkiG9w0BAQQFADCB ujefmb0ga1uechmwvmvyavnpz24gvhj1c3qgtmv0d29yazexmbuga1uecxmovmvy avnpz24sieluyy4xmzaxbgnvbastklzlcmltawduieludgvybmf0aw9uywwgu2vy dmvyienbic0gq2xhc3mgmzfjmecga1uecxnad3d3lnzlcmlzawdulmnvbs9dufmg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w MTA0MjYwMDAwMDBaFw0wMjA0MjYyMzU5NTlaMH8xCzAJBgNVBAYTAlVTMQ4wDAYD

3 VQQIEwVUZXhhczEPMA0GA1UEBxQGSXJ2aW5nMSMwIQYDVQQKFBpWZXJpem9uIERh dgegu2vydmljzxmgsw5jljeomawga1uecxqfc3nscjexgjaybgnvbamuexd3dziw LnZlcml6b24uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPsGs5C5lN aywsmdsqehq41psnfqsikbvk8nifhoyrxkrposkasamm9f17xaopaunmvushl8oe MspBXsqL9wnFohWyJnxI0XA9e8RLnYyV2LvyzJh77VFdvyF0UWkmyVGJj+Iw/1/D X3T0ruwD1pSPnl5/d/sfkQfB07gIQEGzGQIDAQABo4ICZzCCAmMwCQYDVR0TBAIw ADCCAh8GA1UdAwSCAhYwggISMIICDjCCAgoGC2CGSAGG+EUBBwEBMIIB+RaCAadU aglzignlcnrpzmljyxrligluy29ycg9yyxrlcybiesbyzwzlcmvuy2usigfuzcbp dhmgdxnliglzihn0cmljdgx5ihn1ymply3qgdg8sihrozsbwzxjpu2lnbibdzxj0 awzpy2f0aw9uifbyywn0awnlifn0yxrlbwvudcaoq1btkswgyxzhawxhymxligf0 OiBodHRwczovL3d3dy52ZXJpc2lnbi5jb20vQ1BTOyBieSBFLW1haWwgYXQgQ1BT LXJlcXVlc3RzQHZlcmlzaWduLmNvbTsgb3IgYnkgbWFpbCBhdCBWZXJpU2lnbiwg SW5jLiwgMjU5MyBDb2FzdCBBdmUuLCBNb3VudGFpbiBWaWV3LCBDQSA5NDA0MyBV U0EgVGVsLiArMSAoNDE1KSA5NjEtODgzMCBDb3B5cmlnaHQgKGMpIDE5OTYgVmVy avnpz24sieluyy4giefsbcbsawdodhmgumvzzxj2zwquienfulrbsu4gv0fsukfo VElFUyBESVNDTEFJTUVEIGFuZCBMSUFCSUxJVFkgTElNSVRFRC6gDgYMYIZIAYb4 RQEHAQEBoQ4GDGCGSAGG+EUBBwEBAjAsMCoWKGh0dHBzOi8vd3d3LnZlcmlzaWdu LmNvbS9yZXBvc2l0b3J5L0NQUyAwEQYJYIZIAYb4QgEBBAQDAgZAMCAGA1UdJQQZ MBcGCWCGSAGG+EIEAQYKKwYBBAGCNwoDAzANBgkqhkiG9w0BAQQFAAOBgQCCeKcS 4nDccG5gLgHsqOpAXkjV4PrP5ldCPWbF+xNq2r7JqZVJXbc5yTb4WP0HYBKekn6H zn4pw+pukl3/zmzehvghfcpfl+fjtczk5urm5boij5lq1ge3rqxelyt+cg9cpr+q 1DSmw0H1AHk4l3z271nqOIsj3/fNxqnlgW1LNg== -----END CERTIFICATE----- SERVER SUBSCRIBER CERTIFICATE -----BEGIN CERTIFICATE----- MIIJzQYJKoZIhvcNAQcCoIIJvjCCCboCAQExADALBgkqhkiG9w0BBwGgggmiMIIF KDCCBJGgAwIBAgIQVl7d2FmYuFiBKMEpwN8MFjANBgkqhkiG9w0BAQQFADCBujEf MB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNp Z24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVy IENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5j b3jwlmj5ifjlzi4gtelbqklmsvrziexurc4oyyk5nybwzxjpu2lnbjaefw0wmta0 MjYwMDAwMDBaFw0wMjA0MjYyMzU5NTlaMH8xCzAJBgNVBAYTAlVTMQ4wDAYDVQQI EwVUZXhhczEPMA0GA1UEBxQGSXJ2aW5nMSMwIQYDVQQKFBpWZXJpem9uIERhdGEg U2VydmljZXMgSW5jLjEOMAwGA1UECxQFc3NscjExGjAYBgNVBAMUEXd3dzIwLnZl cml6b24uy29tmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqdpsgs5c5lnayws MdSqehQ41psNfqSiKBVk8nifhoyrXKrPoSKASamM9f17xaopauNmvUshL8oEMspB XsqL9wnFohWyJnxI0XA9e8RLnYyV2LvyzJh77VFdvyF0UWkmyVGJj+Iw/1/DX3T0 ruwd1pspnl5/d/sfkqfb07giqegzgqidaqabo4iczzccammwcqydvr0tbaiwadcc Ah8GA1UdAwSCAhYwggISMIICDjCCAgoGC2CGSAGG+EUBBwEBMIIB+RaCAadUaGlz IGNlcnRpZmljYXRlIGluY29ycG9yYXRlcyBieSByZWZlcmVuY2UsIGFuZCBpdHMg dxnliglzihn0cmljdgx5ihn1ymply3qgdg8sihrozsbwzxjpu2lnbibdzxj0awzp Y2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudCAoQ1BTKSwgYXZhaWxhYmxlIGF0OiBo dhrwczovl3d3dy52zxjpc2lnbi5jb20vq1btoybiesbflw1hawwgyxqgq1btlxjl cxvlc3rzqhzlcmlzawdulmnvbtsgb3igynkgbwfpbcbhdcbwzxjpu2lnbiwgsw5j LiwgMjU5MyBDb2FzdCBBdmUuLCBNb3VudGFpbiBWaWV3LCBDQSA5NDA0MyBVU0Eg VGVsLiArMSAoNDE1KSA5NjEtODgzMCBDb3B5cmlnaHQgKGMpIDE5OTYgVmVyaVNp Z24sIEluYy4gIEFsbCBSaWdodHMgUmVzZXJ2ZWQuIENFUlRBSU4gV0FSUkFOVElF UyBESVNDTEFJTUVEIGFuZCBMSUFCSUxJVFkgTElNSVRFRC6gDgYMYIZIAYb4RQEH AQEBoQ4GDGCGSAGG+EUBBwEBAjAsMCoWKGh0dHBzOi8vd3d3LnZlcmlzaWduLmNv bs9yzxbvc2l0b3j5l0nquyaweqyjyiziayb4qgebbaqdagzamcaga1udjqqzmbcg CWCGSAGG+EIEAQYKKwYBBAGCNwoDAzANBgkqhkiG9w0BAQQFAAOBgQCCeKcS4nDc cg5glghsqopaxkjv4prp5ldcpwbf+xnq2r7jqzvjxbc5ytb4wp0hybkekn6hzn4p W+Pukl3/ZmZeHvghfCPfL+FjTCZk5urm5BOIJ5lq1GE3RqXeLyT+cG9CPr+Q1DSm w0h1ahk4l3z271nqoisj3/fnxqnlgw1lnjccbhiwggpboamcaqicecg0mo7jthui A6REZjhkq/kwDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoT DlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5

4 IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk3MDQxNzAwMDAwMFoXDTA0MDEw NzIzNTk1OVowgboxHzAdBgNVBAoTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxFzAV BgNVBAsTDlZlcmlTaWduLCBJbmMuMTMwMQYDVQQLEypWZXJpU2lnbiBJbnRlcm5h dglvbmfsifnlcnzlcibdqsatiensyxnzidmxstbhbgnvbastqhd3dy52zxjpc2ln bi5jb20vq1btieluy29ycc5iesbszwyuiexjqujjteluwsbmvequkgmpotcgvmvy avnpz24wgz8wdqyjkozihvcnaqebbqadgy0amigjaogbanicgojwgqj9h4uyoswi ZSvhv9QF07zmNjuq8ExsW7bnqjxzRVWy8b3ql0LtmjQKFdSpXPVAJd3ZB8EysnVs xmq7o/5wj3fdqmp1md6tkox68qk787dntjn3xelaumed07kk/nawlull/itri1o8 OvkiT5CyAqdTnE8056sEsntvAgMBAAGjggHRMIIBzTALBgNVHQ8EBAMCAQYwEQYJ YIZIAYb4QgEBBAQDAgEGMDUGA1UdHwQuMCwwKqAooCaGJGh0dHA6Ly9jcmwudmVy axnpz24uy29tl3bjytmums4xlmnybdaqbgnvhsueizahbgpghkgbhvhfaqgbbglg hkgbhvhcbaegccsgaqufbwmbmiibnqydvr0gbiibldccasgwggekbgtghkgbhvhf AQcBATCCARMwKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9D UFMwgeYGCCsGAQUFBwICMIHZMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEagb9WZXJp U2lnbidzIENlcnRpZmljYXRpb24gUHJhY3RpY2UgU3RhdGVtZW50LCB3d3cudmVy axnpz24uy29tl0nquywgz292zxjucyb0aglzignlcnrpzmljyxrlicygaxmgaw5j b3jwb3jhdgvkigj5ihjlzmvyzw5jzsbozxjlaw4uifnptuugv0fsukfovelfuybe SVNDTEFJTUVEICYgTElBQklMSVRZIExURC4gKGMpMTk5NyBWZXJpU2lnbjAPBgNV HRMECDAGAQH/AgEAMA0GCSqGSIb3DQEBAgUAA4GBAAUjOBXu6wB3drXDPWBT3Dx9 cnggc8rrp0++eymyyh3gqzbwddlkg939yd7jk6mltczblokeijts3wowvi2th2jv UUJDzI+Ak9fQCihzCKNHFQ65LDPunEJ7s/iT89sOwO4kYZVtXdrpS27uAGQ+28NR F8J0I4K3O/YP7Y8/Yo0/MQA= -----END CERTIFICATE----- EXAMPLE - Instructions for using OpenSSL Now that you have received the certificate, we need to break the certificate up into the intermediate certificate and the server certificate so that we can enter them into the SonicWALL SSL appliance. 1. Start by saving the second certificate in the , the one following the text "SERVER SUBSCRIBER CERTIFICATE", to a file (e.g. /home/user/fullcert or C:\fullcert) 2. Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWALL configuration manager. You can also run the install and just install OpenSSL by choosing the Custom Installation option. 3. Once launched, you will need to issue the following commands: (To output to the screen for screen cut and paste) pkcs7 -in C:\fullcert -print_certs Or (To output to a file for later cut and paste) pkcs7 -in C:\fullcert -print_certs -out C:\outfile This will output two x509v3 certificates. 4. Subject and Issuer information will be included in the output. Ignore this, and cut and paste only the "BEGIN CERTIFICATE" and "END CERTIFICATE" information on both certs. 5. The first cert should be the server cert. The second should be the intermediary cert. Save these files (e.g. C:\server.pem and C:\inter.pem) 6. Verify the certificate information with openssl:

5 x509 -in C:\server.pem -text (and) x509 -in :C\inter.pem -text EXAMPLE - Setting Up the Chained Certificates Now that you have the proper certificates, you start by loading the certificates into certificate objects. These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security device is mydevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA-generated certificate is server.pem; the name of the PEM-encoded locally generated certificate is inter.pem. The names of the recognized and local certificate objects are trustedcert and mycert, respectively. The name of the certificate group is CACertGroup. 1. Start the configuration manager as described in the manual. 2. Attach the configuration manager and enter Configuration mode. (If an attach-or configuration-level password is assigned to the device, you are prompted to enter any passwords.) inxcfg> attach mydevice inxcfg> configure mydevice (config[mydevice])> 3. Enter SSL Configuration mode and create an intermediary certificate named CACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode. (config[mydevice])> ssl (config-ssl[mydevice])> cert mycert create (config-ssl-cert[cacert])> pem inter.pem (config-ssl-cert[cacert])> end (config-ssl[mydevice])> 4. Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode. (config-ssl[mydevice])> keyassoc localkeyassoc create (config-ssl-keyassoc[localkeyassoc])> pem server.pem key.pem (config-ssl-keyassoc[localkeyassoc])> end (config-ssl[mydevice])> 5. Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode. (config-ssl[mydevice])> certgroup CACertGroup create (config-ssl-certgroup[cacertgroup])> cert mycert (config-ssl-certgroup[cacertgroup])> end (config-ssl[mydevice])>

6 6. Enter Server Configuration mode, create the logical secure server server1,assign an IP address, SSL and clear text ports, a security policy mypol, the certificate group CACertGroup, key association localkeyassoc, and exit to Top Level mode. (config-ssl[mydevice])> server server1 create (config-ssl-server[server1])> ip address netmask (config-ssl-server[server1])> sslport 443 (config-ssl-server[server1])> remoteport 81 (config-ssl-server[server1])> secpolicy mypol (config-ssl-server[server1])> certgroup chain CACertGroup (config-ssl-server[server1])> keyassoc localkeyassoc (config-ssl-server[server1])> end (config-ssl[mydevice])> end (config[mydevice])> end inxcfg> 7. Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used. inxcfg> write flash mydevice inxcfg> Summary Once the PKCS#7 certificate is separated into the intermediate certificate and the server certificate, importing the chained certificates via the SonicWALL configuration manager is a simple process. Although this document refers specifically to the Verisign Global Server ID, the process is similar for any PKCS#7 formatted certificate. If you have any questions regarding this document and the process involved, please contact SonicWALL Technical Support between the hours of 8:30 AM and 5:30 PM Pacific Standard Time, Monday through Friday. Phone:(408) Fax:(408) Web:<