Acquiring Certificate for SonicWall VPN Connection
Using digital certificates for authentication is usually considered more secure than using a VPN's pre-shared keys. Digital certificates are one of the methods commonly used to authenticate two peer devices while establishing an IPsec VPN tunnel; the other option is IKE with pre-shared keys. Some of the features of certificate-based IKE authentication in a SonicWall VPN connection include:
- A digital certificate that is provided by a third party CA such as Verisign.
- The SonicWall administrator can create a CSR and have it signed by the CA.
- Both parties need to trust the certificate's issuer.
This article will guide you through acquiring certificates for a SonicWall VPN connection. The certificate signing process described here uses the Windows Server 2008 CA.
Creating A Certificate Signing Request
- You will need to start by logging into SonicWall’s management GUI.
- Click on System and then open the Certificate page.
- Navigate to New Signing Request in order to create the CSR
- Click Generate in order to save
- Refresh that page
- Click download
How to Get A Certificate For The WAN GroupVPN Configuration
- In your browser, go to the Microsoft Windows certificate enrollment page. You can find it at http:///CertSrv
- You will be prompted to authenticate. Enter your username and password.
- You can now go to Request a certificate > Advanced certificate request
- Copy the CSR's content into the Saved Request box.
- Click on Certificate Template and choose Administrator. Note that the Web Server or User template can also be chosen.
- You can enter san:email=local-part@domain.com or san:dns=yourdomainname.com. After clicking Submit, you will go to the next page, where you can click Download Certificate. This lets you save the signed certificate to disk.
Downloading CA Certificate
- Visit the Microsoft Windows certificate enrollment page at http:///CertSrv
- Click on Download CA certificate
- Move to the next page and again click Download CA certificate. You can save it to your disk
You can then go to the SonicWall VPN connection and use the button under the pending CSR request to upload the signed certificate. To establish trust and validate the signed certificate, import the downloaded CA certificate as well.
Getting Certificate for The GVC Clients
- Go to http:///CertSrv. This is the certificate enrollment page for Microsoft Windows.
- You will be asked to authenticate. Enter the username and password of the domain user
- You can request the certificate
- Click on advanced certificate request
- Go to certificate template and choose User or Administrator
Bear in mind that for a site-to-site VPN or GVC, the Key Usage extension, where present, should include Digital Signature as well as Non-Repudiation, and the Extended Key Usage (EKU), where present, needs to include Client Authentication. If you are using L2TP or IPsec VPN and Key Usage is present, make sure it includes Digital Signature and/or Non-Repudiation.
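The Key Usage and EKU conditions above can be checked on a signed certificate before it is uploaded. The following is an added example, not part of the original article or of SonicWall's tooling: it assumes the openssl command-line tool is installed and parses its `-text` output. The profile names and both sample outputs are constructed for illustration.

```python
import re
import subprocess

KU_WANTED = {"Digital Signature", "Non Repudiation"}  # names as openssl prints them
EKU_CLIENT = "TLS Web Client Authentication"          # openssl's label for clientAuth

def cert_text(path, inform="PEM"):
    """Dump a certificate via the openssl CLI (assumed installed); inform='DER' for binary files."""
    cmd = ["openssl", "x509", "-in", path, "-inform", inform, "-noout", "-text"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def extension_values(text, name):
    """Return the set of values under 'X509v3 <name>:', or None if the extension is absent."""
    m = re.search(r"X509v3 %s:[^\n]*\n\s*([^\n]+)" % re.escape(name), text)
    return None if m is None else {v.strip() for v in m.group(1).split(",")}

def check_usage(text, profile):
    """profile: 'site-to-site-or-gvc' or 'l2tp-ipsec' (hypothetical names). Returns a list of problems."""
    problems = []
    ku = extension_values(text, "Key Usage")
    eku = extension_values(text, "Extended Key Usage")
    if ku is not None:  # "where present": an absent extension is not a failure
        if profile == "site-to-site-or-gvc" and not KU_WANTED <= ku:
            problems.append("Key Usage lacks: " + ", ".join(sorted(KU_WANTED - ku)))
        if profile == "l2tp-ipsec" and not (KU_WANTED & ku):
            problems.append("Key Usage has neither Digital Signature nor Non Repudiation")
    if profile == "site-to-site-or-gvc" and eku is not None and EKU_CLIENT not in eku:
        problems.append("Extended Key Usage lacks Client Authentication")
    return problems

# Constructed samples of the relevant part of `openssl x509 -noout -text` output.
SAMPLE_CLIENT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
"""
SAMPLE_SERVER = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""

if __name__ == "__main__":
    for label, sample in (("client", SAMPLE_CLIENT), ("server", SAMPLE_SERVER)):
        for profile in ("site-to-site-or-gvc", "l2tp-ipsec"):
            print(label, profile, check_usage(sample, profile) or "OK")
```

For a real file, pass `cert_text("signed.cer")` (a placeholder file name) as the first argument to `check_usage`.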