This document provides instructions for installing SSL Certificates. If you are unable to use these instructions for your server, Symantec recommends that you contact either the vendor of your software or an organization that supports SSL Offloaders.
Step 1: Download the Intermediate CA certificate
- Download the Intermediate CA certificate from this link.
- Select the Managed PKI for SSL tab.
- Select the appropriate Intermediate CA certificate based on your SSL certificate product type.
NOTE: To check which certificate type you have purchased, follow the steps from this link.
- Copy the Intermediate CA certificate and paste it into a Notepad or Vi document.
- Make sure there are 5 dashes on either side of BEGIN CERTIFICATE and END CERTIFICATE, and that no white space, extra line breaks or additional characters have been inadvertently added.
- Save the file as intermediate_ca.pem
Step 2: Obtain the SSL Certificate
- Once your Managed PKI for SSL administrator has approved your certificate request, you will receive an email containing a certificate download link. The certificate is also attached to the email (cert.cer) and included in the body of the email itself.
- Copy the certificate embedded in the body of the email and paste it into a text file using Vi or Notepad.
NOTE: Do not use Microsoft Word or other word processing programs that may add characters. Confirm that there are no extra lines or spaces in the file.
The text file should look like:
NOTE: Click here to download the certificate from your Managed PKI for SSL subscriber services page.
Please select X.509 as a certificate format and copy only the End Entity Certificate.
- Save the certificate as YourDomain.pem
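The file checks from Steps 1 and 2 (five dashes on each boundary, no stray white space, blank lines or extra characters) can be automated before the files are loaded onto the device. The following is an added example, not part of the original instructions: the function name check_pem and the GOOD and BAD samples are assumptions made here, the sample body is placeholder bytes rather than a real certificate, and the check expects one certificate per file and does not parse the X.509 content.

```python
import base64
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_pem(text):
    """Return a list of problems found in a pasted single-certificate PEM file."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a byte-order mark")
        text = text.lstrip("\ufeff")
    body, state = [], "before"
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if line != stripped:
            problems.append(f"line {n}: leading or trailing white space")
        if stripped == "":
            problems.append(f"line {n}: blank line")
        elif "CERTIFICATE" in stripped:
            # First boundary must be BEGIN, the next one END, each with 5 dashes.
            expected = BEGIN if state == "before" else END
            if stripped != expected:
                problems.append(f"line {n}: boundary is not exactly {expected!r}")
            state = "inside" if state == "before" else "after"
        elif state == "inside":
            body.append(stripped)
        else:
            problems.append(f"line {n}: text outside the certificate block")
    if state != "after":
        problems.append("BEGIN/END CERTIFICATE pair is incomplete")
    try:
        if not base64.b64decode("".join(body), validate=True):
            problems.append("certificate body is empty")
    except ValueError:
        problems.append("certificate body is not valid base64")
    return problems

# Constructed samples: the body is placeholder bytes, not a real certificate.
_b64 = base64.b64encode(bytes(range(96))).decode()
GOOD = "\n".join([BEGIN, _b64[:64], _b64[64:], END]) + "\n"
# Typical paste damage: four leading dashes, a trailing space, a blank line.
BAD = GOOD.replace(BEGIN, BEGIN[1:]).replace(_b64[:64], _b64[:64] + " \n")

if __name__ == "__main__":
    # Usage: python check_pem.py intermediate_ca.pem YourDomain.pem
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            found = check_pem(fh.read())
        print(path, "OK" if not found else "\n  " + "\n  ".join(found))
```
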
Step 3: Set up the chained certificate
- Now that you have the proper certificates, load the certificates into certificate objects.
- These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain.
NOTE: In the example, the name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded certificate for your domain name is YourDomain.pem; the name of the PEM-encoded certificate chain is intermediate_ca.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.
- Start the configuration manager.
- Attach the configuration manager and enter Configuration mode. (If an attach or configuration level password is assigned to the device, you are prompted to enter any passwords.)
inxcfg> attach myDevice
inxcfg> configure myDevice
- Enter SSL Configuration mode and create an Intermediate certificate named CACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.
(config-ssl[myDevice])> cert CACert create
(config-ssl-cert[CACert])> pem intermediate_ca.pem
- Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem YourDomain.pem key.pem
- Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert CACert
- Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, a security policy myPol, the certificate group CACertGroup, key association localKeyAssoc, and exit to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address 10.1.2.4 netmask 255.255.0.0
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
- Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice
- To verify that your certificate is installed correctly, use the DigiCert Checker.
Sonicwall SSL Offloader
For more information, see Dell Software and Security Support.