Installation of an EV SSL Certificate for SonicWall SSL Offloader


Chained Certificates


All SonicWall SSL Offloaders support chained certificates. After the certificate package is unzipped into its individual certificates, they must be imported into the SonicWall SSL Offloader using the chained certificate commands. The package contains a root certificate and an intermediate CA certificate in addition to the server/domain certificate.


EXAMPLE - Instructions for using OpenSSL


Now that you have received the certificate, unzip the package and separate it into the root, intermediate and server certificates so that you can enter them into the SonicWall SSL Offloader.


Start by unzipping the 5 certificates. You will only need the Intermediate CA files and your Site/Domain certificate.

Launch openssl.exe. This application was installed at the same time and in the same location as the SonicWall configuration manager. You can also run the installer and install only OpenSSL by choosing the 'Custom Installation' option.


Once launched, open the Intermediate CA files (named UTNAddTrustServer_CA.crt, NetworkSolutionsUTNServerCA.crt, and NetworkSolutionsEVSSLCA.crt) and open the Site/Domain certificate file (named "".crt where "" is your domain) in a text editor.

First save the Site/Domain certificate file (e.g. C:\server.pem)


Next copy and paste all of the contents of UTNAddTrustServer_CA.crt into a text editor. Then copy and paste all of the contents of NetworkSolutionsUTNServerCA.crt just after it. Then copy and paste all of the contents of NetworkSolutionsEVSSLCA.crt after that. When copying, you must copy the entire text including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. There should be no whitespace or blank lines.

Save this file (e.g. C:\inter.pem)

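Verify the certificate information with openssl by entering the following at the OpenSSL prompt. Note that x509 prints only the first certificate in a file, so for inter.pem the output covers only the first certificate you pasted.
x509 -in C:\server.pem -text
x509 -in C:\inter.pem -text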
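
The concatenation rules for inter.pem given above (complete BEGIN/END markers, no whitespace or blank lines, three intermediate certificates) can be checked before the file is loaded on the device. The following Python script is an added example, not part of the original article or of any SonicWall tooling; the names check_chain_pem and fake_cert and the sample data are constructed for illustration, and the script checks file structure only, not certificate contents.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_chain_pem(text, expected_certs=3):
    """Return a list of problems found in a concatenated PEM chain file."""
    problems, count, body, inside = [], 0, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            problems.append(f"line {n}: blank line")
            continue
        if line != raw:
            problems.append(f"line {n}: leading or trailing whitespace")
        if "PRIVATE KEY" in line:
            problems.append(f"line {n}: private key marker in chain file")
        elif line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN before previous END")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {n}: END without BEGIN")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                    count += 1
                except ValueError:
                    problems.append(f"line {n}: body is not valid base64")
            inside = False
        elif inside:
            body.append(line)
        else:
            problems.append(f"line {n}: text outside a certificate block")
    if inside:
        problems.append("file ends inside a certificate block (missing END)")
    if count != expected_certs:
        problems.append(f"found {count} complete certificates, expected {expected_certs}")
    return problems

def fake_cert(label):
    # Constructed placeholder: valid base64, not a real certificate.
    body = base64.b64encode(f"constructed sample {label}".encode() * 3).decode()
    return f"{BEGIN}\n{body}\n{END}\n"

GOOD_CHAIN = fake_cert("A") + fake_cert("B") + fake_cert("C")
# Constructed bad input: blank line after the first cert, second cert missing END.
BAD_CHAIN = fake_cert("A") + "\n" + fake_cert("B").replace(END + "\n", "") + fake_cert("C")
```

To check a real file, pass its contents to check_chain_pem, for example check_chain_pem(open(r"C:\inter.pem").read()); an empty list means the structure matches the rules above.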


EXAMPLE - Setting Up the Chained Certificates


Now that you have the proper certificates, start by loading the certificates into certificate objects. These separate certificate objects are then loaded into a certificate group. This example demonstrates how to load two certificates into individual certificate objects, create a certificate group, and enable the use of the group as a certificate chain. The name of the Transaction Security device is myDevice. The name of the secure logical server is server1. The name of the PEM-encoded, CA-generated certificate is server.pem; the name of the PEM-encoded certificate is inter.pem. The names of the recognized and local certificate objects are trustedCert and myCert, respectively. The name of the certificate group is CACertGroup.

Start the configuration manager as described in the manual.

Attach the configuration manager and enter Configuration mode. (If an attach or configuration-level password is assigned to the device, you are prompted to enter any passwords.)
inxcfg> attach myDevice
inxcfg> configure myDevice


Enter SSL Configuration mode and create an intermediary certificate named CACert, entering into Certificate Configuration mode. Load the PEM-encoded file into the certificate object, and return to SSL Configuration mode.
(config[myDevice])> ssl
(config-ssl[myDevice])> cert myCert create
(config-ssl-cert[CACert])> pem inter.pem
(config-ssl-cert[CACert])> end


Enter Key Association Configuration mode, load the PEM-encoded CA certificate and private key files, and return to SSL Configuration mode.
(config-ssl[myDevice])> keyassoc localKeyAssoc create
(config-ssl-keyassoc[localKeyAssoc])> pem server.pem key.pem
(config-ssl-keyassoc[localKeyAssoc])> end

Enter Certificate Group Configuration mode, create the certificate group CACertGroup, load the certificate object CACert, and return to SSL Configuration mode.
(config-ssl[myDevice])> certgroup CACertGroup create
(config-ssl-certgroup[CACertGroup])> cert myCert
(config-ssl-certgroup[CACertGroup])> end


Enter Server Configuration mode, create the logical secure server server1, assign an IP address, SSL and clear text ports, a security policy myPol, the certificate group CACertGroup, key association localKeyAssoc, and exit to Top Level mode.
(config-ssl[myDevice])> server server1 create
(config-ssl-server[server1])> ip address netmask
(config-ssl-server[server1])> sslport 443
(config-ssl-server[server1])> remoteport 81
(config-ssl-server[server1])> secpolicy myPol
(config-ssl-server[server1])> certgroup chain CACertGroup
(config-ssl-server[server1])> keyassoc localKeyAssoc
(config-ssl-server[server1])> end
(config-ssl[myDevice])> end
(config[myDevice])> end


Save the configuration to flash memory. If it is not saved, the configuration is lost during a power cycle or if the reload command is used.
inxcfg> write flash myDevice



Additional documents and technical notes on SonicWALL SSL can be found online at