
Installing Wildcard SSL Certificates

Our SSL certificates were up for renewal, so we began to investigate the most cost-effective method for our multiple SSL certificates.  We had two separate certificates, one for SSL-VPN and one for our Exchange server, and expected to need additional certificates.  This led us to the decision to purchase a Wildcard Certificate, which allows us to use it for anything that is a subdomain of our primary domain name.

We have an SSL-VPN 2000, but SonicWall doesn’t really have any documentation addressing the use of wildcard certificates on this appliance.  Their documentation is fairly straightforward on how to request and import a normal certificate but makes no mention of using a Wildcard Cert.  Since the SSL-VPN’s certificate was going to expire sooner than our Exchange server’s, and since the process to import a certificate on the SonicWall is a little more complex than on Windows IIS6, we decided to start with the request from the SSL-VPN box.

The process to request and install the Certificate on the SSL-VPN 2000 is as follows:

  • Create a Backup of the SSL-VPN Appliance
  • Go to the System > Certificates page and click on the Generate CSR button.
  • Complete the CSR window. 
  • Enter the Fully Qualified Domain Name as *.domain.org
  • Enter your organization’s name as registered name with the State. 
    • Our first submission to the CA failed because we entered the organization name as Northwoods Community Church but the CA required our request to be entered under the name Northwoods Community Church, Inc. We were told that this was the case because the liability value was higher with a Wildcard Certificate than with the inexpensive SSL certificates.
  • Enter and Document the request password.
    • You will need this when you import the certificate.
  • Save the csr.zip file from the SSL-VPN console to your local workstation.
  • Unzip the csr.zip and save the server.key file for use after you receive your certificate from the CA.
  • Open the server.csr file with notepad and copy the contents of the server.csr file to the CA web interface to make your request.
  • After the domain.org.crt file is received from the CA, copy the .crt file and the .key file that was created during your CSR request to a common directory.
  • Rename the .crt file server.crt and zip the directory.
  • Be sure the .zip file is named certkey.zip
  • Login to the SSL-VPN Appliance, Go to System > Certificates.
  • Click on ‘Import certificate…’ button.
  • In the pop-up that appears, select the ‘certkey.zip’ file you just created and click on import.
  • If it is successful, the screen will now say ‘pending’.
  • Activate the certificate by clicking on Configure icon next to new cert.
  • You will be prompted to enter the password you entered when creating the CSR. Enter this and click on the Submit button. The screen will now say ‘inactive’.
  • This next step will reboot the box.
  • Select the Enable radio button next to the new certificate and click on the Apply button in the upper-right-hand corner.
  • After the reboot, your certificate is now active.

To install the certificate on an additional server, in our case an IIS6 web server, you will need to import the certificate as a .pfx.

  • Download the certificate from your web browser to a .cer file: go to the website that is using the SSL cert and choose to view the certificate.
  • Go to the details tab and choose copy to file and save the certificate as a .cer format.
  • To import the certificate into IIS you will need to convert the .cer file to a .pfx file.
  • Convert the files using OpenSSL
    • After installing OpenSSL Click START > RUN then type cmd.exe.
    • You need to navigate to the path where you installed your OpenSSL binaries.
    • Within this directory chdir to bin
    • Type the following commands to convert the .CER to .PEM format and then bundle it with the server.key you saved from csr.zip into a password-protected .pfx (the browser export contains only the certificate, so the private key has to come from that file; the export step prompts for the .pfx password):
      • openssl x509 -in <drive:pathtocert>.cer -inform DER -out <drive:pathtocert>.pem -outform PEM
      • openssl pkcs12 -export -in <drive:pathtocert>.pem -inkey <drive:pathtokey>\server.key -out <drive:pathtocert>.pfx
    • Take the exported .pfx file and save it in a location where you can access it from your IIS server.
  • Open IIS and go to the properties of the web you are configuring with the SSL certificate.
  • Go to the Directory Security tab and select Server Certificate under Secure Communications.
  • Choose Import a certificate from a .pfx file
  • Enter the password you gave the .pfx file when you created it.
  • After the certificate is imported rerun the wizard and Choose to ‘Assign an existing certificate’ to the site and choose the new certificate that you just imported.
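The appliance-side wildcard CSR and the workstation-side .cer to .pfx conversion described above, rehearsed end to end with the openssl command line. This is an added example and not the author’s commands; it assumes openssl is on PATH and uses a constructed self-signed certificate in place of the CA-issued one (so no appliance or CA is needed), with *.example.org as a placeholder for the wildcard name.

```shell
#!/bin/sh
# Added example, not from the original post: rehearse the wildcard CSR, the
# DER (.cer) -> PEM conversion and the .pfx bundling with the openssl CLI.
# Assumes openssl is on PATH. A constructed self-signed certificate stands in
# for the CA-issued one; the workstation-side commands are the same.

# Build a wildcard CSR the way the appliance does (CN = *.example.org) and
# sign it locally as a stand-in for the CA. Argument: working directory.
make_wildcard_cert() {
  dir="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=US/O=Example Org, Inc./CN=*.example.org" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
    -days 30 -out "$dir/server.crt" 2>/dev/null || return 1
  # Mimic the browser's "copy to file" export, which yields a DER .cer
  # holding only the certificate: the private key never leaves server.key.
  openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/exported.cer"
}

# The post's conversion, corrected: DER -> PEM, then pack the PEM certificate
# together with its private key into a password-protected .pfx (-export).
make_pfx() {
  cer="$1"; key="$2"; pfx="$3"; pass="$4"
  openssl x509 -in "$cer" -inform DER -out "${cer%.cer}.pem" -outform PEM || return 1
  openssl pkcs12 -export -in "${cer%.cer}.pem" -inkey "$key" \
    -out "$pfx" -passout "pass:$pass"
}

# Check the .pfx before handing it to IIS: it opens with the password, the key
# inside matches the certificate (same public key) and the CN is the wildcard.
verify_pfx() {
  pfx="$1"; pass="$2"
  certpub=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys 2>/dev/null \
    | openssl x509 -noout -pubkey) || return 1
  keypub=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null) || return 1
  [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject | grep -q 'CN *= *\*\.example\.org'
}

# End-to-end rehearsal; prints the .pfx path and returns 0 only if it verifies.
run_demo() {
  dir=$(mktemp -d) || return 1
  make_wildcard_cert "$dir" &&
  make_pfx "$dir/exported.cer" "$dir/server.key" "$dir/wildcard.pfx" 'Test-Pass-1' &&
  verify_pfx "$dir/wildcard.pfx" 'Test-Pass-1' && printf '%s\n' "$dir/wildcard.pfx"
}
```

The -export step is where a missing server.key shows up: the browser-exported .cer carries the certificate only, so the key saved from csr.zip is required to build a .pfx that IIS can use.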

You should now be able to browse the second web server and the SSL wildcard certificate should be active.  Save the .pfx file for future use; it can be imported into a future web server to utilize the wildcard certificate.


3 Comments

  • John Flick

    Do you still check this email. I’m having a bear of a time with a wildcard cert and a Sonicwall. I never am able to download a .key and a .crt file together. Wondering what advice you might have on it.

