PCI Compliance Failure

So, for the first time we had to have a network scan for our Compliance. The scan is failing due to having a port open for use with our Sonicwall SSLVPN.

They say we need to “Please install a server certificate signed by a trusted third-party Certificate Authority.”

This is something we have never done or needed. If anyone can help with the following questions…

Ever run into this and figured a solution that does not require a cert?

How much do certs cost?

Where is a recommended place to get one?

Any recommendations on how to install/use it?

StartSSL provides 1 year SSL certs for free.

https://www.startssl.com/

You can use their wizards to create the CSR (request), decode the private key, and generate a certificate bundle.

I am afraid I cannot help you with the sonic wall though, never used one.

Simply put, buy a certificate. There are lots of options to buy, but the RapidSSL Domain Validated option is one of the cheapest.

https://www.thesslstore.com/rapidssl/rapidssl-certificates.aspx

So can you get a certificate based on just an IP? Or does it have to be a domain?

If you can use an IP, what happens if our static IP changes?

A certificate is for a specific DNS hostname (i.e. www.yourdomain.com) or all hosts under a domain, known as a “wildcard” certificate (i.e. *.yourdomain.com), not for an IP address. The advantage of the wildcard cert is that you can typically install it anywhere in your domain that needs a cert. The downside is that they’re more expensive. (The purists here will also point out that you can have an in-between kind of cert issued for a single hostname yet add other hosts/domains via the SAN field, but that’s just getting into the deep weeds for you.)

Anyway, I would start here https://www.digicert.com/csr-creation.htm I love digicert as a CA, and they are by far NOT the cheapest, but also give you instructions freely on what to do with a cert, no matter where you get it from.

Yep, a certificate is a bit of a pain to get and install but they’re cheap now. There is no workaround to getting one if you need to keep using the SSLVPN and also remain compliant. I use ssls.com, you can get a 3 year for $15. LetsEncrypt provides free certificates but it’s best run from a server where you can automate the issuance and renewal since they only offer 3-month certificates, through their API. For equipment like a SonicWALL I’d use ssls.com’s cheapest offer or any of the other suggestions in the thread (the RapidSSL certs for $5/year and the ones for $15/year are essentially the same).

Keep in mind that while Startcom (StartSSL) offers free one-year certificates, they were just bought (on the sly) by WoSign, a Chinese certificate authority that was just caught backdating and doing some other sketchy stuff against web browsers’ terms of service for trusted root authorities, and there’s a chance that Startcom (and almost certainly WoSign) root certificates will be removed from being trusted to issue certificates for Firefox and potentially Edge and Chrome, so they may not be the best long-term choice when ssls.com is $15 for three years.

I also have a SonicWALL and was able to justify the reasoning to them and they gave me an exception for it without purchasing a certificate.

Very interesting. I was able to fill out something on the form and they granted what appears to be a 90-day exception. I do not know if that means I can do another 90-day exception each time, or if they will require a cert after the 90 days.

I think I will bookmark this thread and see what happens in January when I scheduled the next scan. After that, I may be back to get help with a cert. Thanks everyone for your feedback, this info is invaluable.

These are the certificates we typically use for network devices.

Yeah, for a bit of time every three years plus $15 for three years, it seems like the best long-term solution is to actually get a certificate. You gain server authentication–if you connect to the firewall over the Internet for administration, having a valid certificate means that when you get a warning, you’re not actually connecting directly to the device and someone is intercepting the traffic. With a self-signed certificate, you have no way to authenticate that the connection is encrypted end-to-end without interception (it may still be encrypted, just not necessarily all the way through without someone decrypting in the middle). Unless you manually trust the self-signed certificate on every device you use for administration–and if you’re going to do that, just getting a trusted certificate on the server is probably the best use of your time and money.

You do need a domain name with a DNS entry (subdomain) pointing to the IP address of the firewall, and you need to use that hostname with https:// in front of it to access the device and validate the certificate properly (you’ll get a hostname error if you use the IP or a different hostname for administration). But it’s a great little security addition.

Separately, many vendors include self-signed certificates that are the SAME in all their devices, or did at one time in their older firmware, rather than generating a unique certificate for each device. This means that even using the built-in certificate, anyone can see the transmitted data if intercepted because the keys are generally known / public. Current firmware on most enterprise gear has fixed this problem but there are a lot of lower-end systems with similar issues still out there. So generating your own certificate, or ideally buying a trusted one, is right up there with changing default passwords from a security standpoint.

Thanks for all the info. We are actually working right now to get a better internet connection which would change our provider and IP address. Since we have at least 90 days, I am going to wait on looking into the cert until we make the switch.

Keep in mind that certs identify the name but not an IP. If your provider or IP changes, just update the DNS for your device(s) using the cert(s) to point to the new IP(s) and you’re all set. Certs stay the same.

Yeah, I understand that. I just figured I would wait since I have the time.

Okay, looking at doing this now. It looks like with the domain I use I will have to have email addresses available to validate the domain.

We use DNSMadeEasy, can I simply point everything to our IP address except email, and point that to our Office365 account?

Yes, you can add and validate another domain in Office 365 and add a new account or alias using it for the email address you need. Might take a little time to take effect (normal for Office 365–I would make sure you can get test email at the new address before using it for validation) but then it should work fine!

Yeah; generally administrator@ is the email that’s the easiest to use. Also, if you’re doing a subdomain most certificate vendors will accept an email from the parent domain.

e.g., administrator@mywonderful.church could validate for a certificate issued to *.internal.mywonderful.church


Okay, I have purchased from ssls.com and received the email with a zip file containing four .crt files.

However, I cannot see anywhere to import them on my Sonicwall. All the online instructions are outdated. They show importing a zip file and nowhere on the current firmware do I find a place to import a zip. It only wants…

“File should be PEM (.pem) or DER (.der or .cer) encoded”

Did I get the wrong thing? Any ideas what to do now?

Okay, I just tried importing the .crt file and it took it. How do I now check to make sure everything is working properly?

I generally use SSL Server Test (Powered by Qualys SSL Labs) to test my SSL environments. Just put your domain name in and it will take care of the rest. It will give you a rating and pointers on things you can do to improve your score.

SSLLabs is great, I’ve used TestSSL.sh for alternate ports/protocols (SMTP, 8443, etc) as well since SSLLabs will only test HTTPS on port 443.
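An added example, not from anyone in this thread, covering the two steps above: sorting out which of the four .crt files is the server certificate, confirming it pairs with the private key from the CSR, converting to DER for a device that only accepts .der/.cer, and checking a non-443 SSLVPN port after installation (since SSL Labs only tests 443). It assumes a POSIX shell with openssl 1.1.1 or newer; the file names and vpn.example.test are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl >= 1.1.1 on PATH;
# file names (demo.crt, demo.key, ca-bundle.pem) are hypothetical.

# Tell the .crt files apart: a subjectAltName with a DNS name marks the server
# cert; subject == issuer marks the self-signed root; the rest are intermediates.
classify_cert() {  # classify_cert file.crt  -> prints "<file>: <role>"
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || {
    echo "$1: not a PEM certificate"; return 1; }
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q 'DNS:'; then
    echo "$1: server certificate"
  elif [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo "$1: root (self-signed)"
  else
    echo "$1: intermediate"
  fi
}

# The cert only works with the private key that produced the CSR: the public
# key inside the cert must equal the one derived from the key file.
cert_matches_key() {  # cert_matches_key server.crt server.key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Chain check the CA's files should pass before you upload anything: root and
# intermediates go in the CA bundle, the server cert is what gets verified.
verify_chain() {  # verify_chain server.crt ca-bundle.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# A device that refuses .crt but takes .der/.cer wants the same cert, DER-encoded.
pem_to_der() {  # pem_to_der in.crt out.der
  openssl x509 -in "$1" -outform DER -out "$2"
}

# After installing: succeeds only if the chain validates AND the hostname matches.
check_endpoint() {  # check_endpoint vpn.example.test 4433
  echo | openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
    2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Constructed demo input: a throwaway self-signed cert for vpn.example.test plus
# an unrelated key, so the checks above can be exercised offline.
make_demo_cert() {  # make_demo_cert DIR -> DIR/demo.key DIR/demo.crt DIR/other.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -addext "subjectAltName=DNS:vpn.example.test" \
    -keyout "$1/demo.key" -out "$1/demo.crt" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$1/other.key" >/dev/null 2>&1
}
```

Run `classify_cert` over each file from the zip, then `cert_matches_key` and `verify_chain` on the one it calls the server certificate; once the device has it installed, `check_endpoint yourhost yourport` is the offline-free sanity check for ports SSL Labs will not scan.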