A certificate is for a specific DNS hostname (i.e. www.yourdomain.com) or all hosts under a domain, known as a “wildcard” certificate (i.e. *.yourdomain.com), not for an IP address. The advantage of the wildcard cert is that you can typically install it anywhere in your domain that needs a cert. The downside is that they’re more expensive. (The purists here will also point out that you can have an in-between kind of cert issued for a single hostname yet add other hosts/domains via the SAN field, but that’s just getting into the deep weeds for you.)
Anyway, I would start here: https://www.digicert.com/csr-creation.htm. I love DigiCert as a CA; they are by far NOT the cheapest, but they also give you instructions freely on what to do with a cert, no matter where you get it from.
Yep, a certificate is a bit of a pain to get and install, but they’re cheap now. There is no workaround to getting one if you need to keep using the SSLVPN and also remain compliant. I use ssls.com; you can get a 3-year cert for $15. LetsEncrypt provides free certificates, but it’s best run from a server where you can automate the issuance and renewal through their API, since they only offer 3-month certificates. For equipment like a SonicWALL I’d use ssls.com’s cheapest offer or any of the other suggestions in the thread (the RapidSSL certs for $5/year and the ones for $15/year are essentially the same).
Keep in mind that while Startcom (StartSSL) offers free one-year certificates, they were just bought (on the sly) by WoSign, a Chinese certificate authority that was just caught backdating and doing some other sketchy stuff against web browsers’ terms of service for trusted root authorities, and there’s a chance that Startcom (and almost certainly WoSign) root certificates will be removed from being trusted to issue certificates for Firefox and potentially Edge and Chrome, so they may not be the best long-term choice when ssls.com is $15 for three years.
Very interesting. I was able to fill out something on the form and they granted what appears to be a 90-day exception. I do not know if that means I can do another 90-day exception each time, or if they will require a cert after the 90 days.
I think I will bookmark this thread and see what happens in January when I scheduled the next scan. After that, I may be back to get help with a cert. Thanks everyone for your feedback, this info is invaluable.
Yeah, for a bit of time every three years plus $15 for three years, it seems like the best long-term solution is to actually get a certificate. You gain server authentication–if you connect to the firewall over the Internet for administration, having a valid certificate means that when you get a warning, you’re not actually connecting directly to the device and someone is intercepting the traffic. With a self-signed certificate, you have no way to authenticate that the connection is encrypted end-to-end without interception (it may still be encrypted, just not necessarily all the way through without someone decrypting in the middle). Unless you manually trust the self-signed certificate on every device you use for administration–and if you’re going to do that, just getting a trusted certificate on the server is probably the best use of your time and money.
You do need a domain name with a DNS entry (subdomain) pointing to the IP address of the firewall, and you need to use that hostname with https:// in front of it to access the device and validate the certificate properly (you’ll get a hostname error if you use the IP or a different hostname for administration). But it’s a great little security addition.
Separately, many vendors include self-signed certificates that are the SAME in all their devices, or did at one time in their older firmware, rather than generating a unique certificate for each device. This means that even using the built-in certificate, anyone can see the transmitted data if intercepted because the keys are generally known / public. Current firmware on most enterprise gear has fixed this problem but there are a lot of lower-end systems with similar issues still out there. So generating your own certificate, or ideally buying a trusted one, is right up there with changing default passwords from a security standpoint.
Thanks for all the info. We are actually working right now to get a better internet connection which would change our provider and IP address. Since we have at least 90 days, I am going to wait on looking into the cert until we make the switch.
Keep in mind that certs identify the name but not an IP. If your provider or IP changes, just update the DNS for your device(s) using the cert(s) to point to the new IP(s) and you’re all set. Certs stay the same.
Yes, you can add and validate another domain in Office 365 and add a new account or alias using it for the email address you need. Might take a little time to take effect (normal for Office 365–I would make sure you can get test email at the new address before using it for validation) but then it should work fine!
Okay, I have purchased from ssls.com and received the email with a zip file containing four .crt files.
However, I cannot see anywhere to import them on my SonicWALL. All the online instructions are outdated. They show importing a zip file, and nowhere on the current firmware do I find a place to import a zip. It only wants…
“File should be PEM (.pem) or DER (.der or .cer) encoded”
Did I get the wrong thing? Any ideas what to do now?
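As an added example (not from this thread or from SonicWALL/ssls.com), a small Python script using only the standard library that checks whether each extracted .crt file is PEM or DER, normalises it to PEM, and joins the files into one PEM bundle that an importer expecting “PEM (.pem) or DER (.der or .cer)” will accept. The file names and the order you pass them in (server cert first, then intermediates) are assumptions; the DER bytes used in the self-check are a constructed ASN.1 stand-in, not a real certificate.

```python
import re
import ssl
from pathlib import Path

# A PEM file may hold several certificates back to back; capture each base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----", re.S
)


def sniff(data: bytes) -> str:
    """Classify raw file bytes as 'pem', 'der' or 'unknown' (e.g. a zip archive)."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    # A DER-encoded X.509 certificate is an ASN.1 SEQUENCE; its first tag byte is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def load_certs(data: bytes) -> list[str]:
    """Return every certificate in `data` as normalised PEM text, whatever the input encoding."""
    kind = sniff(data)
    if kind == "der":
        return [ssl.DER_cert_to_PEM_cert(data)]
    if kind == "pem":
        bodies = PEM_BLOCK.findall(data)
        if not bodies:
            raise ValueError("PEM header present but no complete CERTIFICATE block")
        pems = []
        for body in bodies:
            pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body.decode("ascii")
            # Round-trip via DER so a truncated base64 body fails here, not in the firewall's importer.
            pems.append(ssl.DER_cert_to_PEM_cert(ssl.PEM_cert_to_DER_cert(pem)))
        return pems
    raise ValueError("not a PEM or DER certificate (a .zip must be extracted first)")


def build_bundle(cert_files: list[bytes]) -> str:
    """Concatenate certificates in the given order into one PEM bundle, dropping duplicates."""
    seen: set[bytes] = set()
    out = []
    for data in cert_files:
        for pem in load_certs(data):
            der = ssl.PEM_cert_to_DER_cert(pem)
            if der not in seen:
                seen.add(der)
                out.append(pem)
    return "".join(out)


if __name__ == "__main__":  # usage (assumed names): python bundle.py server.crt ca1.crt ca2.crt > bundle.pem
    import sys
    sys.stdout.write(build_bundle([Path(p).read_bytes() for p in sys.argv[1:]]))
```

The resulting bundle.pem is a plain PEM file, so it matches the importer's stated requirement; if a file is reported as "unknown", it is most likely the zip itself or a PKCS#7/PKCS#12 container rather than a bare certificate.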
I generally use SSL Server Test (Powered by Qualys SSL Labs) to test my SSL environments. Just put your domain name in and it will take care of the rest. It will give you a rating and pointers on things you can do to improve your score.