I'm attempting to import a certificate created by a CA I've set up in Windows using AD CS. I've done the following:
1) Created my own CA (MyCompany)
2) Enabled web services (mostly for ease of configuration)
3) Generated a certificate request on the Sonicwall itself
4) Used web services to sign the certificate
6) Imported the signed certificate into the Sonicwall ... this caused the certificate to show "No" for the Verified field.
6) Imported the CA's certificate.
This is where I get stuck. I attempted to import the CRL list, but get the following error: CRL Error - Verification failed using CA certificate. No further errors appear in the logs. Without the CRL list the certificate won't verify, and it doesn't appear under the "Administration" page so I can select it for use via HTTPS.
Any ideas?
Edit: From Sonicwall when I attempt to use my HTTP published list:
07/02/2013 14:33:54.256 Alert VPN PKI Cannot Validate Issuer Path HTTPS
19 07/02/2013 14:33:54.256 Alert VPN PKI CRL validation failure for Root Certificate MyCompanyCA
20 07/02/2013 14:33:54.256 Alert VPN PKI Failed to Process CRL from http://crl.mydomain.com/CertEnroll/ CA: MyCompanyCA
So, after coming back to this with a brand new CA, it appears there's actually a bug with SonicOS 5.8 that causes this issue. My CA certificate is SHA512 and SonicOS only supports SHA1. Unfortunately I can't upgrade to 5.9 yet (which resolves the issue). If this helps anyone else, awesome.
Well, doing wild guesses, let's do this:
Let's start with the stupid thing: are you sure you are importing the correct file?! :)
Is the DNS correct? Can the SonicWall successfully resolve crl.mydomain.com?
Is the time correct? Make sure you have an NTP server configured on both sides; certificate management usually requires correct time.
Does the CRL URL really download anything?
Can you see the Windows CA logs, to confirm that the file is downloaded? Or even better, load a sniffer (like Wireshark) on the Windows CA and see if you get any request, on what port you get the request and what you reply back. If you get nothing, check firewall, routing problems, ACLs, etc.
If you get a request and reply successfully with valid info, it's probably a SonicWall problem.
If all fails, open a service request with SonicWall; they should help you debug the problem.