Dell SonicWALL Secure Mobile Access 8.5 Administration Guide

13 Why do I see the status “pending” after importing a new certificate and private key?
Answer: Click the ‘configure’ icon next to the new certificate and enter the password you specified when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. After this is done, you can successfully activate the certificate on the SMA/SRA appliance.

14 Can I have more than one certificate active if I have multiple virtual hosts?
Answer: It is possible to select a certificate for each Portal under the Portals > Portals: Edit Portal - Virtual Host tab. The portal Virtual Host Settings fields allow you to specify a separate IP address and certificate per portal. If the administrator has configured multiple portals, it is possible to associate a different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning, such as “This server is abc, but the certificate is xyz, are you sure you want to continue?”

15 I imported the CSR into my CA’s online registration site but it’s asking me to tell them what kind of Webserver it’s for. What do I do?
Answer: Select ‘Apache’.

16 Can I store the key and certificate?
Answer: Yes, the key is exported with the CSR during the CSR generation process. It’s strongly recommended that you keep this in a safe place with the certificate you receive from the CA. This way, if the SMA/SRA appliance ever needs replacement or suffers a failure, you can reload the key and cert. You can also always export your settings from the System > Settings page.

17 Does the SMA/SRA appliance support client-side digital certificates?
Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local Users: Edit User – Login Policies tab.
• Per Domain/Per User client certificate enforcement settings:
  • Option to Verify the user name matches the Common Name (CN) of the client certificate
  • Option to Verify partial DN in the client certificate subject (optional). The following variables are supported:
    User name: %USERNAME%
    Domain name: %USERDOMAIN%
    Active Directory user name: %ADUSERNAME%
    Wildcard: %WILDCARD%
• Support for Microsoft CA Subject Names where CN=, for example CN=John Doe. Client certificate authentication attempts for users in Active Directory domains should have the CN compared against the user’s full name in AD.
• Detailed client certificate authentication failure messages and log messages are available in the Log > View page.
• Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional CRL through file import or periodic import through URL.
The client certificate must be loaded into the client’s browser. Also, remember that any certificates in the trust chain of the client certificates must be installed onto the SMA/SRA appliance.

18 When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?
Answer: After a CA certificate has been loaded, the SMA/SRA appliance must be rebooted before it is used for client authentication. Failure to validate the client certificate also causes logon failures. The most common causes are: certificate is not yet valid, certificate has expired, login name does not match common name of the certificate, certificate not sent.
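
The four common failures listed in answer 18 can be checked on the client certificate before opening a support case. The following is an added example, not code from the guide or from the appliance: the function names are hypothetical, the certificate is a constructed sample in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(), and the case-insensitive CN comparison is an assumption.

```python
import ssl
import time

NOT_SENT = "certificate not sent"
NOT_YET_VALID = "certificate is not yet valid"
EXPIRED = "certificate has expired"
CN_MISMATCH = "login name does not match common name of the certificate"

# Constructed sample certificate (getpeercert()-style), not taken from the guide.
SAMPLE_CERT = {
    "subject": ((("commonName", "John Doe"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def cert_common_name(cert):
    """Return the subject CN of a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def diagnose_client_cert(cert, login_name, ad_full_name=None, now=None):
    """Return the answer-18 failure reasons that apply (empty list if none).

    For Active Directory users pass ad_full_name: the guide says the CN is
    compared against the user's full name in AD, not the login name.
    """
    if not cert:
        return [NOT_SENT]
    now = time.time() if now is None else now
    reasons = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        reasons.append(NOT_YET_VALID)
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        reasons.append(EXPIRED)
    expected = ad_full_name if ad_full_name is not None else login_name
    cn = cert_common_name(cert)
    # Assumption: compare case-insensitively; the guide does not specify this.
    if cn is None or cn.casefold() != expected.casefold():
        reasons.append(CN_MISMATCH)
    return reasons
```

This covers only the certificate-side causes; a CA certificate loaded without the reboot described in answer 18, or a missing chain certificate on the appliance, still has to be checked on the appliance itself.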