Scripting to SonicWall Firewall

If I am using Certify, then hopefully I can do this soon within the program? I have imported the Intermediate Certs from Let's Encrypt to the SonicWall device.

Hi, we support scripting, so you can create a script that converts the certificate to any required format and then copies/uploads it automatically. However, if SonicWall doesn't have an API to update the certificate then you'll still be importing and restarting the appliance manually (unless they have a built-in way to use Let's Encrypt).

The next major version of Certify The Web will support remote deployment to Windows shares or via SSH/SFTP (Linux etc.) and will also allow you to run remote SSH scripts as part of your deployment step (such as restarting a service). That only works if your device/server supports that sort of thing, though.

Can you provide a sample of scripting the output of a pem file with private key?

So it does look like SonicWall does have API support. However, you have to be on a very recent version, 6.5.1 or higher.


There are a couple of examples here: Filezilla Server PS Script

The next major version will have this functionality as part of the UI.

My issue is that I have several certificates in the assets/pfx folder path. How do I narrow it down to the right certificate (file) using the PowerShell script? I.e., can I check against the Subject Alternative Name and oldest expiration date instead, since the filenames change all the time?

Most examples have a line like this:

$pfx = $result.ManagedItem.CertificatePath

This is the exact path of the PFX file that was created for this script run (if the run was successful).

Though if you want a vanilla solution, you can try something like:

$lastPfx = gci $certFolder\*.pfx | sort LastWriteTime | select -Last 1
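Added example (not code from the original post or from Certify itself): a post-request script that prefers the $result.ManagedItem.CertificatePath value described above and, only when that is missing, scans a PFX folder, matches the Subject Alternative Name list and keeps the PFX with the latest expiry, so the filenames no longer matter. The folder path, DNS name and PFX password are assumptions.

```powershell
param($result)

# Preferred: Certify passes this script the exact PFX it just produced.
$pfx = $result.ManagedItem.CertificatePath

# Fallback: choose a PFX by SAN entry and expiry rather than by filename.
function Select-PfxBySan {
    param(
        [string]$Folder,
        [string]$DnsName,
        [string]$Password = ''   # PFX password, if any (assumed; empty for an unprotected PFX)
    )
    $candidates = foreach ($file in Get-ChildItem -Path (Join-Path $Folder '*.pfx')) {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName, $Password)
        } catch {
            continue   # skip files the password does not open
        }
        # OID 2.5.29.17 is Subject Alternative Name; Format() renders entries like "DNS Name=a.example.com"
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if (-not $sanExt) { continue }
        $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '[=:]')[-1].Trim() }
        # -contains is an exact string match, so '*.mydomain.com' only matches a wildcard SAN
        if ($sans -contains $DnsName) {
            [pscustomobject]@{ Path = $file.FullName; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
        }
    }
    # The most recent renewal has the furthest NotAfter; deploy that one
    $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
}

if (-not $pfx) {
    $pick = Select-PfxBySan -Folder 'C:\path\to\assets\pfx' -DnsName '*.mydomain.com'   # assumed folder and name
    if (-not $pick) { throw "No PFX containing SAN '*.mydomain.com' found" }
    $pfx = $pick.Path
}
"Using $pfx (expires $($pick.NotAfter))"
```

When Certify runs the script, the fallback never executes; it only matters when the script is run by hand outside a renewal.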

Probably not designed as intended, but here is the code I have generating the keys:

param($result)

# Alias to your OpenSSL install
Set-Alias ossl "C:\OpenSSL-Win64\bin\openssl"

# Update $keypath to where your keys will be saved and their names.
$Password = "Password"                       # password to access certificate after exporting
$CertName = "*.mydomain.com"                 # name of the certificate to export
$RootCertName = "Let's Encrypt Authority"    # issuer CN prefix to match (was undefined in the original; adjust for your CA)
$ExportPathRoot = "C:\Scripts"
$keypath = "C:\Scripts"
$key = Join-Path $keypath "letsencrypt.key"          # Join-Path supplies the path separator
$rsakey = Join-Path $keypath "letsencrypt_rsa.key"
$pem = Join-Path $keypath "letsencrypt.pem"

# Get the latest PFX file path
$CertListToExport = Get-ChildItem -Path cert:\LocalMachine\My | ?{ $_.Subject -Like "CN=$CertName" -and $_.Issuer -Like "CN=$RootCertName*" }
foreach ($CertToExport in $CertListToExport | Sort-Object Subject)
{
    # Destination Certificate Name should be CN.
    # Since subject contains CN, OU and other information,
    # extract only up to the next comma (,)
    $DestCertName = $CertToExport.Subject.ToString().Replace("CN=", "")
    $DestCertName = $DestCertName.Replace("*", "wildcard")
    $DestCertName

    $CertDestPath = Join-Path -Path $ExportPathRoot -ChildPath "$DestCertName.pfx"

    $SecurePassword = ConvertTo-SecureString -String $Password -Force -AsPlainText

    # Export PFX certificate along with private key
    Export-PfxCertificate -Cert $CertToExport -FilePath $CertDestPath -Password $SecurePassword -Verbose
}
#$pfx = $result.ManagedItem.CertificatePath
$pfx = $CertDestPath

# Create the Key, RSA Key, and PEM file.
ossl pkcs12 -in $pfx -out $key -nocerts -nodes -passin pass:$Password
ossl rsa -in $key -out $rsakey
ossl pkcs12 -in $pfx -out $pem -nokeys -clcerts -passin pass:$Password

Hi, if your script works that's great, but it's working against the information that we provide in the $result object: namely, you're trying to discover and export the cert from the certificate store rather than using the certificate file we already give you. Presumably you're doing that because you couldn't get the example script working or you want to run this script outside of the Certify renewal process.

Future versions will let you set up a deployment step (such as export to .pem etc.) and defer execution until you call it from the command line. That way you can have renewals happen normally, but the actual deployment (either local or remote) can happen either manually during a maintenance window or on a scheduled task.