Scripting to SonicWall Firewall

If I am using Certify, then hopefully I can do this soon within the program? I have imported the Intermediate Certs from Let’s Encrypt to the SonicWall Device.

Hi, we support scripting so you can create a script that converts the certificate to any required formats then copy/upload it automatically, however if SonicWall doesn’t have an API to update the certificate then you’ll still be importing and restarting the appliance manually (unless they have a built in way to use Let’s Encrypt).

The next major version of Certify The Web will support remote deployment to windows shares or via SSH/SFTP (linux etc) and will also allow you to run remote SSH scripts as part of your deployment step (such as restarting a service etc). That only works if your device/server supports that sort of thing though.

Can you provide a sample of scripting the output of a pem file with private key?

So it does look like SonicWall does have API support. However you have to be on a very recent version, 6.5.1 or higher.


There are a couple of example here: Filezilla Server PS Script

The next major version will have this functionality as part of the UI.

My issue is I have several certificates in the assets/pfx folder path, how do I narrow it down to the right certificate (file) using the powershell script (i.e. can I check against the Subject Alternative Name and oldest expiration date instead since the filenames change all the time)?

Most examples have a line like this:

$pfx = $result.ManagedItem.CertificatePath

This is the exact path of the PFX file that was created for this script run. (if the run was successful)

Though if you want a vanilla solution, you can try something like:

$lastPfx = gci $certFolder\*.pfx | sort LastWriteTime | select -Last 1
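As an added example (not code from Certify The Web or from this thread), here is a post-renewal PowerShell script that uses $result.ManagedItem.CertificatePath when it is available, otherwise picks the PFX by Subject Alternative Name and latest expiry as asked above, and then exports PEM and key files for a firewall upload. The hostname, folders, PFX password and OpenSSL path are assumptions.

```powershell
param($result)
# Added example. All paths, the hostname and the PFX password are assumptions;
# adjust them for your environment.
$expectedHost = "vpn.example.com"                    # assumed SAN entry to require
$certFolder   = "C:\ProgramData\Certify\assets\pfx"  # assumed fallback PFX folder
$outDir       = "C:\Scripts\sonicwall"               # assumed output folder
$pfxPassword  = ""                                   # assumed PFX password, if you set one
Set-Alias ossl "C:\OpenSSL-Win64\bin\openssl.exe"    # assumed OpenSSL location

function Test-CertHasSan($cert, [string]$hostName) {
    # Read the Subject Alternative Name extension (OID 2.5.29.17); Windows formats
    # it as "DNS Name=a.example.com, DNS Name=b.example.com".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return $false }
    $names = $san.Format($false) -split ",\s*" | ForEach-Object { ($_ -split "=", 2)[1].Trim() }
    foreach ($n in $names) {
        # Accept an exact match or a wildcard entry such as *.example.com.
        if ($n -eq $hostName -or ($n.StartsWith("*.") -and $hostName -like $n)) { return $true }
    }
    return $false
}

function Select-PfxForHost([string]$folder, [string]$hostName, [string]$password) {
    # Keep PFX files whose SAN covers the host and that are still valid, then
    # prefer the one expiring last, i.e. the most recent renewal.
    $best = $null
    foreach ($f in Get-ChildItem "$folder\*.pfx") {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.FullName, $password)
        if ((Test-CertHasSan $c $hostName) -and $c.NotAfter -gt (Get-Date)) {
            if (-not $best -or $c.NotAfter -gt $best.NotAfter) {
                $best = [pscustomobject]@{ Path = $f.FullName; NotAfter = $c.NotAfter }
            }
        }
    }
    return $best
}

# Prefer the exact file from this renewal run; otherwise search the folder.
$pfx = $null
if ($result -and $result.ManagedItem -and $result.ManagedItem.CertificatePath) { $pfx = $result.ManagedItem.CertificatePath }
if (-not $pfx) { $pfx = (Select-PfxForHost $certFolder $expectedHost $pfxPassword).Path }
if (-not $pfx) { throw "No usable PFX found for $expectedHost" }

New-Item -ItemType Directory -Force -Path $outDir | Out-Null
ossl pkcs12 -in $pfx -out "$outDir\cert.pem"    -clcerts -nokeys -passin "pass:$pfxPassword"
ossl pkcs12 -in $pfx -out "$outDir\chain.pem"   -cacerts -nokeys -passin "pass:$pfxPassword"
ossl pkcs12 -in $pfx -out "$outDir\privkey.pem" -nocerts -nodes  -passin "pass:$pfxPassword"
if ($LASTEXITCODE -ne 0) { throw "OpenSSL export failed" }
# The key is unencrypted on disk now: restrict it to administrators and SYSTEM.
icacls "$outDir\privkey.pem" /inheritance:r /grant:r "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F" | Out-Null
```

Run it as the Certify post-request script so $result is populated; when run by hand $result is empty and the SAN-based fallback is used.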

Probably not designed as intended, but here is the code I have generating the keys:

param($result)

# Alias to your OpenSSL install
Set-Alias ossl "C:\OpenSSL-Win64\bin\openssl"

# Update keypath to where your keys will be saved and their names.
$Password = "Password"; # password to access certificate after exporting
$CertName = "*.mydomain.com"; # name of the certificate to export
$RootCertName = ""; # issuer CN prefix to filter on (empty matches any issuer)
$ExportPathRoot = "C:\Scripts"
$keypath = "C:\Scripts"
$key = Join-Path $keypath "letsencrypt.key"
$rsakey = Join-Path $keypath "letsencrypt_rsa.key"
$pem = Join-Path $keypath "letsencrypt.pem"

# Get the latest PFX file path
$CertListToExport = Get-ChildItem -Path cert:\LocalMachine\My | ?{ $_.Subject -Like "CN=$CertName" -and $_.Issuer -Like "CN=$RootCertName*" }
foreach($CertToExport in $CertListToExport | Sort-Object Subject)
{
# Destination Certificate Name should be CN.
# Since subject contains CN, OU and other information,
# extract only up to the next comma (,)
$DestCertName=$CertToExport.Subject.ToString().Replace("CN=","");
$DestCertName=$DestCertName.Replace("*","wildcard");
$DestCertName

$CertDestPath = Join-Path -Path $ExportPathRoot -ChildPath "$DestCertName.pfx"

$SecurePassword = ConvertTo-SecureString -String $Password -Force -AsPlainText

# Export PFX certificate along with private key
Export-PfxCertificate -Cert $CertToExport -FilePath $CertDestPath -Password $SecurePassword -Verbose

}
# Use the PFX Certify produced for this run, or the last one exported above
#$pfx = $result.ManagedItem.CertificatePath
$pfx = $CertDestPath

# Create the Key, RSA Key, and PEM file.
ossl pkcs12 -in $pfx -out $key -nocerts -nodes -passin pass:$Password
ossl rsa -in $key -out $rsakey
ossl pkcs12 -in $pfx -out $pem -nokeys -clcerts -passin pass:$Password

Hi, if your script works that’s great but it’s working against the information that we provide in the $result object, namely you’re trying to discover and export the cert from the certificate store rather than using the certificate file we already give you. Presumably you’re doing that because you couldn’t get the example script working or you want to run this script outside of the Certify renewal process.

Future versions will let you set up a deployment step (such as export to .pem etc) and defer execution until you call it from the command line, that way you can have renewals happen normally but the actual deployment (either locally or remote) can happen either manually during a maintenance window or on a scheduled task.

@oda_ag - Just out of curiosity, did you ever make a PowerShell script for the SonicWALL?

No, SonicWALL SonicOS API is too immature to upload a certificate and they won’t build in a proper ACME client. Still a manual process for me.

@oda_ag I don’t know if you’ve had a chance to take a look at the SonicWALL OS 7, but it has a lot more API capabilities now. I’m going to link an API reference in this chat. I don’t know if you would like to collaborate with me on developing this.

Introduction to SonicOS API | SonicWall

About SonicOS 7.0 (sonicwall.com)

Swagger UI (sonicwall.com)

So, I see that the SonicOS API appears to be getting a bit more “love”, even on v6.5. With the ability to export the certificates from the Certify UI as a Deployment task, I’m wondering if there has been any progress made towards automating the deployment to a SonicWall firewall (I’m using a TZ400)?

I only have a total of four SSL’s I want to “migrate” to Let’s Encrypt certs, but one of them is on this firewall, one is on an isolated server for RD Gateway, and the other two are on another server running IIS and WS_FTP. I’m new to all this Let’s Encrypt/ACME stuff and not particularly good with PowerShell, so I’m really hoping to find something to make my life easier. :stuck_out_tongue:


I am still on Sonic OS 6.5 and still doing it manually for the TZ400. I do know that Certify The Web updates the RD Gateway very nicely.
