Next Gen Usg SSL Import
SSL Certificate Import for USG / ZyWALL
Version / Revision: 1.2
Firmware used: 4.13(AAPH.1)C0
Date: 06-11-2015
Author: Kevin Drinkall
Step 1
Generate an SSL certificate request. If you already have a wildcard certificate or a valid domain certificate, skip to Step 5.
Select Configure > Object > Certificate.
Select Host Domain Name and enter the host domain name. This is the domain or sub-domain the certificate will be issued for; the certificate authority validates it, so it must have a DNS A record that points at a public-facing WAN interface of the device.
Enter the country code. The UK country code is GB.
Key Length must be 2048 for a valid domain certificate that browsers will trust.
Select the functions you would like the SSL certificate to be used for within the USG / ZyWALL.
Select "Create a certification request…" so that you can use the generated request with the 3rd party certificate authority.
Press OK when completed and allow 1-2 minutes for the certificate request to be generated.
Once generated it should appear under My Certificates with the certificate name you gave it. Because this is a request, the Type will be REQ and the Issuer and Valid From will be set to none.
Step 2
Open the SSL certificate request (Type REQ) and copy the text shown under Certificate in PEM (Base-64) Encoded Format. Ensure you include the:
-----BEGIN CERTIFICATE REQUEST-----
and the
-----END CERTIFICATE REQUEST-----
lines.
Step 3
Go to your 3rd party SSL certificate authority. In this example we used RapidSSL (https://www.rapidssl.com/) but you can use any SSL certificate authority that issues browser-trusted certificates.
Purchase your SSL certificate. During the process you will be asked to supply your certificate request: paste the content copied in Step 2 into their request box. The certificate authority will then validate the request.
Note: Many SSL certificate providers will recommend that the certificate be signed with SHA-2 (SHA-256) and will offer to re-issue it that way. A certificate has no TLS version; the property that matters here is the hash algorithm used in the certificate's signature. The 4.13 firmware used for this guide does not support SHA-2 signed certificates, so make sure the certificate is signed with SHA-1. SHA-2 support will be available in a future release.
Caveat: public certificate authorities stopped issuing SHA-1 signed certificates at the start of 2016 and current browsers reject them, so on current firmware request a SHA-256 signature and check the release notes for your firmware version before ordering.
Step 4
Once generated, your 3rd party SSL certificate authority should provide you with the certificate in PEM (Base-64) encoded format. Open Notepad and paste the certificate from the provider's website or email, or download the file provided. The USG / ZyWALL supports the following formats:
Binary X.509
PEM (Base-64) X.509
Binary PKCS#7
PEM (Base-64) PKCS#7
Binary PKCS#12
Ensure you include the:
-----BEGIN CERTIFICATE-----
and the
-----END CERTIFICATE-----
lines.
Save the file to disk (in a location of your choosing on your local device). You can call the file anything you like; note that the file name is what you will select on the device, so it is worth giving it a relevant name (this can be changed later on the USG / ZyWALL). It must be saved as a plain text file. A .txt extension works, but ideally it should be .crt.
Step 5
Import the certificate by selecting "Import" and then Browse to locate the certificate file on your local device. If the certificate is a PKCS#12 file (usually used for a global wildcard certificate; a PKCS#12 file bundles the certificate with its private key and is password protected) you will be able to enter the password below the Browse button.
Enter the password here if it applies to your SSL certificate.
Select Import to begin importing the certificate.
Once imported it should replace the REQ entry with an entry of Type CERT and display the Issuer, Valid From and Valid To information.
Step 6
You now need to import the provider's root certificate, and any intermediate CA certificate that sits between the root and your certificate, into Trusted Certificates. You can download these from the provider's website.
Configuration > Object > Certificate > Trusted Certificate > Import (button at the bottom of the page)
They should then appear in the Trusted Certificates list.
If this stage is missed, the certificate you imported under My Certificates will not be able to validate itself and will show "Invalid Path" in the Certification Path table (under the My Certificates tab > your imported certificate). The same happens if only the root is imported and the intermediate is missing, because the device cannot build a path from your certificate up to the root.
If this has been successful your certificate under My Certificates should show Validation Result = successful.
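As an added example (not part of the original guide and not Zyxel code), the script below performs the checks from Steps 1 to 6 offline on the PEM text you would paste or import: that the BEGIN/END lines are present and match (Steps 2 and 4), that the key is 2048-bit RSA (Step 1), which hash the signature uses (the Step 3 note), and whether a given set of trusted CA certificates lets a path be built from your certificate up to a root, which is what the device reports as Invalid Path when it cannot (Step 6). It uses only the Python standard library, so it runs without OpenSSL. The certificate chain and CSR it parses are constructed inline with a placeholder RSA modulus and all-zero signatures, so they are not verifiable and not real CA material; the names vpn.example.com, Example Root CA and Example Issuing CA are made up.

```python
import base64
import re

OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"      # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA, OID_SHA256_RSA = OID_RSA[:-1] + b"\x05", OID_RSA[:-1] + b"\x0b"
OID_CN = b"\x55\x04\x03"                                # 2.5.4.3 commonName
SIG_NAMES = {OID_SHA1_RSA: "sha1WithRSAEncryption", OID_SHA256_RSA: "sha256WithRSAEncryption"}

def read_tlv(buf, pos):                                 # (tag, content, next_pos); single-byte tags only
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                                  # (tag, content) of each element inside a SEQUENCE/SET
    pos, out = 0, []
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def pem_to_der(text):                                   # require the matching BEGIN/END lines the guide says to keep
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("missing or mismatched -----BEGIN/END----- lines")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def common_name(name_der):                              # X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            oid, val = children(atv)[:2]
            if oid[1] == OID_CN:
                return val[1].decode()

def inspect_pem(text):
    """Summarise a PEM certificate or CSR: CNs, signature hash, RSA key size and warnings."""
    label, der_bytes = pem_to_der(text)
    info, sig_alg, _sig = children(read_tlv(der_bytes, 0)[1])[:3]   # cert and CSR share this outer layout
    fields, issuer_cn = children(info[1]), None
    if label == "CERTIFICATE":
        if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
            fields = fields[1:]
        _serial, _alg, issuer, _validity, subject, spki = fields[:6]
        issuer_cn = common_name(issuer[1])
    else:                                               # PKCS#10: version, subject, spki, attributes
        _version, subject, spki = fields[:3]
    key_alg, key_bit_string = children(spki[1])
    key_bits = None
    if children(key_alg[1])[0][1] == OID_RSA:           # RSAPublicKey {modulus, exponent} follows the unused-bits byte
        key_bits = int.from_bytes(children(read_tlv(key_bit_string[1], 1)[1])[0][1], "big").bit_length()
    sig_name = SIG_NAMES.get(children(sig_alg[1])[0][1], "unknown")
    warnings = []
    if sig_name == "sha1WithRSAEncryption":
        warnings.append("SHA-1 signature: public CAs stopped issuing these in 2016 and browsers reject them")
    if key_bits is not None and key_bits < 2048:
        warnings.append("RSA key shorter than 2048 bits")
    return {"kind": label, "subject_cn": common_name(subject[1]), "issuer_cn": issuer_cn,
            "signature": sig_name, "key_bits": key_bits, "warnings": warnings}

def chain_path(leaf_pem, trusted_pems):
    """Step 6 pre-flight: follow issuer CN -> subject CN up to a self-signed certificate and return the CNs,
    or raise naming the missing issuer (the USG shows this as 'Invalid Path'). CN matching only, no signatures."""
    by_subject = {c["subject_cn"]: c for c in map(inspect_pem, trusted_pems)}
    cur, path = inspect_pem(leaf_pem), []
    while cur["issuer_cn"] != cur["subject_cn"]:
        path.append(cur["subject_cn"])
        if cur["issuer_cn"] not in by_subject:
            raise LookupError(f"no trusted certificate for issuer {cur['issuer_cn']!r}")
        cur = by_subject[cur["issuer_cn"]]
    return path + [cur["subject_cn"]]

# --- constructed sample data: placeholder key and all-zero signatures, not CA-issued material ---
def der(tag, content):                                  # minimal DER TLV encoder
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def der_int(n):
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def pem(label, b):
    b64 = base64.b64encode(b).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"
def alg(oid):
    return der(0x30, der(0x06, oid) + der(0x05, b""))
def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))))
SPKI = der(0x30, alg(OID_RSA) + der(0x03, b"\x00" + der(0x30, der_int((1 << 2047) | 1) + der_int(65537))))
FAKE_SIG = der(0x03, b"\x00" + bytes(256))              # never verifies; only the structure is exercised
VALIDITY = der(0x30, der(0x17, b"150611000000Z") + der(0x17, b"160611000000Z"))
def cert(subject, issuer, sig_oid=OID_SHA256_RSA):
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg(sig_oid) + name(issuer) + VALIDITY + name(subject) + SPKI)
    return pem("CERTIFICATE", der(0x30, tbs + alg(sig_oid) + FAKE_SIG))
CSR_INFO = der(0x30, der_int(0) + name("vpn.example.com") + SPKI + der(0xA0, b""))
SAMPLE_CSR = pem("CERTIFICATE REQUEST", der(0x30, CSR_INFO + alg(OID_SHA1_RSA) + FAKE_SIG))   # SHA-1, as Step 3 says
ROOT, INTERMEDIATE = cert("Example Root CA", "Example Root CA"), cert("Example Issuing CA", "Example Root CA")
SERVER = cert("vpn.example.com", "Example Issuing CA")
```

Run it against your own files with inspect_pem(open("server.crt").read()) and chain_path(server_pem, [root_pem, intermediate_pem]). A LookupError naming the intermediate means the device will show Invalid Path until that certificate is imported under Trusted Certificates; a SHA-1 warning means current browsers will refuse the certificate regardless of what the firmware accepts. The path check matches names only and does not verify signatures, so it tells you what is missing, not that the chain is genuine; the device's own Validation Result remains the authority.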
Step 7
Allocating the SSL certificate to functions within the USG / ZyWALL is done with the following settings:
HTTPS
Use the certificate globally when you access the device's management interface via HTTPS:
Configure > System > WWW > Server Certificate
SSL Inspection
Use the certificate for SSL Inspection (required if you want to filter HTTPS traffic):
Configure > UTM Profile > SSL Inspection > Add (to create a profile)
Note that SSL Inspection works by re-signing the certificates of the HTTPS sites it intercepts, so the certificate selected in the profile must be a CA certificate that the client devices trust. A server certificate issued by a public CA, such as the one obtained in Steps 1 to 5, is not a CA certificate, and clients reject certificates chained through it, so it will not work for this purpose.
IPSec VPN
Use the certificate for VPN gateway authentication:
Configure > VPN > IPSec VPN > VPN Gateway > select an existing gateway or create a new one by selecting Add
L2TP VPN
Use the certificate for VPN authentication:
Configure > VPN > L2TP VPN > select "Authentication Server Certificate"