13 Why Do I See The Status "Pending" After Importing A New Certificate And Private Key; 14 Can I Have More Than One Certificate Active If I Have Multiple Virtual Hosts; 16 Can I Store The Key And Certificate; 17 Does The Sma/Sra Appliance Support Client-Side Digital Certificates - Dell SMA 200 Administration Manual

13 Why do I see the status "pending" after importing a new certificate and private key?

Answer: Click the 'configure' icon next to the new certificate and enter the password you specified
when creating the Certificate Signing Request (CSR) to finalize the import of the certificate. After this is
done, you can successfully activate the certificate on the SMA/SRA appliance.

14 Can I have more than one certificate active if I have multiple virtual hosts?

Answer: It is possible to select a certificate for each Portal under the Portals > Portals: Edit Portal -
Virtual Host tab. The portal Virtual Host Settings fields allow you to specify a separate IP address and
certificate per portal. If the administrator has configured multiple portals, it is possible to associate a
different certificate with each portal. For example, sslvpn.test.sonicwall.com might also be reached
by pointing the browser to virtualassist.test.sonicwall.com. Each of those portal names can have its
own certificate. This is useful to prevent the browser from displaying a certificate mismatch warning,
such as "This server is abc, but the certificate is xyz, are you sure you want to continue?"

15 I imported the CSR into my CA's online registration site but it's asking me to tell them what kind of Webserver it's for. What do I do?

Answer: Select 'Apache'.

16 Can I store the key and certificate?

Answer: Yes, the key is exported with the CSR during the CSR generation process. It's strongly
recommended that you keep this in a safe place with the certificate you receive from the CA. This
way, if the SMA/SRA appliance ever needs replacement or suffers a failure, you can reload the key and
cert. You can also always export your settings from the System > Settings page.

17 Does the SMA/SRA appliance support client-side digital certificates?

Answer: Yes, client certificates are enforced per Domain or per User on the Users > Local Users: Edit
User – Login Policies tab.

Per Domain/Per User client certificate enforcement settings:

- Option to verify that the user name matches the Common Name (CN) of the client certificate
- Option to verify partial DN in the client certificate subject (optional). The following
  variables are supported:
  - User name: %USERNAME%
  - Domain name: %USERDOMAIN%
  - Active Directory user name: %ADUSERNAME%
  - Wildcard: %WILDCARD%
- Support for Microsoft CA Subject Names where CN=<Full user name>, for example CN=John Doe.
  Client certificate authentication attempts for users in Active Directory domains should have the
  CN compared against the user's full name in AD.
- Detailed client certificate authentication failure messages and log messages are available in the
  Log > View page.
- Certificate Revocation List (CRL) Support. Each CA Certificate now supports an optional CRL
  through file import or periodic import through URL.

The client certificate must be loaded into the client's browser. Also, remember that any
certificates in the trust chain of the client certificates must be installed onto the SMA/SRA
appliance.

18 When client authentication is required my clients cannot connect even though a CA certificate has been loaded. Why?

Answer: After a CA certificate has been loaded, the SMA/SRA appliance must be rebooted before it is
used for client authentication. Failure to validate the client certificate also causes the logon to fail.
The most common causes are: certificate is not yet valid, certificate has expired, login name does not
match common name of the certificate, and certificate not sent.
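
The checks from questions 17 and 18 can be rehearsed offline against a certificate's subject and validity dates before a user tries to log in. The following Python code is an added example, not code from the manual or the appliance. It assumes the certificate is already decoded into a dict, that partial DN matching is per attribute and case-insensitive with %WILDCARD% matching any value, and the "partial DN mismatch" message is a hypothetical label.

```python
import re
from datetime import datetime, timezone

def parse_dn(dn):
    """Parse 'CN=John Doe,OU=Sales' into {'CN': ['John Doe'], 'OU': ['Sales']}."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        key, _, value = rdn.strip().partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return attrs

def expand(template_value, variables):
    """Compile one template value, e.g. '%USERNAME%', into a case-insensitive regex."""
    pieces = re.split(r"(%[A-Z]+%)", template_value)
    # Assumptions: %WILDCARD% matches any value; matching ignores case.
    pattern = "".join(".*" if p == "%WILDCARD%" else re.escape(variables.get(p, p)) for p in pieces)
    return re.compile(pattern, re.IGNORECASE)

def diagnose(cert, user, partial_dn=None, now=None):
    """Return the reasons a login is expected to fail; an empty list means pass."""
    if cert is None:
        return ["certificate not sent"]
    now = now or datetime.now(timezone.utc)
    reasons = []
    if now < cert["not_before"]:
        reasons.append("certificate is not yet valid")
    if now > cert["not_after"]:
        reasons.append("certificate has expired")
    subject = parse_dn(cert["subject"])
    # The CN may carry the login name or, for Microsoft CA subjects, the AD full name.
    accepted = {n.casefold() for n in (user.get("username"), user.get("ad_full_name")) if n}
    if not any(cn.casefold() in accepted for cn in subject.get("CN", [])):
        reasons.append("login name does not match common name of the certificate")
    variables = {"%USERNAME%": user.get("username", ""),
                 "%USERDOMAIN%": user.get("domain", ""),
                 "%ADUSERNAME%": user.get("ad_username", "")}
    if partial_dn:
        for key, wanted in parse_dn(partial_dn).items():
            for value in wanted:
                if not any(expand(value, variables).fullmatch(v) for v in subject.get(key, [])):
                    reasons.append(f"partial DN mismatch on {key}")
    return reasons

# Constructed sample data (not from the manual): a Microsoft CA style subject.
SAMPLE_CERT = {"subject": "CN=John Doe,OU=Sales,O=Example Corp",
               "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
               "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
SAMPLE_USER = {"username": "jdoe", "domain": "Sales",
               "ad_username": "jdoe", "ad_full_name": "John Doe"}
```

The appliance's own verdict and detail remain in the Log > View page; this only narrows down which of the listed causes applies to a given certificate.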
Dell SonicWALL Secure Mobile Access 8.5
Administration Guide

This manual is also suitable for:

SMA 400, SRA 1600, SRA 4600, SMA 500v
