
Automated SSL certificate renewal for SonicWall SonicOS

SonicWall firewalls won't update a renewed certificate on their own. CertKit will.

SonicWall firewalls bind a named certificate to the SSL VPN portal and to IPSec (IKEv2) VPN policies. When a certificate renews, the binding doesn't refresh until someone imports the new certificate through the SonicOS GUI or API, re-selects it on each service, and commits the configuration. Every 47 days. On every firewall you manage.

CertKit centralizes certificate issuance and renewal, then pushes the renewed certificate to your SonicWall devices automatically via the CertKit Agent and the SonicOS API, binds it to SSL VPN and IPSec, and commits the change.


Built for SonicWall

Pre-built SSL VPN and IPSec templates ship in your CertKit account. No scripting required.

CertKit renews your SonicWall certificate for you. On every renewal it imports the new certificate, binds it to your SSL VPN and IPSec VPN, applies the change, and removes the old certificate. No console clicks, no manual import, no maintenance window to schedule.

Point CertKit at your firewall once and it handles every renewal after that. If you want to see or adjust exactly what runs, the full deployment script is right there in your account.

How it works

 Your network            CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│  ┌─────────────┐  │     │                  │    │             │
│  │Deploy Agent │◄─┼─────┤  Issue & Renew   │◄──►│             │
│  └──┬────┬─────┘  │     │   Certificates   │    │             │
│     │    │SonicOS │     │                ┌───┐  └─────────────┘
│     │    │ API    │     └───────────┬────│DNS│
│     ▼    ▼        │                 │    └───┘
│ ┌──────────────┐  │                 │
│ │ SonicWall    │  │                 │
│ │ [x] Imported │  │ ◄───────────────┘
│ │ [x] Committed│  │       Verify
│ └──────────────┘  │
└───────────────────┘

CertKit issues and renews certificates centrally in the cloud using delegated DNS validation. You create a one-time CNAME record; CertKit handles every ACME challenge after that.

The deploy agent is a small service you run on a server inside your network. It makes an outbound HTTPS connection to CertKit to pull each renewed certificate, then connects to the SonicWall over the SonicOS API on your LAN to import the certificate, bind it to SSL VPN and IPSec, and commit. The firewall never talks to CertKit or the public internet directly, never runs ACME, needs no port 80 open, and never stores DNS credentials. One deploy agent can reach every SonicWall and other appliance on that network, so there's nothing to install on the firewalls themselves.

Our MSP works extensively with SonicWall. With certificate lifetimes getting shorter, we needed a solution to keep our clients' SSL VPN connections secure without overburdening our team. The team at CertKit delivered. They helped us develop a streamlined deployment method for SonicWall that makes certificate management simple and efficient. Even better, we're able to control the deployment window, preventing disruptions to our clients during the workday. I highly recommend CertKit to any organization struggling with certificate management.

Will Hoy, Owner, Norman Alan

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Enable the SonicOS API. Turn on the API with Digest authentication and create a scoped administrator account that can import certificates, update VPN settings, and commit.
  3. Install the CertKit Agent. One command on any Windows or Linux host with HTTPS reachability to the firewall. The agent runs as a background service and needs no inbound firewall rules.
  4. Add the SonicWall deployment script. The pre-built SSL VPN and IPSec templates are in your account. Set your firewall hostname and API credentials. CertKit runs them on every renewal.
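A check worth running after each deployment, as an added example that is not CertKit's agent code and not a SonicOS API call: connect to the SSL VPN portal, take the leaf certificate it actually presents, and compare its SHA-256 fingerprint with the leaf in the renewed PEM. A renewal that was imported but never re-bound, or whose commit failed, shows up as a mismatch instead of a user report. Port 4433 (the SonicOS SSL VPN default), the host and file arguments, and the function names are assumptions; the script uses only the Python standard library.

```python
"""Verify that a SonicWall SSL VPN portal is serving the renewed certificate.

Added example: not CertKit's agent and not part of the SonicOS API. It compares
the leaf certificate presented on the portal's TLS listener with the renewed
PEM bundle, so an import that was never bound or committed is caught here.
"""
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
DEFAULT_SSLVPN_PORT = 4433  # SonicOS default; change if the portal was moved


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form 'openssl x509 -fingerprint' prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def leaf_der_from_pem(pem: str) -> bytes:
    """Decode the first certificate in a PEM string.

    Renewed bundles usually hold the leaf followed by the chain; only the leaf
    is compared, because that is the certificate the portal binding selects.
    """
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return ssl.PEM_cert_to_DER_cert(pem[start:end])


def fetch_leaf_der(host: str, port: int = DEFAULT_SSLVPN_PORT, timeout: float = 5.0) -> bytes:
    """Connect to the portal and return the certificate it presents, as DER.

    Chain verification is switched off on purpose: the question is which
    certificate is being served (possibly the expired old one), not whether
    it validates. Nothing is sent after the handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(served_der: bytes, expected_pem: str) -> tuple[bool, str, str]:
    """Return (match, served_fingerprint, expected_fingerprint)."""
    served = fingerprint_sha256(served_der)
    expected = fingerprint_sha256(leaf_der_from_pem(expected_pem))
    return served == expected, served, expected


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <portal-host[:port]> <renewed.pem>", file=sys.stderr)
        return 2
    host, _, port = argv[1].partition(":")
    with open(argv[2], encoding="utf-8") as fh:
        expected_pem = fh.read()
    served_der = fetch_leaf_der(host, int(port) if port else DEFAULT_SSLVPN_PORT)
    match, served, expected = compare(served_der, expected_pem)
    print(f"served:   {served}")
    print(f"expected: {expected}")
    if match:
        print("OK: portal is serving the renewed certificate")
        return 0
    print("MISMATCH: certificate imported but not bound, or commit did not apply")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the same host as the agent once the deployment has finished (`python3 check_sslvpn.py vpn.example.net:4433 renewed.pem`); a non-zero exit is the signal to look at the binding or the pending-config state before anyone outside notices. The same comparison applies to any other TLS listener the certificate was bound to; IPSec (IKEv2) bindings have no TLS endpoint to probe this way.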

See the full architecture →

Why not import certificates manually?

The standard SonicOS renewal workflow is a GUI sequence: import the certificate under Device → Certificates, re-select it on the SSL VPN server settings and on each IPSec VPN policy, then commit. That works once. Run it manually on a fleet of TZ, NSa, and NSsp firewalls every 47 days and it becomes a source of outages, missed bindings, and expired SSL VPN portals discovered when a remote worker can't connect.

Running ACME directly on a firewall isn't really an option. Public CAs validate domain control with HTTP-01, TLS-ALPN-01, or DNS-01, and none of those belongs on a hardened security appliance. DNS-01 means storing DNS provider credentials on the firewall, so whoever compromises the firewall also controls your DNS zone and can have certificates issued for any name in it. HTTP-01 means opening port 80 inbound on a perimeter device, which is worse.

The SonicOS API itself is fiddly: Digest authentication, a config-mode and commit lifecycle, multipart certificate uploads, and an import endpoint that changed between SonicOS 7.1 and 7.3. We built and tested the deployment against both versions so you don't have to. CertKit issues the certificate via delegated DNS validation, then the agent handles the import, the SSL VPN and IPSec bindings, the commit, and the cleanup as one verified step, with no ACME client on the firewall.

SonicWall is just one part of your network edge

Most networks have more than one place where TLS certificates live: load balancers, VPN concentrators, web servers, and other firewall vendors like Palo Alto. CertKit automates all of it from one account.

See all integrations

Start automating SonicWall certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
