This discussion has been locked.

HTTPS decrypt and scan using Letsencrypt wildcard cert?

Does anyone know how I can use my Letsencrypt wildcard cert for XG HTTPS scanning? I've got the cert installed and it works for everything but HTTPS scanning; I can't see how I can get the cert to show in the HTTPS scanning dropdown.

Can someone point me in the right direction please?

Basically I want to use a cert for HTTPS scanning that won't require a cert install on my clients.

JK



  • No, I was mistaken: the cert went on to the CA page and I was able to select the cert on the web scanning page. But my browser is still showing the Sophos_sslappliance cert for HTTPS decrypt. What could I have done wrong?

    I've got a Letsencrypt cert from SSLFORFREE, as you can now get free wildcard certs, but they give it to you in .crt format. Should I not add it to the certificate page and just the CA page, or what?

    What openssl commands would convert my certificate.crt, CAbundle.crt and private.key to the right format to use for HTTPS scanning?

    Thanks

    JK

  • Hey John,

    Take a look at this community thread (from our email appliance group, but the information still applies).

  • Hi,

    Simple answer: it is not possible to use a public wildcard CA for HTTPS.

    Detailed answer: https://community.letsencrypt.org/t/has-anyone-ever-set-up-a-transparent-https-proxy-with-lets-encrypt/47020

    You would need a CA with private key to create a certificate for every domain on earth.

    Basically you would be able to do man-in-the-middle inspection for every client, because every client trusts you. And at this point, we can stop using TLS/SSL at all.

  • I was under the impression HTTPS scanning could use any public CA? Letsencrypt does use a signed public CA, so can it not be used with that CA?

    Otherwise, where can I get a public CA cert from for free? Surely there is a way to get a free CA cert that can be used for HTTPS inspection / scanning?

    I have the CA bundle, so that has the root CA in it. I've actually got the CA to register, but it's not actually working as the browsers still show the Sophos cert. Why would that be? It's selected in web scanning.

    Ta

    JK

  • Funny point: you are not able to get any CA to do HTTPS scanning, even if you pay X million dollars.

    To take a closer look into this: you would need to buy a public CA! You would have to go to a root CA and ask them to give you their private key. I think they won't do it, will they?

    You need to have a CA which can create a certificate for google.com, for example. And every client on earth would trust you.

    You can only use "self signed" CAs (like from your Microsoft domain) or the onboard SSL CA.
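
The reason given in the two answers above (an issuer needs a CA private key, and no public root will hand one over) can be checked locally with openssl, which also answers the earlier question about what openssl would do with a certificate.crt and private.key. The script below is an added example, not from this thread and not Sophos code: it builds a throwaway private root CA and a root-issued wildcard leaf of the shape a public CA gives you, shows that the leaf carries CA:FALSE, and shows that any certificate signed with that leaf fails chain validation. Every file name, subject and domain (Demo Inspection Root CA, *.example.net, www.example.org) is constructed for the demo; it needs only the openssl CLI and writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: use openssl to show why an end-entity
# (leaf) certificate such as a public wildcard cert cannot act as an
# HTTPS-inspection CA. All names, paths and domains below are constructed.
set -eu

WORK="$(mktemp -d)"

# One config file serves every step: a CA extension section (CA:TRUE,
# keyCertSign) and a leaf section of the kind a public CA issues (CA:FALSE).
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Inspection Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:*.example.net
EOF

# A private root CA, the kind a firewall or an AD CS deployment actually uses.
make_root_ca() {
    openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# A wildcard leaf issued by the root: a .crt plus private key, no CA rights.
make_wildcard_leaf() {
    openssl req -new -config "$WORK/demo.cnf" -subj "/CN=*.example.net" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/wild.key" -out "$WORK/wild.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/wild.csr" -days 30 -sha256 \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/demo.cnf" -extensions v3_leaf \
        -out "$WORK/wild.crt" >/dev/null 2>&1
}

# is_ca_cert FILE: succeeds only if the certificate asserts CA:TRUE.
# Run this on any cert before expecting it to sign certificates for others.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# verify_chain LEAF ROOT [INTERMEDIATE]: succeeds only if a client trusting
# ROOT would accept LEAF; INTERMEDIATE is offered untrusted, as a server would.
verify_chain() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# leaf_can_issue_trusted_cert: does what an inspecting proxy must do, mint a
# certificate for a third-party name, but signs it with the wildcard leaf.
# Succeeds only if the result would validate against the root. It should not.
leaf_can_issue_trusted_cert() {
    openssl req -new -config "$WORK/demo.cnf" -subj "/CN=www.example.org" \
        -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/site.csr" -days 30 -sha256 \
        -CA "$WORK/wild.crt" -CAkey "$WORK/wild.key" -CAcreateserial \
        -out "$WORK/site.crt" >/dev/null 2>&1 || return 1
    verify_chain "$WORK/site.crt" "$WORK/root.crt" "$WORK/wild.crt"
}

demo() {
    make_root_ca
    make_wildcard_leaf
    is_ca_cert "$WORK/root.crt" && echo "root.crt: CA:TRUE, can issue certificates"
    is_ca_cert "$WORK/wild.crt" || echo "wild.crt: CA:FALSE, cannot issue certificates"
    verify_chain "$WORK/wild.crt" "$WORK/root.crt" && echo "wild.crt validates as a server cert"
    if leaf_can_issue_trusted_cert; then
        echo "unexpected: a cert signed by the wildcard leaf validated"
    else
        echo "site.crt signed by wild.crt fails validation: leaf is not a CA"
    fi
}

demo
```

The same `is_ca_cert` check against a real public wildcard certificate prints nothing, because public CAs issue leaves with CA:FALSE; only the private root you create yourself (or the firewall's built-in CA) passes it, which is why that is the only kind of certificate the HTTPS scanning dropdown can use.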

  • Are you sure? I was just reading an article for another product's HTTPS inspection that said you could use a public CA. Surely it's possible; can I do it with a CSR? As long as it's a CA root cert it should work, right?

    Is HTTPS decrypt and scan worth using?

    JK

  • I am quite sure. This is a common question, because everybody wants it: you could do HTTPS scanning without needing to push a cert to clients, and you could scan guest networks.

  • OK, thanks for filling the gap in my understanding of the feature.

    Is it worth using HTTPS scanning though? I realise it's needed to decrypt HTTPS traffic, but what I don't know is whether this means all HTTPS traffic goes completely unscanned without that setting enabled. Does Sophos XG use signature-based malware scanning on HTTP & HTTPS traffic or not? If it does use signature-based malware scanning, then what advantage will enabling HTTPS decrypt and scan have over it being disabled?

    It's just that I've always worried about any sort of HTTPS inspection, because wouldn't it in theory leave you at higher risk of being vulnerable to man-in-the-middle type attacks?

    Basically I'm still undecided whether I really need to use HTTPS scanning or not.

    Also, one other thing I've never been sure of is whether I should be using web filtering / malware scanning on XG, as I use Sophos Central Endpoint Advanced too, and I still wonder if they might conflict or cause problems in web scanning altogether, as I know two malware scanners running at the same time is never a good idea. So should I pick one or the other, or is using both definitely OK?

    I'd love to hear thoughts on this.

    Thanks

    JK

  • Hi,

    It is a common question, so you will find a couple of articles on the internet about HTTPS scanning / HTTPS inspection / TLS inspection: why should I use it, is it safe, and so on.

    XG is not able to detect malware with Sandstorm / pattern-based scanning if you don't use HTTPS scanning. You can check it via EICAR and an HTTPS site.

    Next question: private or company device?

    There should be no conflict between Central and XG, because we designed our products to work like this.

  • That answer was what I've been trying to find out for a while. I need HTTPS scanning on to use the web scanning features then?

    Company device, fully licensed with the Central suite.

    JK

  • How it works: if HTTPS scanning is off, the XG can see the domain name that you are connecting to and do categorization on it. If it is allowed, then everything else is inside an encrypted tunnel and the XG knows nothing and can do nothing. If HTTPS scanning is on, then the XG does man-in-the-middle to decrypt all traffic. Clients will throw up warnings unless the Certificate Authority is installed on them (they warn because someone can man-in-the-middle, exactly what we are doing). Doing HTTPS scanning does not make you more vulnerable to other MITM attacks, though in theory if the XG was insecure (you didn't have strong passwords and someone logged in as admin) then an attacker could leverage the XG. But at that point you have bigger issues than the fact they can see inside the HTTPS traffic.

    If you have AV scanning on your endpoint, it is perfectly fine to also scan on the XG. There is no problem with scanning twice (aside from it taking longer), and in fact you can specifically turn on a second independent AV scanner within the XG. Some people like to have Single Scan with the Avira engine on the XG and then Sophos AV on the endpoint, with the concept that two different scan vendors are better.

    If your concern is blocking access to categories of websites, then in general HTTPS scanning is not required. With no HTTPS scanning, the XG can do categorization of the domain name but not of the full URL, which is good enough for most.

    If your concern is malware and you don't have an anti-virus scanner on every computer, then you should have HTTPS decryption so that the XG can run AV scanning on everything.

    If your concern is blocking the download of certain file types, you will need HTTPS scanning.

    If your concern is application control, you will be able to control much more with HTTPS scanning.

    If you control every computer that connects to your network, then it is easy to deploy a CA to them all. If you control every phone and use corporate phone management, you can deploy a CA as well. If you have guest networks it is harder. But then if you have guest networks, that means you may have endpoints without AV and therefore want the scanning on.

    Everything is a trade-off.