Removing the "Not secure" in browsers in Captive portal

Hi Kandarp Desai1 

Please refer to the article- https://community.sophos.com/kb/en-us/132678

The article will explain the scenario in detail.

Hi Keyur thanks for the response. I actually went thru the article before posting my query here.

Could you let me know if what we want is possible if we go with a Trusted SSL vendor like Godaddy?

Hi Kandarp Desai1 

As you have checked the article, you have referred the second method which is "Use a signed certificate by a trusted CA", it means you can use you any Trusted CA (Certificate Authority).

There are 2 options to get Certificate from Trusted CA.

1. Generate Certificate Signing Request (CSR) from the XG Firewall and send it to a Certificate Authority provider such as Verisign or Go daddy to sign it for you. The main benefit from this option is the customer chooses his certificate's private key (Not the CA provider). The private key has to be stored securely and never divulged.  
2. Ask the Certificate Authority provider to generate a CSR and sign it for you. With this option, the CA provider chooses your certificate's private key on your behalf and send it to you along with its passphrase (if there is any) when your certificate is signed.

You can opt any of the methods, you can share the article with Godaddy and explain them with the situation.

The Certificate Authority should send you back your signed certificate with all required subordinate certificate (if there is any) to maintain the chain of trust.

The private key and its passphrase downloaded earlier must be used when uploading the certificate. Once you complete the process, you can use the certificate for Captive Portal as well as Web admin console.

Hi Kandarp Desai1 

As you have checked the article, you have referred the second method which is "Use a signed certificate by a trusted CA", it means you can use you any Trusted CA (Certificate Authority).

There are 2 options to get Certificate from Trusted CA.

1. Generate Certificate Signing Request (CSR) from the XG Firewall and send it to a Certificate Authority provider such as Verisign or Go daddy to sign it for you. The main benefit from this option is the customer chooses his certificate's private key (Not the CA provider). The private key has to be stored securely and never divulged.  
2. Ask the Certificate Authority provider to generate a CSR and sign it for you. With this option, the CA provider chooses your certificate's private key on your behalf and send it to you along with its passphrase (if there is any) when your certificate is signed.

You can opt any of the methods, you can share the article with Godaddy and explain them with the situation.

The Certificate Authority should send you back your signed certificate with all required subordinate certificate (if there is any) to maintain the chain of trust.

The private key and its passphrase downloaded earlier must be used when uploading the certificate. Once you complete the process, you can use the certificate for Captive Portal as well as Web admin console.

Just to be sure, you are not talking about the SSL Inspection feature.

https://community.sophos.com/kb/en-us/132997

Hi Keyur and Lucar , I am referring to this article as well ( https://community.sophos.com/kb/en-us/132058)

The steps involved would be as follows ( please correct if wrong ) 

- Change the hostname of the Sophos XG firewall to an FQDN

-Use this FQDN to get a certificate from a trusted root authority

- Upload this certificate to the Sophos XG firewall to replace Appliance Certificate

- Now I configure one DNS host entry that will resolve the FQDN:8090 to the internal IP

- Captive portal now opens without any Certificate errors .

Am i missing any steps ? Is this correct ?

You need to look up the difference between a FQDN and a Hostname. 

https://serverfault.com/questions/269838/what-is-the-difference-between-a-hostname-and-a-fully-qualified-domain-name

Basically XG should be only a hostname. 

For example "XG". 

Your Domain is "domain.com". 

The FQDN would be xg.domain.com. 

Your Certificate would be for xg.domain.com. 

Your DNS would have a record for xg to your local IP Address. 

Thanks Lucar,

That cleared a lot of things up. My main aim to do all these above things (going with Trusted CA) , is to avoid uploading of this certificate to each browser on each host ( there are a LOT of  systems in the premises) :) !!!