When downloading the XG appliance cert it's in .PEM format.

If I want iOS users to install this cert then it's compatible. 

How do you distribute this to staff who use their personal phones onsite for email access etc.  I presume this .PEM will need converting?

Please advise.

Thanks



This thread was automatically locked due to age.
  • Rename the file to .cer and then it's easier to install for end users; on Windows you can right-click then install .cer files. For iOS I think you're going to have to convert to a pfx file, which you can do via an online tool like the one at https://www.sslshopper.com/ssl-converter.html. I don't have an iPhone personally, but to start with it's worth trying to open the .cer file on an iPhone first to see if it is sufficient; if it's not then you will need to create a pfx file. I think the .cer certificate will be sufficient but there looks to be an additional step required:

    https://community.sophos.com/kb/en-us/126895

    I personally don't use HTTPS decrypt and scan for WiFi clients simply because of this issue. You can use Sophos Central Mobile or something like Microsoft Intune to deploy your certificates for you, but it does require the BYOD devices to be enrolled first. All I did was create a separate firewall rule for WiFi devices without HTTPS decrypt and scan enabled.

    JK
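
Added example (not part of any post in this thread, and not Sophos code): a check to run on the downloaded file before sending it to BYOD users. It confirms the file holds only a certificate and no private key, decodes the PEM body to DER, and computes a SHA-256 fingerprint that users can compare after installing. The function names and sample bytes are constructed for illustration; the sample is not a real certificate.

```python
import base64
import hashlib
import re

# Matches one PEM textual block: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def pem_to_der_certs(pem_text):
    """Return [(der_bytes, sha256_fingerprint)] for each CERTIFICATE block.

    Raises ValueError if the file carries private key material or no
    certificate at all, so a CA key is never handed out by mistake.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; do not distribute it")
    results = []
    for label, body in blocks:
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            raise ValueError("CERTIFICATE block does not decode to DER")
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
        results.append((der, fingerprint))
    if not results:
        raise ValueError("no CERTIFICATE block found")
    return results

def wrap_pem(label, raw):
    """Wrap raw bytes in PEM armor (used only to build the constructed samples)."""
    body = base64.encodebytes(raw).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed placeholder bytes, NOT a real certificate or key.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT_PEM = wrap_pem("CERTIFICATE", SAMPLE_DER)
SAMPLE_WITH_KEY = SAMPLE_CERT_PEM + wrap_pem("RSA PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    for der, fp in pem_to_der_certs(SAMPLE_CERT_PEM):
        print(len(der), "bytes DER, SHA-256", fp)
```
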

  • Hi,

     I renamed the certificate to p12 and sent it to myself. Double-clicked on the iPhone mail message and the certificate asked to be installed.

    Ian

  • rfcat_vk said:

    Hi,

     I renamed the certificate to p12 and sent it to myself. Double-clicked on the iPhone mail message and the certificate asked to be installed.

    Ian

     

     

    Just tried this but the iPhone says this file is not supported.  :(

  • What version of iOS are you running?

    I just tried it again and was advised to review my profile if I want to install the certificate.

    I downloaded a new PEM from the XG, changed the name to .p12 and sent it to myself. Double-clicked on the iPhone and was asked to review the profile if I wish to install it. So now I have two copies of the XG SecurityAppliance_SSL_CA installed.

    Ian

  • Did you try that article about the cert store trust on iOS? As the PEM should be enough for iOS to HTTPS decrypt and scan too, but it sounds as if you have to perform that extra step first to get it to work on iOS. This gives you an idea of why I ended up opting for creating a separate firewall rule with HTTPS D&S disabled for my WiFi clients. If I had to have it running I'd use one of my mobile device management tools to install the certs and then simply enrol devices via an email. It seems like it might be the simpler answer for iOS in this situation to use MDM. I have a Sophos Central Mobile licence myself but honestly I don't use it, as I was already using MS Intune for MDM to start with and I haven't had the time to teach myself Sophos's MDM yet. With Intune I've deployed certs before and it's quite easy to do, so it's the end user part again that is the hard part.

    JK

  • Interesting, I didn't realise Apple had even changed the certificate requirements. I don't generally need to support many iOS / Apple devices personally so it's never come up. I'm assuming this new requirement only stops the adding of installed certificates to the trusted store rather than installing them full stop, or do I have that wrong? (This wouldn't make much difference in this case though; it's just out of curiosity I ask about this last point.) Sounds like this might be the issue here then, at least until MR9...