Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 27 subscribers
  • Views 3649 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problems with Appliance Cert (Change to a new one)

AndréAegerter

hi all

Target. a new SAN certificate for the appliance with the same FQDN name as now.

Means I have to delete the current certificate (first change to a different, locally stored certificate) and only then can I upload the new one, I understand. If I want to delete the certificate, the message appears that this is not possible because it is still in use either with IPsec, with L2TP or with SSL connections.

Only, I unfortunately do not find any settings under the item Configure / VPN, where I find the certificate, which I want to delete and apparently there should apparently switch to another one before I can delete it?

As long as the old appliance certificate with the same FQDN name is still available on the firewall, I will not be able to load a new SAN certificate with the same FQDN name on the XG Firewall. How do I do it?

With the Sophos UTM, this is much easier and better solved when it comes to, e.g. Delete or replace certificates. The Sophos UTM shows you exactly where what is still in use.

Here at the Sophos XG? yes, where, how, what?
I changed the appliance certificate, which was previously configured for web interface access, in the configuration.

Under System / Administration / Admin Settings / Admin console and end-user interaction, point certificate, I switched to another certificate, in the hope that I would then save the certificate for the appliance that was to be replaced by then (SSL access to the web console ) can easily delete.

But far from it, the XG complains and says that this is still in use, but where then, dear world?

 

cheers
André



This thread was automatically locked due to age.
  • 0

    Actually you can upload the exact same certificate, but the "XG name" (Object name") has to be different. You do not have to replace the current certificate. 

    I am doing exactly this in my XG for long time with lets encrpyt. The Hostname is everytime the same but i place a date beside the Hostname object name and can upload it.

    Then i replace the certificate as needed. 

     

    PS: Did you check:

    Wireless / Hotspot

    Email General Settings

    WAF Firewall Rules? 

  • 0 in reply to LuCar Toni

    Ciao LuCar Toni

    No, i'm not check all your listet points (still coming) :-)
    Now, i have another Probelm. Only Troubles with Certificates on Sophos XG, what's happening? *grrr*

    I converted the .pfx file to .pem Format (Cert with private key included) and in this way, i was able to upload my Subordinate Cert - generated from a Subordinate Template on my Intermediate  Windows Server 2016.

    Upload under System/ Certificates/ Certificate authorities was successful in this way, as mentioned, But: You don't believe it, under Poin Protect/ Web/ General Settings/ HTTPS decryption and scanning: Here, you can select this one here => HTTPS scanning certificate authority (CA). you can guess: could I choose my Sub CA Cert here or not? of course not, why not?

    Then, the the the next disappointment. I thought to myself, ok, then I choose a completely different path. Thought ok, this link is the solution https://community.sophos.com/kb/en-us/127885

    But: You don't believe it - again a Problem. For tha, you must able to generate a CSR directly from Sophos XG (look the Link, you can show the pictures). I'm not able to select this Point here => Generate certificate signing request (CSR). What the hell, sorry my language :) This is really crazy or not? 

    And: not enough, this message here too => All admin and local user accounts must reset their passwords per KBA135412Click here to access the User page.
    Oooook, whats going on? yes, i have already changed my passwords on Sophos XG (local Admin). The other User is Active Directory integrated, so, i changed on my Domain Controller - finish.

    Maybe, the best way is to delete my Virtual Machine Sophos XG. then, load the newest version from Sophos Online Portal, restore my last configuration and then, i hope so, i have a clean Sophos XG with all function, and able to configure all everything that doesn't work now?! :-) 

    What do you think, better solutions?

  • 0 in reply to AndréAegerter

    If you check the PEM; you uploaded, does it include a privat key and a public key in the file? If you cannot select it as HTTPS Scanning, it indicate, this certificate is missing the privat key. 

    And what do you mean, you cannot Select CSR on XG? Can you show a screenshot of this point? Is your appliance registered or did you skip the Registration? 

  • 0 in reply to LuCar Toni

    The goal is, https scanning. 

    The goal is https scan, so far it has worked without problems.
    What is the problem? Since using Google Chromium: i open my Browser (Edge Chromium) and connect to the admistration Site from my Sophos XG over https://utm.domain.ch and the following error message appears: NET::ERR_CERT_COMMON_NAME_INVALID. I can also look the pem encoded chain. 

    abbreviated form

    -----BEGIN CERTIFICATE-----
    MIIHSzCCBTOgAwIBAgITHwAAB8zCdSWAEoszowABAAAHzDANBgkqhkiG9w0BAQ0F
    ADBlMRIwEAYKCZImiZPyLGQBGRYCY2gxFzAVBgoJkiaJk/IsZAEZFgdpdC1uZXR4
    MRQwEgYKCZImiZPyLGQBGRYEY29ycDEgMB4GA1UEAxMXSVQtTmV0WCBJbnRlcm1l
    ZGlhdGUgQ0EwHhcNMTkwNzExMjEyNTI0WhcNMjEwNzEwMjEyNTI0WjBuMQswCQYD
    VQQGEwJDSDELMAkGA1UECBMCU08xEDAOBgNVBAcTB1p1Y2h3aWwxFTATBgNVBAoT
    LW5ldHguY2gwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDn7VG9pxwC
    QoK/jn3nBWJsl2aw1op9Uk7tetXJmT0/K9QvNY92nzEGEykZKjEPgiqP5EH/1rWS
    ucMdUiyzGzZcTC1MfBWdlexf..................................
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIG5zCCBJugAwIBAgITNwAAAARDYck9H8JG7gAAAAAABDBBBgkqhkiG9w0BAQow
    NKAPMA0GCWCGSAFlAwQCAwUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUA
    ogMCAUAwGjEYMBYGA1UEAxMPSVQtTmV0WCBSb290IENBMB4XDTE3MDcwNDE3MTEy
    OVoXDTQ3MDcwMTE4MzM1NFowZTESMBAGCgmSJomT8ixkARkWAmNoMRcwFQYKCZIm
    iZPyLGQBGRYHaXQtbmV0eDEUMBIGCgmSJomT8ixkARkWBGNvcnAxIDAeBgNVBAMT
    F0lULU5ldFggSW50ZXJtZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
    fpjJpslMagL8gycGelsZLMjYO+NMpbTlexdJs7gVDnGCpZ5mQKB/XVWYfDN+9oks
    siJjjuatJyWeKzncnELSW64nLj+mN3jUg8be8//XFePYnmUMAACJqOGoJjaePcLa
    y/i+pVUgt1mEodB30/CeFHUNsuJVqduH+kF07GjL9IA/daDR4hQzhjIDNBNcaKHz
    e5mm8in8jiPlEY4ZOwW8ESRiv+1fiMXTa1zP.............................................
    P63Oj6fihnqDO6uwBvHiBHh5x17Sn1sGerV7zpUpNB7rRDTV9BsODCOb6w==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFdzCCAyugAwIBAgIQQqpmXwI32JtPglVcEv/tVDBBBgkqhkiG9w0BAQowNKAP
    MA0GCWCGSAFlAwQCAwUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogMC
    AUAwGjEYMBYGA1UEAxMPSVQtTmV0WCBSb290IENBMB4XDTE3MDcwMTE4MjQwNFoX
    DTQ3MDcwMTE4MzM1NFowGjEYMBYGA1UEAxMPSVQtTmV0WCBSb290IENBMIICIjAN
    BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwbDjbIa4Rn2PuNxevZv8eQSXDMKu
    NM7izKgjJnn3H7kpDA2jV2uAdhOUDvdWk7OTsgdNGsFkav3rexBE/lAHEb/rIOKQ
    wsKYtBp0LVPCxuuPBYrLPwZiClfRj+emK1TZUvhoDr12HARQpiwO1qTQ3mezUNzf
    U1DPyYf4kZ9IHx8A0oQ1Kzh9BOCp1DeeUv3ObqB8PhdA3LDYEqhviUtKNzPGln9s
    YJPmjBekvMOm5pzG08Ju0s/P4vf1oDS+57zBpSX9ANuslfSyasqUWHEwqktzr3le
    j1srCm+9GW0A/b7Pzh2sZnTWGfxSrOhCQIDI2xGbhzcBYi6pYn16kJPGQ6n+qudc
    4sNlRQCgvXQCET034UVM6MTeI5L4Gxiy72rcobv/Xaq5hoNZrKIgjeFgqHWMZBKg
    pm/gtRMzUbzAv40AI0pouLznlDOG4eYxQ+8WkZ+6ElC/OgNJ2KJa956Jto7/EkKo
    gUbYJPPEZClGZZA=...........................................................................
    -----END CERTIFICATE-----

     

    what does my infrastructure look like in terms of certificate management? I have a domain, a root certification authority, an intermediate certification authority and so far my Sophos XG Firewall was also a subordinate certification authority, why?

    Because I can block the Sophos XG certificate with my Windows CA infrastructure - for example, if it is compromised.

    I created the certificate for the Sophos XG based on the template Subordinate Certification Authority and under the Sophos XG, i had uploaded the cert under the point Systems / Certificates / Certificate authorities.

    So, my Sophos XG can work as Subordinate CA (e.g. HTTPS scanning) and it is also possible to access the Sophos XG Firewall over HTTPS (Admin Portal).
    But now, I created again as before the certificate for the Sophos XG based on the template Subordinate Certification Authority and as mentioned, I was also able to upload the certificate in the Sophos XG under the item Certificate authorities.

    I had created the certificate signing request on my Windows intermediate certification authority. From this .pfx file I made a .pem file, that was the way up to here.
    Because something seems to be wrong with the certificate, I just wanted to take the path that Sophos Support suggests.

    Have a look at this URL https://community.sophos.com/kb/en-us/127885 you can show the way to go.
    You can see, it is also posible to generate certificate signing request (CSR) directly on the Sophos XG. 

    I would very much like if I could, but the function is, for whatever reason, grayed out on my firewall, why?

    Look my Screenshot, please and tell me why? :-(
    It's not funny, I'm wasting a lot of time. marked in yellow = is grayed out, why?

  • 0 in reply to AndréAegerter

    Is your appliance registered? 

    I did this couple of times, worked everytime. But as your option is greyed out, i am wondering: Is your Appliance registered or not? Or did you skipped the registration?

    Could you share a Screenshot of CA and Certificates (Please high res, as we cannot see anything on your screenshot). 

     

  • 0 in reply to LuCar Toni

    Sophos XG registered?
    I thin so. The section Registration is completed e.g. 

    - SFVH (C010012G6R9VKCC)
    - Company name
    - Contact person
    - Registered email address

     

    Module subscription details              Status              Expiration Date

    - Base firewall                                 Evaluating        Tue 31 Dec 2999
    - etc.

    By the way: I was now able to successfully implement a CA in the Sophos XG, which also e.g. is available or selectable under the item Protect / Web / General Settings and can now again also use the feature HTTPS scanning *smile*.

    Also under the Point System/ Certificates/ Certificates, i was now able to implement the same Cert (i gave the name: appliance cert) for accessing the VM Sophos XG over https (over Browser) to access the Management Site :-)

     

    But two things still don't work:

    • I can't delete the old appliance certificate on the Sophos XG, because it still thinks it's in use and I can't find the location.
      She says: I should look under L2TP, iPSec etc. Yes I have?!
    • Generate the CSR oder Sophos XG, Point: System/ Certificates/ Add/ her you can see the Point: Generate certificate signing request (CSR)
      I have an idea: It can be, because of it that i use the whole certificate chain from my Windows CA Infrastructure, that is importet under Certificate authorities under Sophos XG and now she thinks, why do I want to do a CSR locally on the Sophos XG, I have a CA?

      No, that was fun. No idea

     

    cheers
    André