Declare Sophos XG to be default CA

Question

Hi *, 
 I dived deeply in the last few days to understand Certification Authorities integrated into Sophos XG. Therefor I successfully set up the Sophos XG to act as my main CA to access WebAdmin by importing the "Default" .der into my trusted roots certificates for my clients. This is why I am able to use SSL-inspection as well! 
 To avoid importing multiple trusted root certificates I was wondering if my XG firewall can act as CA for other devices in my network (e.g. for my Synology NAS). In theory I mean this: 
 
 Generate a self-signed certificate on my XG for "mysynologydevice.mydomain.com" signed by the "Default CA" of XG 
 Import the needed files into Synology 
 restart Webservices on Synology 
 access mysynologydevice.mydomain.com via webbrowser having a trusted connection, while the imported certificate is signed by XG's CA which was imported in the first place

I tried to do these steps on my Synology, but encountered issues with the files, that need to be imported (invalid private key). Is it even possible to sign certificates by Sophos XG CA for other devices? 
 
 best regards!

Michael Dunn · Accepted Answer

The quick answer is that the XG cannot be used to create certificates used by other devices. But you can have certificates used by other devices, and also have the XG both going up to the same CA that you trust. First, you may want to read this for general info: https://community.sophos.com/products/xg-firewall/f/recommended-reads/121482/https-decrypt-and-scan-faq You are also getting into a bit of PKI, you may want to read up on how that works. One thing is that you don't do anything directly with your root CA, you use intermediate CAs. The XG has an intermediate CA it uses for HTTPS scanning. Other intermediate CAs are used for other things, like signing your NAS. If you are using a lot of Microsoft stuff, look at "Active Directory Certificate Services". 
 However as general concepts, here is what I would do. Create your own root CA manually (eg with openssl or Microsoft AD). Use it to create two intermediate CAs. One will be your HTTPS scanning CA, the other for other internal certificates that you want to create. 
 On the XG, you import the root CA (without the private key). Then import the intermediate CA (with private key). You can then use the intermediate CA as your signing CA for web traffic. 
 Using the second intermediate CA, create a certificate. Install the certificate and private key onto your NAS and restart it. 
 On your clients, trust your root CA. If you clients go to your NAS directly they get a certificate signed by your intermediate, signed by your root (which they trust). If you clients do normal web browsing over the XG they get a certificate signed by your other intermediate (acting as a signing CA), signed by your root (which they trust). The XG will also naturally trust the NAS because it is signed by something that goes up to a CA that is trusted.

lki · Answer

Hi folks, 
 I dived a bit deeper into PKI (feels like I am still scratching on the surface)... Fact is: I am able to use the XG firewall as my CA for my network devices! 
 Basic Setup of CA on XG 
 
 Login on your XG and hop over to SYSTEM - Certificates - Certificates authorities 
 Hit the edit button of the Default CA and make sure all fields are filled with legal information 
 After these settings you hit Save and Download the CA files to your client(s) and import the certificate into your trusted root certificates. 
 
 Sign a new certificate for XG appliance 
 
 Head over to SYSTEM - Certificates - Certificates 
 By hitting Add you can generate a self-signed certificate. This certificate will be used as the user-certificate for the XG appliance. For the certificate you want to set up
 
 a friendly name 
 valid period 
 algorithm for the key and hash 
 optional: (strong) key encryption value 
 for the certificate id you can either chose the LAN ip address of the xg, but you rather want to have a dns entry for it ( mylovelyxgfirewall.domain.com )

Further on the Identification attributes should be the same as in the Default CA fields, if not you may enter same content in here. 
 After hitting Save a new certificate signed by the Default CA of XG is available for usage.

Set new certificate for XG appliance 
 
 Go to SYSTEM - Administration - Admin settings and choose the recently self-signed certificate. Hint: If you set the certificate id to an ip address you may redirect users to the first internal interface, the IP of the LAN interface! If you set a DNS like mylovelyxgfirewall.domain.com you may choose Use a different hostname and set it to your DNS entry ( mylovelyxgfirewall.domain.com ). 
 
 Set static DNS-entry 
 If we set the redirection to a specific hostname we have to make sure, that the hostname is related to our XG's ip address! We should follow these steps: 
 
 Navigate to CONFIGURE - Network - DNS 
 Scroll down to DNS host entry and hit Add to declare a static dns entry related to the interface ip 
 After that you may update your clients ip lease and/or DNS cache. A fine test is to ping or dns lookup the hostname ( mylovelyxgfirewall.domain.com ). 
 
 Notice: You can sign certificates for a hostname like anothernetworkdevice which is not a FQDN, but there will be issues by accessing a non-fqdn hostname from Windows-clients. You must at least use fqdns like *.local! 
 
 Sign certificates for third-party applications 
 Now that clients imported the Default CA from Sophos and trust all certs signed by this CA you may want to generate more certificates for (internal) devices. 
 
 Simply generate another self-signed certificate for your device (where the id is based on dns or ip) 
 Download the self-signed certificate 
 Import the necessary files to your (local) device, like a NAS or different router. 
 If necessary set another dns entry on the XG for this device 
 When accessing this device by a client who already trusts the Default CA by your Sophos XG your client will trust the connection to the device.

Notice! 
 Notice that this is still not viable for all business case since you may want to have a seperate machine as CA or an official CA to sign certificates for your applications and appliances in the network like webservers and so on! For smaller networks having an XG acting as DHCP, DNS and even SSL-Inspection it feels smart to use the Default CA by your XG to sign these certificates for any (internal) network device or application in the network.