
Sophos XG HTTPS Scanning Certificates

Hi,

I have configured HTTPS decryption and scanning but when I look at the certificate on a website it shows short validity periods, roughly 3 months. Is this normal?

To clarify, the certificate shown is the one issued by the firewall, but it's only showing as valid for roughly 3 months in the browser, but many years when looking at it under MMC on the client PCs.

Kind regards, Mike




  • Hi ,

    Thank you for reaching out to the Community! 

    Can you share the screenshots of the certificate that you see on the browser and the client? 

    Thanks, 

  • Hi ,

    Thanks for coming back to me.

    I have attached 4 screenshots, one of which shows the SSL_CA from my XG appliance that has been trusted by my MacBook, and the other 3 as below (issued by SSL_CA from the appliance):

       - expiring 9 March 2021

       - expiring 19 March 2021

       - expiring 12 February 2021

    I have double checked another couple of client devices and they get the same. Is this normal or have I configured something wrong? This is my first Sophos XG device, and it's not in production yet, so there is time to get it right (phew).

    Kind regards,

    Michael

  • That's fine.

    Because of restrictions by Google, XG has to create very short-lived certificates and caches them. 

    See: https://support.apple.com/en-us/HT211025

  • Hi ,

    I'm seeing this issue on Windows 10 PCs too. The certificates shown in Chrome have the exact same expiry date. Is that to be expected? Will the Sophos XG appliance then reissue/re-sign after the expiry date shown?

    Kind regards

    Michael

  • XG uses the CA, which you deployed to the clients, to generate a certificate. This certificate will be short-lived, to cover the requirements by Apple. XG does not create a new certificate per OS; instead it uses the same certificate across all clients. 

    Before this cert expires, XG uses the CA to create a new cert for your page. As far as I can remember, a reboot will also clear the certificate cache. 

    Overall, it should not cause any issue at all. You need to redeploy in 2036. 
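As an added example (not from this thread or from Sophos), a small Python check of what a client behind the proxy actually sees, using only the standard-library ssl module: it takes the dict shape returned by ssl.SSLSocket.getpeercert(), reports whether the leaf was issued by the deployed appliance CA and how many days remain before the firewall must reissue it. The CA name SSL_CA and the 9 March 2021 expiry come from the thread; the sample certificate dict itself is constructed, and fetch_peer_cert is provided for running the same check against a live host.

```python
import socket
import ssl
from datetime import datetime, timezone


def _cert_time(value):
    """Convert a getpeercert() timestamp ('Mar  9 00:00:00 2021 GMT') to an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() subject/issuer tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def inspect_cert(cert, appliance_ca_cn, now=None):
    """Describe an intercepted leaf: who issued it and how long until the proxy must reissue it.

    `cert` is a getpeercert()-style dict, `appliance_ca_cn` the CN of the CA deployed to
    clients, `now` an aware datetime or a getpeercert()-style time string (default: current time).
    """
    if isinstance(now, str):
        now = _cert_time(now)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    issuer_cn = rdn_value(cert["issuer"], "commonName")
    return {
        "subject_cn": rdn_value(cert["subject"], "commonName"),
        "issuer_cn": issuer_cn,
        # True when the chain ends at the deployed proxy CA rather than at a public CA.
        "intercepted": issuer_cn == appliance_ca_cn,
        "validity_days": (not_after - not_before).days,
        "days_remaining": (not_after - now).days,
        "expired": now >= not_after,
    }


def fetch_peer_cert(host, port=443):
    """Fetch the leaf a client really receives; uses the default trust store, so the appliance CA must be installed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample mirroring the thread: issued by SSL_CA, roughly 3 months, expiring 9 March 2021.
SAMPLE_INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "SSL_CA"),),),
    "notBefore": "Dec  9 00:00:00 2020 GMT",
    "notAfter": "Mar  9 00:00:00 2021 GMT",
}
```

Running `inspect_cert(fetch_peer_cert("www.example.com"), "SSL_CA")` from a client confirms both that interception is happening and when the cached certificate is due to roll over.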

  • Thanks .

    I did do a reboot but it didn't clear the cache, and I can't see anything in /var/certcache either, but if the certificate validity is changing for different websites then it must be working. Hopefully it will renew on 9 March, otherwise I'll have some upset users lol

    Thanks for your help, much appreciated!