SFOS V18 breaks the Pocket Guide for using Digital Certificates in IPSEC VPN connections

There were some Certificate handling changes included in the recent MR5. community.sophos.com/.../sophos-xg-firewall-v18-mr5--build-586-is-now-available

Can you verify if indeed certificates are actually downloadable as PEM files? If so do point me to the correct steps.

Hi,

which certificates are you trying to download?

My XG self signed down loads as a CRT, the XG default downloads as a PEM, One other XG CA downloads as a TAR.

Ian

Hello John,

Adding to what has been mentioned.

If you download a Certificate from the Certificates, it’ll download as .crt but it’s encoded with PEM. so you can simply change the extension to .pem

If you Download the Default Certificate from the Certificate Authorities it will download a .tar file that contains a .pem and .der

If you Download the SecurityAppliance_SSL_CA it will be downloaded as a .pem

Regards

Hello John,

Adding to what has been mentioned.

If you download a Certificate from the Certificates, it’ll download as .crt but it’s encoded with PEM. so you can simply change the extension to .pem

If you Download the Default Certificate from the Certificate Authorities it will download a .tar file that contains a .pem and .der

If you Download the SecurityAppliance_SSL_CA it will be downloaded as a .pem

Regards

Ok. Thanks for the clarification. And yes I am downloading self signed certs as per the guide. Do hope Sophos can standardize the behavior to avoid confusion. Also just got an email which basically is telling people XG is coming to an end in a few more years.... Product lifecycle seems to be getting shorter and shorter which I assume ultimately is to boost sales under the guise of providing more performance and security .

they are moving to XGS.

Ian

Yeap can see that. My customers who just migrated from Cyberoam to XG this year are absolutely thrilled to learn their purchase will not have any renewable support after 2023.

I expect you will find the new XGS software will run on some of the older boxes. Not XG 85 or 86 or 105 or 106.

ian

That'd be the absolute last resort provided Sophos officially allows them  to renew subscriptions for those after 2023. Our experience with Cyberoam has taught us it'd be a lot safer not to expect that  though... hence the 'thrill' stemming from this recent memo.