SSL certificate is not selectable for admin console and end-user interaction

Hi all,

I have a problem installing/using a signed SSL cert to secure HTTP access to the admin panel and user interface.

What I did:

  • I created a CSR in Sophos XG (18.0.5)
  • I used the CSR to order an officially signed SSL cert
  • after verification via DNS I got the certs
  • I uploaded the intermediate and root cert
  • I then uploaded the host's cert
    • via .pem
    • no passphrase
    • no key file

The cert file is shown with a green check mark.

I double-checked the cert's signing path (-> intermediate and root cert); they do exist and are valid. So there is a valid key chain.

However, the host's cert is not selectable for SSL encryption of the admin interface. The dropdown just won't show the certificate. (Same with VPN settings.)

Is there any way to check what is wrong and why the cert is not showing up?

Thanks a lot in advance.

Regards

 Chris



  • This is the log output when I upload the cert:

    SFVH_SO01_SFOS 18.0.5 MR-5-Build586# tail -f /log/*.log | grep -i certificate
    Jul 02 17:22:55 upload_certificate called
    Jul 02 17:22:55 getting certificate cert_FastSSL_2021_3y id and value
    2021-07-02 17:22:56 26[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    [Fri Jul 02 17:20:59.072223 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65004:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:20:59.144865 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65003:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:22:57.072711 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65004:0 server certificate does NOT include an ID which matches the server name
    [Fri Jul 02 17:22:57.144829 2021] [ssl:warn] [pid 9734:tid 4150517824] AH01909: manage.cyberoam:65003:0 server certificate does NOT include an ID which matches the server name
    2018-10-27 18:18:25 INFO Prune.pm[15014]:28 SFOS::HBtrust::Prune::prune - /conf/sysfiles/heartbeatd/certificate_store.db has been removed
    2018-10-27 18:18:25 ERROR CertificateHandler.cpp[6318]:81 updateFingerprints - Can't open database: unable to open database file
    WARNING: Skipping expired Certificate Sigen_CA.pem
    WARNING: Skipping duplicate certificate AAACertificateServices.pem
    WARNING: Skipping expired Certificate Thawte_Timestamping_CA.pem
    WARNING: Skipping expired Certificate Sigov_CA.pem
    WARNING: Skipping expired Certificate Netrust_CA1.pem
    WARNING: Skipping expired Certificate Microsoft_Root_Certificate_Authority.pem
    WARNING: Skipping expired Certificate Sonera_Class_2_Root_CA.pem
    WARNING: Skipping expired Certificate Comodo Add Trust External CA Root.pem
    WARNING: Skipping expired Certificate QuoVadis_Root_CA.pem
              'client_key_file' => '/conf/certificate/private/cbaum%40int.chrolya.de_15FE62071E2.key',
              'client_cert_file' => '/conf/certificate/cbaum%40int.chrolya.de_15FE62071E2.pem',
    2021-07-02 17:22:56 26[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2021-07-02 16:22:55,360:INFO:CSC - Keys in json: ["hextimestamp", "___serverport", "certformat", "certfile", "___component", "type", "transactionid", "certop", "uploadcertname", "currentlyloggedinuserid", "___serverprotocol", "certificatename", "isdefault", "___username", "___meta", "___serverip", "currentlyloggedinuserip"]
    ********** Entity json validation log End FOR :2-7-2021  17:22:55 Objectname=system::certificate
    ==> /log/vpncertificate.log <==
    CA id for ApplianceCertificate.pem is :1
    caid for certificate Test is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cerberus_FastSSL_2021_3y is :27
    caid for certificate cert_FastSSL_2021_3y is :27
    caid for certificate cert_FastSSL_2021_3y is :27
    

  • Hi: Thanks for reaching out to the Sophos community team and sharing the detailed information on the steps taken.

    As per your steps, you did not upload the key file when uploading the cert file; due to that, XG is unable to decrypt or read the cert file, and you are not able to get the same certificate in the drop-down list under the admin console and end-user section.

    In order to fix the issue please import the certificate along with the private key file.

    OR 

    You may request a PKCS12 (.pfx or .p12) cert file (which already stores the private key with the public key) and import the PKCS12-format cert directly on XG.

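The following is an added example, not the poster's files or Sophos code. It is a POSIX shell pre-flight that covers both the original post's procedure (CSR, signed host cert, intermediate and root) and the reply's two options (cert plus private key, or a PKCS12 bundle): it checks that the private key actually belongs to the certificate, that the certificate verifies against the uploaded chain, and that the certificate carries the hostname it will be addressed by (the AH01909 warnings in the log above are Apache complaining about exactly that), then builds a PKCS12 bundle. Everything is run on a constructed throwaway CA, the hostname fw.example.test, the file names under the temp directory and the password "changeit" are all assumptions; only the `openssl` subcommands and options are real.

```shell
#!/bin/sh
# Added example (not Sophos code): pre-flight checks for a host certificate before
# importing it into XG as "certificate + private key" or as a PKCS12 bundle.
# All file names below are constructed test fixtures, not the poster's files.

# Does the public key inside the certificate match the private key?
# Compares SubjectPublicKeyInfo hashes, so it works for RSA and EC keys alike.
cert_matches_key() {
  [ -r "$1" ] && [ -r "$2" ] || return 1
  cert_spki=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  key_spki=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_spki" ] && [ "$cert_spki" = "$key_spki" ]
}

# Does the certificate chain up to the CA bundle (intermediate + root)?
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Does the certificate carry NAME as a DNS subjectAltName?
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -Fqx "DNS:$2"
}

# Run all three checks; report the first failure and return a distinct code for it.
preflight() {
  cert_matches_key "$1" "$2" || { echo "FAIL: private key $2 does not match $1"; return 1; }
  chain_verifies "$1" "$3"   || { echo "FAIL: $1 does not verify against chain $3"; return 2; }
  cert_has_san "$1" "$4"     || { echo "FAIL: $1 has no DNS SAN for $4"; return 3; }
  echo "OK: $1 and $2 belong together and chain to $3"
}

# Bundle cert + key + chain as PKCS12, the second option named in the reply above.
build_pkcs12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5" 2>/dev/null
}

# Constructed fixture: a throwaway CA, a leaf for fw.example.test signed by it,
# and an unrelated key that stands in for the "wrong or missing key" case.
make_test_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$d/host.key" -out "$d/host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:fw.example.test\n' > "$d/san.cnf"
  openssl x509 -req -days 30 -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.cnf" -out "$d/host.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
# Correct pairing: passes all three checks.
preflight "$WORK/host.pem" "$WORK/host.key" "$WORK/ca.pem" fw.example.test
# Wrong key: the first check fails, which is the situation the reply describes.
preflight "$WORK/host.pem" "$WORK/other.key" "$WORK/ca.pem" fw.example.test || true
# Package the good pairing for a single PKCS12 import.
build_pkcs12 "$WORK/host.pem" "$WORK/host.key" "$WORK/ca.pem" "$WORK/host.p12" changeit
```

Run it once with the fixture to see both outcomes, then point `preflight` at the real files (the key is the one generated together with the CSR). A certificate that passes only the chain check but fails `cert_matches_key` is exactly the case where a firewall or web server will accept the upload yet never offer the certificate for TLS.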