Hello
I'm wondering how Sophos XG validates the certificate chain (web surfing SSL inspection). We use web policies with "block invalid certificates" on a newly installed Sophos XG for a customer. Normally, we don't see a lot of blocked websites due to invalid certificates or untrusted CAs.
But on that firewall, we have had some issues in the last few days.
Scenario: browsing a website was not possible due to "SSL error: unable to get local issuer certificate".
When we import the intermediate issuer CA cert into the trusted CA list, it works. The root CA was already in the list. In my understanding, it should already work if the root CA is in the list, without adding all intermediate issuer CAs to this list. But in that case it didn't work.
Question:
1. Does Sophos trust any intermediate CAs signed by a root CA if this root CA is in the list of trusted Certificate Authorities?
2. Is there an update mechanism for the trusted CA list on Sophos XG firewalls, or is it a manual task to update the list? (I know, it's a controversial topic to update a trusted CA list automatically.)
Thanks
Michael