Adding a SSL Certificate (e.g. for the User Portal) does not work.

Hi Markus Schneider,

Thank you for reaching out to Sophos Community.

Did you try to import 'Sectigo RSA Domain Validation Secure Server CA' under certificate authorities?

Knowledge: How to Download & Install Sectigo Intermediate Certificates - RSA

No i did not. Is this part of the usual process to create a CSR for a SSL Certificate and to import the PEM File/Certificate to the XG?

I just installed that "Sectigo RSA CERT" and now my SSL Certificate seems to be valid. 



How comes?

Now i got another Problem.... ;)

How can i add this Certificate to the Admin- and User Portal?

Yes, you can generate CSR on XG and can provide it to any 3rd party CA to get the user certificate. Once you import the user certificate on XG, the certificate will be signed/trusted by the CA(default CA list or 3rd party CA imported).

I'd suggest to redo the process once.

Generate CSR > get the user certificate from Comodo > Import 'Sectigo RSA Domain Validation Secure Server CA' and at last import user certificate(PEM) received from comodo on CSR

Thanks for your help!

I did the process again... The Certificate is visible under certificates and seems to be activated.

But still its not possible to choose this certificate for the Admin and User Portal:

Just the "ApplianceCertifcate" appears...

You are missing the privat key, isnt it? Did you get a private key? without private key, the appliance cannot "use" the certificate for own usage. 

Yes i dont have a private Key. Where do i find/get the private Key?

I read that if i create the CSR on the XG, that i dont need to import the private Key?

The CSR will generate a cert with private key. You should get this from your CA. If not, you will not have the the option to use the certificate at all. 

certs without private key are to validate the certificate, not to use them. 

I generated the CSR in the XG so the XG should be my CA, isnt it? Where do i find the private Key in the CA of the XG or get the key from the XG?

Or what is the easiest way to get a SSL Certificate for the Admin/User Portal?

Hi. According to the manual you should have had the possibility to download the private.key, after you created the CSR.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificateSigningRequestGenerate.html

> Download the CSR using the download button.

> The download button is highlighted below.

This changed after V18.0 MR5 due compliance issues. 

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

Certificate signing requests (CSRs) and certificates

• Streamlined forms and multiple SANs: Updated the forms for creating CSRs and certificates to allow more flexibility in adding Subject Alternative Names using DNS names and IP addresses, and removed unnecessary inputs.
• Security enhancements: Addressed security concerns by preventing the download of private key material for CSRs and locally-signed certificates.
• Upload, download, import: Provided new dialog boxes to allow CSR retrieval, and certificate upload for signing certificates (CAs) and leaf certificates. The boxes allow you to copy-paste PEM format certificates in addition to the DER, PKCS and PEM file transfer.
• Locally-signed certificates: Self-signed certificates have been renamed locally-signed certificates.
• Download format: CSRs and certificates can be downloaded as .csr and .crt files, respectively. They can't be downloaded as tar.gz files any longer.
• Certificate with CA: Provided the option to add the certificate's CA to the CA list, using the same name when importing certificates with CA.
• Workflow: Improvements to workflows and lists to make certificate management more intuitive.

This changed after V18.0 MR5 due compliance issues. 

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

Certificate signing requests (CSRs) and certificates

• Streamlined forms and multiple SANs: Updated the forms for creating CSRs and certificates to allow more flexibility in adding Subject Alternative Names using DNS names and IP addresses, and removed unnecessary inputs.
• Security enhancements: Addressed security concerns by preventing the download of private key material for CSRs and locally-signed certificates.
• Upload, download, import: Provided new dialog boxes to allow CSR retrieval, and certificate upload for signing certificates (CAs) and leaf certificates. The boxes allow you to copy-paste PEM format certificates in addition to the DER, PKCS and PEM file transfer.
• Locally-signed certificates: Self-signed certificates have been renamed locally-signed certificates.
• Download format: CSRs and certificates can be downloaded as .csr and .crt files, respectively. They can't be downloaded as tar.gz files any longer.
• Certificate with CA: Provided the option to add the certificate's CA to the CA list, using the same name when importing certificates with CA.
• Workflow: Improvements to workflows and lists to make certificate management more intuitive.

Thanks Luca. But how the customer is now getting the private key in order to use it on another server?

You do not need a private key for a CSR. CAs can generate all information with the CSR provided by the XG. There is no need to export the private key on this step. 

https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr

Yes, but with the CSR, you get the privat key of the certificate, which you get from your CA.
And then, you want to use this certificate on your internal server, you need the certificate from the CA and the corresponding private key file you generated on CSR creation - right?