
3rd party SSL Certificate on SOPHOS XG

Hi,
I have an XG210 (SFOS 18.5.1 MR-1-Build326) and I uploaded a GoDaddy certificate to it. I also uploaded the CA and intermediate CA certificates to it. Under Certificates, this certificate shows a green tick under Trusted. But when I want to use it for web administration, I go to Administration --> Admin and user settings, and under Certificate it only shows the Appliance certificate; it does not show me that uploaded third-party certificate. I can't see it under SSL VPN settings either. Please guide me on how I can use that certificate on this firewall.
It is a SAN certificate. I did not create the CSR on the firewall; I created the CSR on a Microsoft machine and added multiple names to it. On that machine it is working perfectly, but on the firewall I am not able to use it. Please guide.

Can I also use this certificate for HTTPS inspection too?



  • FormerMember
    0 FormerMember

    Hi Malik, Thanks for reaching out to Sophos Community.

    If the certificate is valid but is not appearing in the drop-down menu for the web-admin certificate, or isn't available to select for WAF or SSL VPN, it usually has to do with the private key. This happens due to an invalid private key or the absence of a private key.

    The private key is generated along with the CSR. If the CSR was generated on a Microsoft machine, then it should have the private key as well. Import the certificate with a private key once again if you haven't.

    can i also use this certificate for HTTPS inspection too.

    No, you can't use an End Entity certificate for HTTPS inspection. You'll need a CA certificate with a private key for HTTPS inspection, because the firewall acts as a proxy that leases certificates to end clients on behalf of requested web servers, and to lease these certificates you'll need a CA on the firewall. By default, it uses the Appliance_SSL_CA certificate.

    However, if you have any private CA (a CA on Windows Server), you can import its certificate with the private key to use for HTTPS inspection.

    Check out HTTPS decrypt and scan FAQ

    Thanks,

  • I created the CSR on a Microsoft server, got a certificate from DigiCert, and uploaded that certificate to the firewall. I did not provide them the private key at the time of upload. It uploaded successfully, but I am not able to see it in Administration or in SSL VPN.

  • FormerMember
    0 FormerMember in reply to Madni Malik

    You don't need to provide the private key to DigiCert. You need to upload the private key to XG along with the certificate in order to use the certificate for WebGUI.

    Certificate validation (the green tick) indicates that the entire certificate chain is available on the firewall, hence it's valid.

  • The green tick is showing, but I am not able to see that certificate in SSL VPN and Administration. Please help.

  • FormerMember
    0 FormerMember in reply to Madni Malik

    As said before, you will need to import the certificate with the private key to use it for WebGUI or SSL VPN. If you have the private key, try to upload the certificate with the private key.

  • Can you please guide me on how to extract the private key from the certificate that I received from a 3rd party like DigiCert?

  • FormerMember
    0 FormerMember in reply to Madni Malik

    The green tick only indicates that the certificate is valid and the chain is complete. The private key is generated along with the CSR. The signing CA is not responsible for providing you with that private key. Check where you generated the CSR.

  • I created the CSR on a Microsoft Exchange server.

  • FormerMember
    0 FormerMember in reply to Madni Malik

    Then please check on the Microsoft Exchange server for the private key. Once found, update the certificate or upload it as a new one.
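
Locating the private key on the Windows server where the CSR was generated, as the replies above advise, can look like the following. This is an added example, not part of the original thread or of Sophos documentation; `$DnsName` and `$PfxPath` are placeholder values, and it assumes the firewall's certificate upload accepts a password-protected PKCS#12 (.pfx) file.

```powershell
# Added example: run in an elevated PowerShell session on the server that created the CSR.
# $DnsName and $PfxPath are placeholders (assumptions), not values from the thread.
$DnsName = 'vpn.example.com'
$PfxPath = Join-Path $env:USERPROFILE 'xg-cert.pfx'

# Unexpired certificates in the machine store whose SAN list contains the name.
# (A wildcard SAN such as *.example.com will not match this exact-name filter.)
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $DnsName -and $_.NotAfter -gt (Get-Date) }

# HasPrivateKey = False means this store holds only the public certificate,
# which is the same situation the firewall is in after a certificate-only upload.
$candidates | Format-Table Thumbprint, NotAfter, HasPrivateKey, Subject -AutoSize

$cert = $candidates |
    Where-Object HasPrivateKey |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No unexpired certificate for $DnsName with a private key in Cert:\LocalMachine\My."
}

# The PFX contains the private key: protect it with a strong password.
$password = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString

try {
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password -ErrorAction Stop |
        Out-Null
    Write-Host "Exported certificate $($cert.Thumbprint) with its private key to $PfxPath"
}
catch {
    # A common cause is a key that was created as non-exportable.
    Write-Error "Export failed: $($_.Exception.Message)"
}
```

Delete the exported file from the server and from any transfer location once the upload to the firewall has succeeded, since anyone holding the file and its password holds the private key.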
