
V18.5.1 appears to have a bug in CA generation

Hi folks,

Recently my local CA expired and is now causing me grief on all my Apple devices using Mac Mail.

The errors vary from "not suitable for pinning" to "the site you are connecting to is unsafe or not recognised". The errors are affecting both SMTPS and IMAPS. For the moment, while I try to resolve the issue, I have disabled SMTPS scanning.

I have tried to generate a new CA on the XG with a 12 month life similar to the one that expired, except the export process does not work and the exported cert is not recognised. I have tried renaming the CER and modifying its settings, but the same error persists. Also, when exporting I see the encoded certificate displayed, which all seems wrong to me.

The export message is

The exported file 

The result is I cannot generate a local CA of any use.

Ian




Top Replies

  • Actually this should not be the case. The firewall should offer a cert which meets the requirements of an Apple device.

    The trick is:

    https://support.apple.com/en-us/HT210176

    Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

    The SFOS certificate was issued on 01.08.2015, hence it is not required to have only a 3-year expiration.

    Try the Sophos SSL CA, which you find under CAs; import it and use the same for IMAPS/SMTPS.

    The firewall itself will generate a certificate for each and every connection with this CA. This certificate is used for the connection and needs to meet the 3-year expiration standard, which we do per connection as well, but the CA itself does not require this.

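As an added illustration (not code from the thread or from Sophos), a stdlib-only Python walker that pulls the Validity window out of a DER-encoded certificate and applies the two checks the reply above turns on: whether the issuing CA itself has expired, and whether a leaf certificate issued on or after 1 July 2019 exceeds the HT210176 limit (825 days in Apple's document; the reply rounds this to 3 years). The sample certificates are constructed DER skeletons, not real certificates.

```python
from datetime import datetime, timedelta, timezone
APPLE_CUTOFF = datetime(2019, 7, 1, tzinfo=timezone.utc)
APPLE_MAX_DAYS = 825  # HT210176 limit for leaf certs issued on/after the cutoff

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, pos, pos + length

def _time(buf, pos):  # decode a UTCTime (0x17) or GeneralizedTime (0x18) element
    tag, start, end = _tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("unexpected tag 0x%02x in Validity" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def validity(der):  # -> (notBefore, notAfter) of a DER-encoded X.509 certificate
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:            # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):              # skip serialNumber, signature, issuer
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)      # Validity SEQUENCE
    not_before, pos = _time(der, pos)
    not_after, _ = _time(der, pos)
    return not_before, not_after

def check(der, now=None, is_ca=False):  # -> complaints an Apple client would raise
    now = now or datetime.now(timezone.utc)
    nb, na = validity(der)
    issues = []
    if not nb <= now <= na:
        issues.append("expired" if now > na else "not yet valid")
    if not is_ca and nb >= APPLE_CUTOFF and na - nb > timedelta(days=APPLE_MAX_DAYS):
        issues.append("validity longer than %d days" % APPLE_MAX_DAYS)
    return issues

# Constructed samples (not real certificates): just the DER skeleton the walker needs.
# CA_2015 loosely mirrors the thread's 01.08.2015 CA; LEAF_2020 is a 3-year leaf
# issued after the HT210176 cutoff.
_SKELETON = b"\x30\x2e\x30\x2c\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00\x30\x1e"
CA_2015 = _SKELETON + b"\x17\x0d150801000000Z\x17\x0d180801000000Z"
LEAF_2020 = _SKELETON + b"\x17\x0d200101000000Z\x17\x0d230101000000Z"
```

To run it against a certificate exported from the firewall, convert the PEM/CER to DER first (`openssl x509 -in cert.cer -outform DER -out cert.der`) and pass the file's bytes to `check()`.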
  • After a couple of very frustrating days trying to resolve this issue, I have found the error generated by the Apple devices is not correct.

    The error "mail account for XXXX does not have a password, please use settings to add a password" in reality means the password is wrong.

    Ian

    XG115W - v19.5.1 mr-1 - Home
