Renew SSL certificate for email on XG Firewall

How did you replace / upload the new one? It needs to have the private key. Or did you do a CSR? 

When it was done first 2 years ago, I selected the .pem file and the .key file entered the password and the SSL upladed to the XG. Then within the configurartion of MTA Email TLS section I was able the select the named SSL cert


Now that there is a new one (old one expires in 2 weeks), I tried to load the new cert to existing, but it said a rule was using it (Email TLS section). So, I then uploaded the new one with a new name. I selected the .pem and entered the password and it uploaded successfully. The .key files was not needed as i have read that the .key will already be uploaded to the XG


Hope this helps

Likely you uploaded simply a PEM without Private Key. Why should the Key be present? Can you use CSR with GoDaddy? This should be much easier. 

When I used the .key file, it said unrecognised format. Yet using the same .key file with the original .pem giving it a new name, it uploaded alright. Of course, that is just a duplicate of the one that will expire in 13 days.

So, 2 years after the first cert was provided by goDaddy a new one is available to use and goDaddy provided just the .pem file. So, how should i use this .pem file to get it to upload to XG and be selectable to use?

Many thanks

When I used the .key file, it said unrecognised format. Yet using the same .key file with the original .pem giving it a new name, it uploaded alright. Of course, that is just a duplicate of the one that will expire in 13 days.

So, 2 years after the first cert was provided by goDaddy a new one is available to use and goDaddy provided just the .pem file. So, how should i use this .pem file to get it to upload to XG and be selectable to use?

Many thanks

That is odd, i mean. They provide you a PEM and no Key. This means, the assume, you have the old Key? 

I would expect a CSR. Can you check, they expect you to do a CSR. 

That is correct, there are actually 2 files a .pem file and a .crt file named the same

You should do a CSR. docs.sophos.com/.../index.html

I am looking at the CSR route and when I create the CSR and click on download, it only provides an option to download csr. In the documentation it says there sould be 3 files, csr, key + txt

This process was changed. It only provides a CSR. Then you get the signed pem and upload it to the firewall. 

So what about the .key file and using the passphrase?

I am doing this on an XG105 v17.6.16 MR16

So, for the certificate to appear in Email, General, SMTP TLS Configuration, TLS Certificate drop down, the certificate has to be added with the .key file.

As advised earlier, I do have the .key file and password.txt file from the certificate was added 2 years ago. Yest the orginal .key and passphrase does not work with new certificate (.pem). I have also checked as a test with the prginal certifcate using the .key file and password I have and it adds no problem. So I know the .key file and password are valid.

Yes, I can do that on the XG, but it does not generate a .key file only the .csr. As I understand it, without the .key file, one can not upload successfully to XG and then be seen to be able to select in Email section.

So the answer is:-

The XG only generates a csr file now. Whereas in previous version it produced three files! Also, you can no longer use a previous private.key.

For me, I am lucky to use goDaddy for SSL Certificate. What I now need to do is, cancel and get a refund on the new cert that was auto renewed and generated and purchase a new standard SSL and part of their process now is to provide the three files required.

Hope this helps others.