Renew SSL certificate for email on XG Firewall

So, 2 years ago a goDaddy SSL cert was added to XG and has been used since that date.

It is now renewed with goDaddy and downloaded. I tried replacing the existing one with the new one, but it said a rule/policy was already using it. So I then added the certificate as new and it appears in the list with the one from 2 years ago.

However, when I go to the SMTP TLS section and click on the drop down list to replace the current one with the new one, it does not show up in the list. There are the original one, Default, the XG cert and one other, but not the one I have added.

Did I miss a step to get the newly added one appearing in the list?

  • How did you replace / upload the new one? It needs to have the private key. Or did you do a CSR? 

  • When it was done first 2 years ago, I selected the .pem file and the .key file, entered the password and the SSL uploaded to the XG. Then within the configuration of the MTA Email TLS section I was able to select the named SSL cert.


    Now that there is a new one (the old one expires in 2 weeks), I tried to load the new cert to the existing one, but it said a rule was using it (Email TLS section). So, I then uploaded the new one with a new name. I selected the .pem and entered the password and it uploaded successfully. The .key file was not needed as I have read that the .key will already be uploaded to the XG.


    Hope this helps

  • Likely you uploaded simply a PEM without Private Key. Why should the Key be present? Can you use CSR with GoDaddy? This should be much easier. 

  • When I used the .key file, it said unrecognised format. Yet using the same .key file with the original .pem giving it a new name, it uploaded alright. Of course, that is just a duplicate of the one that will expire in 13 days.

    So, 2 years after the first cert was provided by goDaddy a new one is available to use and goDaddy provided just the .pem file. So, how should I use this .pem file to get it to upload to XG and be selectable to use?

    Many thanks

  • That is odd, I mean. They provide you a PEM and no Key. This means, they assume, you have the old Key?

    I would expect a CSR. Can you check whether they expect you to do a CSR.

  • That is correct, there are actually 2 files a .pem file and a .crt file named the same

  • You should do a CSR. docs.sophos.com/.../index.html
  • I am looking at the CSR route and when I create the CSR and click on download, it only provides an option to download the csr. In the documentation it says there should be 3 files: csr, key + txt

  • This process was changed. It only provides a CSR. Then you get the signed pem and upload it to the firewall. 

  • So what about the .key file and using the passphrase?

    I am doing this on an XG105 v17.6.16 MR16

  • So, for the certificate to appear in Email, General, SMTP TLS Configuration, TLS Certificate drop down, the certificate has to be added with the .key file.

    As advised earlier, I do have the .key file and password.txt file from when the certificate was added 2 years ago. Yet the original .key and passphrase do not work with the new certificate (.pem). I have also checked as a test with the original certificate using the .key file and password I have and it adds no problem. So I know the .key file and password are valid.

  • Yes, I can do that on the XG, but it does not generate a .key file, only the .csr. As I understand it, without the .key file one cannot upload successfully to XG and then be able to select it in the Email section.

  • So the answer is:-

    The XG only generates a csr file now. Whereas in previous version it produced three files! Also, you can no longer use a previous private.key.

    For me, I am lucky to use goDaddy for SSL Certificate. What I now need to do is, cancel and get a refund on the new cert that was auto renewed and generated and purchase a new standard SSL and part of their process now is to provide the three files required.

    Hope this helps others.
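As an added example, not code from the thread or from Sophos: a shell check, assuming the openssl CLI is installed, that tells whether a certificate file (.pem/.crt) and a private key belong together. This is the check behind the failing upload above, since a certificate issued against a fresh CSR embeds a different public key than the key from two years ago.

```sh
#!/bin/sh
# Added example (not from the thread or from Sophos). Assumes the openssl CLI.

# cert_key_match CERT KEY [PASSPHRASE]
#   0 = certificate and key belong together
#   1 = both parse, but the public keys differ (wrong key for this certificate)
#   2 = the certificate or key could not be read (wrong format or passphrase)
cert_key_match() {
  cert="$1"; key="$2"; pass="${3:-}"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$cert_pub" ] || return 2
  # -passin is ignored for an unencrypted key; for an encrypted one an empty
  # or wrong passphrase makes openssl fail instead of prompting on a terminal.
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 2
  [ -n "$key_pub" ] || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# make_sample DIR: constructed test material, not real certificates.
# old.key/old.pem stand in for the pair uploaded two years ago; new.pem is a
# certificate issued for a different key, as happens after a new CSR.
make_sample() {
  dir="$1"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/old.key" -out "$dir/old.pem" \
    -subj "/CN=mail.example.test" -days 365 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/new.key" 2>/dev/null
  openssl req -x509 -key "$dir/new.key" -out "$dir/new.pem" \
    -subj "/CN=mail.example.test" -days 365 >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_sample "$d"
  if cert_key_match "$d/old.pem" "$d/old.key"; then echo "old.pem matches old.key"; fi
  if ! cert_key_match "$d/new.pem" "$d/old.key"; then
    echo "new.pem does not match old.key: upload it together with new.key"
  fi
  rm -rf "$d"
}
demo
```

Running it against the renewed GoDaddy .pem and the two-year-old .key reproduces the mismatch seen in the thread; a return code of 2 instead points at the "unrecognised format" problem (wrong file type or passphrase) rather than a wrong key.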
