Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 541 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XGS Latest firmware - Outdated Certificates

tomrgsd

We just recently upgraded from an XG to XGS firewall and having random issues with certificates. I've had to manually add updated ROOT and Intermediate CA certificates for Digicert and a Top Level DOD certificate among others. I have never had any issues on the previous device with certificates, but downloading the latest certificates and manually adding them to the authorities pages, worked. I knew the issue had to be on the XGS because the sites presented no issue outside of our network and I could see the whole trusted chain. The XGS or maybe it is the latest firmware now presents a self-issued untrusted cert and therefore I cannot see the chain to troubleshoot inside the network. How do the ROOT CAs get updated on the system? Should a firmware update contain updated ROOT CAs? I don't want to have to keep manually adding these as issues pop up because the system has outdated ROOT authorities. I have attached a screenshot of the Authorities, I had to upload to fix the issues. Notice the DOD certificates.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Vivek Jagad

    I verified all is correct. Please note that this is not happening on most of the sites. Just a few that have popped up. I would expect that if the default cert was the issue, it would be everything having an issue.

  • 0 in reply to tomrgsd

    In that scenario you may delete the certcache for that website and then access it again. 
    You may find under the following directory:  cd /var/certcache/

    For example if it is google: 
    I would type the following command: ls -lah /var/certcache/ | grep google

    And then you may delete those with the command "rm"

    Access the sites again and see if that helps !!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Again, adding the updated root and intermediates for the domains in question fixed the issue for those sites. Not all are having the issue, just a select few. If it was a cert cache issue, then why would adding the updated ROOT CAs to the system fix the issue?

Unfiltered HTML