ApplianceCertificate incorrect object

Hi, as per the subject: in the ApplianceCertificate certificate, the subject field has incorrect values, such as the email field, in which na@example.com is reported. How can I correct this data?
Thank you

Oggetto /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_wIeWkRT1DDjv5M9/emailAddress=na@example.com
Autorità emittente /C=IT/ST=IT/L=Salerno/O=dg/OU=OU/CN=Sophos_CA_C01001C77777HJ15/emailAddress=*******@gmail.com
Scopo
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


  • Hello Alfonso,

    Greetings,

    You need to update that information under System -> Certificate -> Certificate Authority -> Default CA.

    Once you change the Default CA, you need to log in again, and if you are using the SSL VPN, it will break the connection and you will need to import the configuration.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hello MayurMakvana,
    thanks for answering me, but
    I have already done what you suggested and the data remains the same.

    Oggetto /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Appliance_Certificate_wIeWkRT1DDjv5M9/emailAddress=na@example.com
    Autorità emittente /C=IT/ST=IT/L=Salerno/O=dg/OU=OU/CN=Sophos_CA_C0************3Q9HJ15/emailAddress=************@gmail.com
    Scopo
    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No
  • Hello Alfonso,

    Greetings!

    If you are referring to the subject line wherein na@example.com is set, I am working on finding that out and will update you!

    If you are referring to the issuer field, you may try the below:

    You may add the CSC service in debugging with the help of the command below from the advanced shell:

    csc custom debug

    Later, collect the logs below:

    cd /log

    tail -f applog.log csc.log

    Update the default CA details and review the logs. It may give us a clue as to whether the opcode for the certificate authority regeneration is failing or executing successfully!

    If the opcode fails, it is better to raise a support ticket to investigate it further.

    Mayur Makvana
    Technical Account Manager | Sophos Technical Support


  • I ran the commands he sent me; I attach the log.

    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: logger: applog
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_log_to_file: length=38
    INFO      Oct 21 13:04:27Z  [apiInterface:17296]: ACTION: CALL createJson
    INFO      Oct 21 13:04:27Z  [apiInterface:17296]: ACTION: CALL validateJson
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: logger: applog
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_log_to_file: length=86
    INFO      Oct 21 13:04:27Z  [apiInterface:17296]: ACTION: CALL handleDeleteRequest
    INFO      Oct 21 13:04:27Z  [apiInterface:17296]: ACTION: CALL replyIfErrorAtValidation
    INFO      Oct 21 13:04:27Z  [apiInterface:17296]: ACTION: CALL getOldObject
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_prep_query: PREPSTMT with ARGS: select opcode,opcodetype,perlpackagename from tblcrevent where mode=?
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: get_txid:Transaction ID: 23117
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_prep_query: PREPSTMT: 'select opcode,opcodetype,perlpackagename from tblcrevent where mode=?'
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: logger: applog
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_log_to_file: length=149
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: execute_action: DYNACODE variable:opcodename
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: execute_action: DYNACODE opcode:generate_certificate_authority
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_ao: OPCODE generate_certificate_authority
    DEBUG     Oct 21 13:04:27Z  [apiInterface:17296]: do_ao: OPCODE generate_certificate_authority CONTENT-TYPE:json, BODY_LEN:747
    DEBUG     Oct 21 13:04:27Z  [listener:1305]: ln_recvfrom: fd '115.TCP.INET.auxilary': 849 bytes are read by listener
    DEBUG     Oct 21 13:04:27Z  [listener:1305]: register_request_inet: request from port '0'
    INFO      Oct 21 13:04:27Z  [listener:1305]: Assigning free worker 17355
    DEBUG     Oct 21 13:04:27Z  [listener:1305]: assign_to_busy_queue: assigning worker 17355
    DEBUG     Oct 21 13:04:27Z  [listener:1305]: send_data_to_sockpair: listener has send 799 bytes to sockpair worker 17355
    DEBUG     Oct 21 13:04:27Z  [worker:17355]: read_packet: read() 799 bytes from listener
    DEBUG     Oct 21 13:04:27Z  [worker:17355]: # OPCODE Called: 'generate_certificate_authority'
    MESSAGE   Oct 21 13:04:27Z  [worker:17355]: {"request":{"method":"opcode","name":"generate_certificate_authority","version":"1.14","type":"json","length":747,"data":{ "currentlyloggedinuserip": "192.168.1.17", "transactionid": "344", "keylength": "2048", "___serverip": "192.168.1.1", "objectID": "1", "commonname": "SOPHOS_CA_qCgZ1h********JMD", "state": "CZ\/IT", "___cmenabled": 0, "digest": "sha256", "___cmrequest": 0, "countryname": "IT", "___username": "admin", "___serverport": 4444, "___meta": { "sessionType": 1 }, "ouname": "OU", "APIVersion": "1900.1", "Event": "ADD", "uploadcaname": "Default", "crlid": "1", "mode": 357, "emailaddress": "*****@gmail.com", "currentlyloggedinuserid": 3, "oname": "********** SRL", "cryptotype": "rsa", "___component": "GUI", "___serverprotocol": "HTTP", "isprivate": "y", "locality": "LAMEZIA TERME", "Entity": "selfsignedcertificateauthority" }}}
    DEBUG     Oct 21 13:04:27Z  [worker:17355]: ### insert_uuid: hdr: len=747 content=0 method=0 name=generate_certificate_authority
    DEBUG     Oct 21 13:04:27Z  [worker:17355]: ### insert_uuid: skipping uuid insertion
    DEBUG     Oct 21 13:04:27Z  [worker:17355]: ### insert_uuid: uuid insert

  • Hello there,

    Thank you for contacting the Sophos Community.

    As a workaround, you can create a new certificate and apply it to the desired service.

    I talked to GES about this, and they have created NC-108216 to confirm whether this is expected or whether there might be an issue, as we got the same result. I created a case on your behalf and assigned it to me; however, if you can send me a Private Message with your email address to confirm it, I would appreciate it.

    Also, confirm the Firmware you’re using.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • The firmware version used is:
    SFOS 19.0.1 MR-1-Build365

  • Hello Alfonso,

    Thank you for the follow-up and the PM.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    GES/DEV has confirmed that it is not possible to change the email address of the Appliance Certificate. If you require a certificate with a different email, you can create a new locally signed certificate and enter any email you would like.

    DEV mentioned that changing the Appliance Certificate email Subject would be a Feature Request as of now. If you would like to pursue this, reach out to your Account Manager/Sales representative so they can enter this Feature Request in the internal system.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello emmosophos,
    thanks for the answer, but I cannot explain why, on other firewalls that I have configured (XG135 and XGS107), the object fields of the ApplianceCertificate correspond to those of the end customer and na@example.com is not reported in the email field, for example. How is this explained, since the devices have been configured and registered following the same steps?

  • Hello Alfonso,

    This was a known bug on v17.5, where you could actually change the email address, so the issue was corrected on v18 and above. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
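An added example (not part of the original thread, and not Sophos code): a Python check that parses the one-line DNs quoted in the posts and lists which attributes still hold the placeholder values, so the effect of a Default CA change can be confirmed on the issuer versus the subject. The subject string is the one posted above; the issuer string is constructed (the thread redacts it, and it reuses the "CZ/IT" state value from the log to show an unescaped slash), and the function names are hypothetical.

```python
import re

# Placeholder values as they appear in the subject quoted in this thread.
PLACEHOLDERS = {"na", "na@example.com"}

# Subject as posted in the thread.
SUBJECT = ("/C=NA/ST=NA/L=NA/O=NA/OU=NA/"
           "CN=Appliance_Certificate_wIeWkRT1DDjv5M9/emailAddress=na@example.com")
# Constructed issuer: same shape as the thread's issuer, values are made up.
ISSUER = ("/C=IT/ST=CZ/IT/L=LAMEZIA TERME/O=Example SRL/OU=OU/"
          "CN=Sophos_CA_EXAMPLE/emailAddress=admin@example.org")


def parse_dn(dn):
    """Parse an OpenSSL one-line DN ('/C=IT/ST=IT/...') into (attr, value) pairs.

    A '/' escaped as '\\/' stays inside the value. A segment without '=' is
    treated as the continuation of the previous value, which covers values
    that contain an unescaped slash such as 'CZ/IT'.
    """
    pairs = []
    for seg in re.split(r"(?<!\\)/", dn.strip()):
        if not seg:
            continue
        seg = seg.replace("\\/", "/")
        if "=" in seg:
            attr, value = seg.split("=", 1)
            pairs.append((attr.strip(), value.strip()))
        elif pairs:
            attr, value = pairs[-1]
            pairs[-1] = (attr, value + "/" + seg)
    return pairs


def placeholder_attrs(dn):
    """Return the attribute names whose value is still a placeholder."""
    return [a for a, v in parse_dn(dn) if v.lower() in PLACEHOLDERS]


def audit(subject, issuer):
    """Report placeholder attributes separately for subject and issuer."""
    return {"subject": placeholder_attrs(subject),
            "issuer": placeholder_attrs(issuer)}


if __name__ == "__main__":
    for part, attrs in audit(SUBJECT, ISSUER).items():
        print(f"{part}: {'placeholders in ' + ', '.join(attrs) if attrs else 'ok'}")
```
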