signature of the certificate cannot be verified

still no solution , very slow service

Hi TarekHalloun  Thank you for reaching out to the Sophos community team. One of the possible reasons for such an error could be due to the signature algorithm having been updated of that CA and the system may have a different CA with a different thumbprint (due to signature Algo updated) which is not getting matched with the added CA on XG. 

Please confirm and validate on same. Below reference steps may help to validate the same on the system side:

http://terenceluk.blogspot.com/2018/07/unable-to-assign-newly-requested.html

From XG you may validate via the below:

#openssl x509 -in /conf/certificate/cacerts/CANAME -text -noout  | grep -i signature

A similar way confirms for the Cert file as well if the cert does not have an updated signature which is not getting matched with added one on XG.

#openssl x509 -in /conf/certificate/CERTNAME -text -noout | grep -i signature

If the above is the reason based on your validation then you may re-import the CA on XG with the latest signature algorithm and then you may confirm the status.

Hi TarekHalloun  Thank you for reaching out to the Sophos community team. One of the possible reasons for such an error could be due to the signature algorithm having been updated of that CA and the system may have a different CA with a different thumbprint (due to signature Algo updated) which is not getting matched with the added CA on XG. 

Please confirm and validate on same. Below reference steps may help to validate the same on the system side:

http://terenceluk.blogspot.com/2018/07/unable-to-assign-newly-requested.html

From XG you may validate via the below:

#openssl x509 -in /conf/certificate/cacerts/CANAME -text -noout  | grep -i signature

A similar way confirms for the Cert file as well if the cert does not have an updated signature which is not getting matched with added one on XG.

#openssl x509 -in /conf/certificate/CERTNAME -text -noout | grep -i signature

If the above is the reason based on your validation then you may re-import the CA on XG with the latest signature algorithm and then you may confirm the status.

if i dont use sophos , i dont have this problem ... i cannot do this solution to 1000 users !

please guide me through this command .. how to run it

Hi TarekHalloun  Yes command has been shared in my previous comment which you may run from the XG shell. On the system side, you may compare it with any 1 or 2 machines to see if there are any differences in the signature algorithm on available cert/CA in the system and added on XG.

Vishal_R said:

you may compare it with any 1 or 2 machines to see if there are any differences in the signature algorithm on available cert/CA in the system and added on XG.

what do you mean?

command  didnt work

Hi,

you are in the wrong screen, you should have used 5 - 3.

ian

ok , both command typed but received nothing after enter ( i replaced the CANAME and CERTNAME with the actual names)

if i import the certificate to my local pc certificate , i see that the certification is ok .. but the one coming from Sophos is always damaged .. 

sophos is changing or corrupting the certificate somehow

i changed the ca bundle , reissued the certificate.. talked to Sectigo , everything .. sophos is ruining the certificate

Hi,

please post an expanded copy of your firewall that is breaking your certificate download.

ian