
SSL VPN on Sophos Firewall with Root CA + Intermediate CA

So, I have an internal CA that I use for everything on my network.  This CA also handles the VPN components that I use.

Namely, I have a root CA and multiple intermediate CAs underneath for different use cases - one is for SSL Client Auth (so SSL cert over HTTPS, etc.), one is for internal server certificates, and one is for VPN CA.

So, the root chain looks like this:

Internal CA
|-- VPN CA
    |-- Server Certificate
    |-- [Client certs since the CA can issue them]

Unfortunately, when trying to use this CA chain and such, it all hard-fails and I can't authenticate the clients.

Is there any way to make this type of chain work in the XG Firewall?  I have tried several ways unsuccessfully.
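As an added example (not code from this thread, from Sophos, or from the firewall), a throwaway openssl session that builds the Root CA -> Intermediate CA -> server certificate hierarchy described above and checks which trust inputs make the server certificate verify: the chain only validates when the intermediate is supplied next to the root, which is the same condition a VPN client is in during the TLS handshake. All names, paths and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway "Internal CA -> VPN CA ->
# server cert" hierarchy with openssl and check which trust inputs make the
# server cert verify. All names, paths and lifetimes below are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# new_key_csr NAME SUBJECT_CN: key pair plus CSR
new_key_csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Root: self-signed and marked as a CA
new_key_csr root "Internal CA"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate "VPN CA": issued by the root, itself a CA. This is the cert that
# must be present on the VPN endpoint and in the client's trust path.
new_key_csr vpn "VPN CA"
openssl x509 -req -in vpn.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out vpn.crt 2>/dev/null

# Server certificate issued by the intermediate, not by the root directly
new_key_csr srv "vpn.example.internal"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.internal\n' > srv.ext
openssl x509 -req -in srv.csr -CA vpn.crt -CAkey vpn.key -CAcreateserial \
  -days 365 -extfile srv.ext -out srv.crt 2>/dev/null

# verify_chain TRUST_ANCHOR [INTERMEDIATE]: "ok" if srv.crt chains to the
# anchor through the supplied intermediate, "fail" otherwise
verify_chain() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" srv.crt >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" srv.crt >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# issuer_cn CERT: CN of the CA that signed CERT (answers "which CA issued this?")
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=CN=//'
}

echo "root only, intermediate missing: $(verify_chain root.crt)"          # fail
echo "root + intermediate supplied:    $(verify_chain root.crt vpn.crt)"  # ok
echo "intermediate alone as anchor:    $(verify_chain vpn.crt)"           # fail
echo "issuer of server cert:           $(issuer_cn srv.crt)"              # VPN CA
```

The first and third cases are the two ways a chain like this "hard-fails": the peer never receives the intermediate, or only the intermediate is trusted without a path to a self-signed root.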

  • What happens if you import the root CA and then the intermediate CA cert?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.


  • Yes, the CA and then Intermediate have both been uploaded.  It seems to barf on the handshake when it does the initial TLS communication.  Which is odd, because it shouldn't be doing that.

    I'm not entirely sure where to look next, since the certificate is issued on the XG by the intermediate CA for the server certificate.  Unless the client certificates are being issued incorrectly with the default CA and not the intermediate CA I've deployed, but I've got no idea how to set that properly.

  • Maybe you use an unsupported crypto algo? Can you post your definition for these two CAs?

    Philipp Rusch

  • I basically took the default generated CA cert that the XG created and used that as a base, and configured a few extra SANs and entries to match the IPs as well as hostnames.  Other than that, the signature was identical.

    ODDLY ENOUGH, it seems like it just started randomly working, and all I did was switch the server cert to the default appliance cert and then back to the intermediate-CA-issued cert and it just started to freaking work.  WHooo!  Don't think I can alter the CA used for client cert issuance, but I'm less concerned about that.  At least it works heh!