
Custom Certificate with Web Content Filter

I purchased a new SSL cert from Comodo (which is in the list of valid CAs) and successfully installed this into my list of certs on the XG. However, when I go into the Web Content Filter settings, I still only have "Default" and "SecurityAppliance_SSL_CA" listed as options.


How do I set the system to use my Comodo certificate as the scanning certificate?



  • Hi Gary,

    What you have purchased is a server certificate; you will find, for example, that it can be selected to represent the appliance itself for web admin portal access or the SSL VPN (for example under "System > Administration > Settings" or "System > VPN > SSL VPN Settings").

    In order to be available to select for the Web Filter it would need to be a root authority certificate. You could, for example, generate a sub-authority certificate subordinate to your enterprise certificate authority and load that on the appliance; it would then be available to select under "Protection > Web Protection > Web Content Filter".

    It needs to be a root authority certificate so the appliance can generate a certificate that reflects the certificate of the original site the user is trying to access; server certificates cannot be used in this way.

    Leon

  • Hello Leon ,

    I have the same issue, but I didn't understand your solution.

    How can we generate a ROOT certificate from a server certificate generated by a public CA?

    It looks to me like an issue with the XG firewall; I don't understand why we should be using a root CA for a "server" service, as the proxy actually is.

    thanks

    Stefano

  • Hi Stefano,

    You can't; we are talking about two different things here, and you cannot use a server certificate issued by a public root authority to create a self-signed root authority.

    The server certificate can be used for the appliance to represent itself as a server, i.e. for the Web Admin Portal or User Portal.

    If using HTTPS Decryption/Inspection for web/application traffic, the appliance root authority is used to create a reflected certificate for the original website; as such, the client device needs to trust the appliance to issue certificates for websites. (Please be aware this is due to the way certificate trust works and applies to any product performing this level of inspection.)

    As far as root authorities on the appliance go, you can use the self-signed root authority on the appliance or set the appliance up as a subordinate authority to your enterprise authority.

    If set up as a subordinate authority, your client devices should automatically trust the appliance to issue certificates (assuming they trust your enterprise authority); if using the self-signed authority, you can distribute the certificate to the Windows computer store manually or via something like Group Policy.

    More information on deploying the SSL CA certificate can be found in the KB article at https://community.sophos.com/kb/en-us/123048
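
As an added illustration of the trust model Leon describes, and not code from this thread or from Sophos, here is a small Go program that builds a throwaway PKI with the standard library, mints a "reflected" certificate for an intercepted site the way an inspecting proxy does, and then checks it the way a client browser would. The CA names, the hostname firewall.corp.example, the example site and the trust-store contents are all constructed assumptions. It covers the three configurations in the thread: a subordinate CA issued by the enterprise root (verifies with nothing extra to deploy), the appliance's own self-signed root (fails until that root is distributed to the client), and a purchased server certificate used as the issuer (never verifies, because it is CA:FALSE and not permitted to sign certificates).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued is a certificate together with the private key it was generated for.
type issued struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }
var nextSerial int64 = 1000

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key, fills in serial and validity, and signs tmpl with the parent's
// key (self-signed when parent is nil). Failures panic; InspectAndVerify recovers them.
func issue(tmpl *x509.Certificate, parent *issued) *issued {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	nextSerial++
	tmpl.SerialNumber = big.NewInt(nextSerial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(365*24*time.Hour)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &issued{cert: cert, key: key}
}

// caTemplate: CA:TRUE with keyCertSign, i.e. something allowed to issue certificates.
func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// serverTemplate: an end-entity (server) certificate, CA:FALSE, serverAuth only.
func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		BasicConstraintsValid: true, // IsCA stays false
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Scenario is the constructed PKI (all names made up): the three issuers the appliance could
// hold, a domain-joined client's trust store (a public root standing in for Comodo plus the
// enterprise root), and that same store after the appliance's own root is pushed out by GPO.
type Scenario struct {
	ApplianceSubCA, ApplianceSelfSignedRoot, ApplianceServerCert *issued
	ClientRoots, ClientRootsAfterGPO                             []*x509.Certificate
}

func BuildScenario() *Scenario {
	pub := issue(caTemplate("Example Public Root CA"), nil)
	ent := issue(caTemplate("Corp Enterprise Root CA"), nil)
	own := issue(caTemplate("SecurityAppliance_SSL_CA"), nil)
	return &Scenario{
		ApplianceSubCA:          issue(caTemplate("XG Web Filter Sub CA"), ent),
		ApplianceSelfSignedRoot: own,
		ApplianceServerCert:     issue(serverTemplate("firewall.corp.example"), pub),
		ClientRoots:             []*x509.Certificate{pub.cert, ent.cert},
		ClientRootsAfterGPO:     []*x509.Certificate{pub.cert, ent.cert, own.cert},
	}
}

// InspectAndVerify does what the decrypting proxy and then the browser do: mint a reflected
// certificate for site under issuer, hand the client that leaf plus the issuer's cert, and let
// the client chain it to the roots it trusts. A refused issuance becomes an error, not a panic.
func InspectAndVerify(issuer *issued, roots []*x509.Certificate, site string) (err error) {
	defer func() { if r := recover(); r != nil { err = fmt.Errorf("issuing refused: %v", r) } }()
	leaf := issue(serverTemplate(site), issuer).cert
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	interPool.AddCert(issuer.cert)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: site, Roots: rootPool, Intermediates: interPool})
	return err
}

func main() {
	s, site := BuildScenario(), "www.youtube.com" // constructed example site
	fmt.Println("sub CA of enterprise root:     ", InspectAndVerify(s.ApplianceSubCA, s.ClientRoots, site))
	fmt.Println("self-signed root, not deployed:", InspectAndVerify(s.ApplianceSelfSignedRoot, s.ClientRoots, site))
	fmt.Println("self-signed root, deployed:    ", InspectAndVerify(s.ApplianceSelfSignedRoot, s.ClientRootsAfterGPO, site))
	fmt.Println("purchased server cert:         ", InspectAndVerify(s.ApplianceServerCert, s.ClientRoots, site))
}
```

Run it with go run; the first and third cases print <nil> and the other two print an error. The reflected certificate carries only the original site's name, not its original issuer, which is exactly why the client has to trust the appliance's CA rather than the public CA that signed the real site, and why a CA:FALSE server certificate is useless in that role no matter who issued it.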

  • Hello Leon

    Thanks for your explanation. My doubt came because I'm pretty sure that I didn't have such an issue with other vendors' products (but I need to check it).

    Best Regards

  • Hi Stefano,

    One comment would be that if you do not enable HTTPS Decryption, the appliance will make decisions via Certificate Scanning based on the Common Name field in the HTTPS certificate, so some simple HTTPS web filtering will occur.

    This, however, can be challenging, as some sites with multiple domains actually use the same common name, e.g. youtube.com and google.com both have the common name *.google.com.