Sophos XG - SSL certificate warning when accessing login for web interface

Question

Hi there, 
 
 right now I am really happy with my Sophos XG firewall - although I am still trying to work out a problem with my AP15 (thanks for your support sachin :-) 
 There is only one other matter I would like to know how to solve: 
 I am using Chrome on Windows and whenever I want to access the web interface / login following message appears:

Now I am going for ADVANCED and choose Proceed to XXX.XXX.XXX.XXX (IP-address-of-my-firewall) . 
 Problem is that whenever I clear my Chrome history and cache I will have to do this all over again and the red line over https in the address bar is also not my favorite :-p 
 I also already tried to install the Sophos SSL certificate. 
 
 Anyone an idea how to solve this permanently without using HTTP instead of HTTPS? 
 Maybe someone knows how to install the certificate so that this message will disappear (working for Chrome - might I remind you) :-)

jack admin · Accepted Answer

Markus, 
 
 I am new to sophos firewall , I solved this issue for myself by using self sign certificate. I simply generated self signed certificate created A group policy in my domain controller to install that certificate to all my clients and it worked for me. 
 
 You should change you certificate to self signed certificate in admin portal. 
 Hope this should be helpful for you. 
 
 :)

varunparikh · Answer

Hi Markus, 
 That is correct, because it is a self signed certificate from an untrusted CA (your firewall). 
 If you have a trusted certificate already, you can import the CA in XG and generate CSR, sign it with your CA server and upload it on the firewall, from there onwards, the cert will be trusted. 
 Regards,

SamilV · Answer

Hi Dean, We now have an official kb for this : https://community.sophos.com/kb/en-us/127287 -> A self - signed certificate is required which issues certificate to IP address of XG . We need this self - signed certificate because the default appliance Certificate is issued to SophosApplianceCertificate_Appliance Key. If we will use the appliance certificate instead of creating the self signed certificate , browser will throw certificate error as the URL requested (IP address in our case ) and certificate issued to SophosApplianceCertificate_Appliance Key ) are different. -> Download and extract the created self signed certificate and import the Root CA from the bundle in the Trusted root authority of the system's mmc using kb link https://community.sophos.com/kb/en-us/123048 . The reason for downloading Root CA in the trusted root authority is because when we generate self-signed certificate the issuer of the certificate i.e. CA is the Default CA of Sophos and not SecurityAppliance_SSL_CA . Usually we have confusion that we have already imported Sophos SSL_CA in the trusted root authority then why are we getting certificate error. The reason being we have imported the Sophos SSL_CA in the trusted root authority and not Default CA . Sophos SSL_CA issues certificate for all web traffic of HTTPS for deep packet inspection . However , for the self signed certificate the issuer CA is Default CA and not Sophos SSL_CA. -> Also, in Administration > Admin Settings > Port Settings for Admin Console > Certificate > Self Signed Certificate . The reason behind this is that when request for https://<ip address :4444> i.e web admin console hits XG , the device presents self signed certificate and not Appliance Certificate to avoid Certificate error.

Michael Dunn · Answer

This thread is confusing the Certificate Authority - which is typically used for HTTPS man-in-the-middle decryption of proxied, with the appliance's own Certificate.

From what I understand, the poster is asking about the certificate that is used when you access WebAdmin at :4444.

First, go to Web \ Protection and make sure the HTTPS Scanning Certificate Authority is SecurityAppliance_SSL_CA. This is the out-of-the-box value and if you changed it, put it back.

Now go to Certificate, Certificate Authorities.

The "SecurityApplicance_SSL_CA" is the Certificate Authority which will sign all the HTTPS traffic that the Web Proxy does. Download and Install it all all end user clients that will proxying through the SFOS to far websites.

The "Default" is the Certificate Authority that will sign the HTTPS port :4444 on the appliance itself. Download and Install it on any client that will access WebAdmin.

Note: If you uploaded or regenerated any CA, please do this extra step. Under Certificates \ Certificates, there should be ApplicanceCertificate. If you click the gear you can regenerate the certificate using the current default CA.

Now when you access WebAdmin, it will be using a certificate generated from the CA that you have installed.

However - and this is a known issue, the certificate will still not be valid. This is not because of Certificate Authority, but because certificate that the SFOS generates will not have CN (common name) that matches the hostname. This is in part because hostname is something that was added as recently a v16 (strange, I don't understand how Cyberroam UTM and the early SFOS could not have a hostname).

For FF, when they warn you about the invalid certificate, in the pop-up you are given the option to permanantly store this exception.
For IE, go into Options, Security tab and add the site to Trusted sites.
For Chrome, it uses the IE setting. The navigation though settings is more complicated, just do it in IE.

That all being said -- you can just skip the CA stuff and add the exception/trust and I think that will work.

sachingurung · Answer

I have heard of a relevant issue which is caused due to the Default CA not having the common name field populated. I think this might be associated. If that doesn't help, creating a self signed certificate could, I haven't tried generating one yet, if you do please update us if it works.