Replace the device SSL with a trusted SSL

Hi all,

I want to replace the current self-signed SSL the device came with and replace with a trusted SSL so that I don't receive certificate errors or warnings. Can someone explain the steps involved to replace and also, can we use a wildcard SSL?

thanks



  • I'd like to add this too:

    When generating the CSR, I can't find any info regarding the following:

    Valid Until (is this the expiry for the CSR or the expiry for the certificate?)

    Certificate ID (I'm unable to find any info as to what this is referring to. If I select IP, is this the internal IP or external IP? Also available: DNS and email address.) What is this used for, since it's not a requirement when creating CSRs with IIS?

    Thanks

  • Paul,

    On XG v15 there is no way to change the hostname. By default the name is "Sophos". I advise you to upgrade to v16 (beta now) where you can configure the name (for example DNS name) and create your CSR and upload to any public CA and generate the certificate.

    Otherwise you will always have a problem if the XG is not called "Sophos" inside your network. See the limitation illustrated in this thread:

    https://community.sophos.com/products/xg-firewall/f/46/t/11200

    Thanks

  • Hi Luk,

    I read the thread you sent.

    Am I reading it correctly? You can't access the XG using an FQDN, only by IP?

    Therefore replacing the self-signed certificate with a trusted SSL won't work and I will continue to get certificate errors when I try to access the user portal?

  • Paul,

    You can access the XG using the FQDN, but the CN inside the certificate always contains the IP address, so you will always have a certificate error, like "Certificate common name does not reflect the CSR common name".

    This happens on v15.

  • Thanks Luk.

    Can you tell me what the settings are in the original question?

    Primarily, when generating the CSR on the XG, what does it mean by Certificate ID? I've only ever generated CSRs from IIS and never get asked for this. I can't find any documentation as to what this field is referring to.

  • Luk,

    Just to add.

    What I'm trying to achieve is securing the User Portal with a trusted SSL from outside the organisation.

    So. If a user from home hits

    "" to access the user portal, I want them to receive zero warnings about the certificate. Are you saying that this isn't possible with version 15?

  • Paul,

    As you see from the thread, XG will always return the IP address, so a certificate warning will appear.
