XG 16.05 GA How to extract Appliance certificate please ?

Hello,

1. I would like to export the SSL certificate to publish at our own website. Could you please help because I cannot find it.

2. Please add the certificate to the user portal in XG, like it is in UTM. It would make my life a lot easier with mobile users.

Thanks !

Koen

  • On the main menu bar on the left, click "Certificates".  The certificate for the WebAdmin and Portal is there.  You could also change it to your own self signed or valid purchased certificate.

    The Certificate Authority used for HTTPS scanning is on the Certificate Authority tab.  By default, it is the one called SecurityAppliance_SSL_CA, however you can upload your own.  Within the Web configuration you can select it to be used.

    I don't know too much about the user portal, but there are various things where you can put in your own HTML or custom messages.  Maybe you can override it to include a link to the certificate?

  • Can you tell us how to download it? There is no download option. I can only generate a new one by clicking on the gear.

  • If you look at the right-hand side there is a button/icon for download of the default and the CA certificates.

    When installing the certificate you might need the password to prove certificate ownership.

  • On point 2 Koen is right.

    I had the same problem for companies that use XG HTTPS scan even for mobile.

    At the moment they send the CA via mail to users who are missing the CA on their mobile, but having it available on the user portal is much easier for everyone.

    I mentioned this limitation several months ago on another thread but I cannot find it at the moment.

  • The certificates are listed first.  On my machine they are "Default" and "SecurityAppliance_SSL_CA".   I was looking for a list entry which matched the certificate identity, which starts with "Sophos" for both certificates, and searching for certificates with name "Sophos" returned an empty result set.

    Once you know the right certificate, you can download it, but it comes down in compressed tar format (tar.gz).  Windows does not know how to open this format, but I think if you download 7-zip, it will support the tar.gz format.   I 

    Under Authentication... Client downloads, there is an option to download "Download CA for MSI", but this downloads the CA for Client Authentication, not the one that you need for HTTPS inspection.

    Above comments are based on version 16.5.

    Yes, it could definitely be easier.

  • I have been digging further.  These are my results.

    1) The appliance certificate has a root that is different from either the DEFAULT or SOPHOS_SSL roots.   It is not visible in the Admin console CA list.  It is included in the download chain, which is good and bad.   This allows it to be extracted (On Windows:  Connect with a browser that allows you to ignore errors, then view the certificate, then navigate up the certification chain, then use the Details tab and save to a file.)  Once downloaded, it can be loaded as a trusted third-party root certificate.

    2) However, the root certificate is not supposed to be included in a server's certificate chain; it is supposed to be pre-installed on the client for use in validating the certificate chain.  Most browsers ignore this error, but Microsoft Edge will not connect to the appliance as a result.
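The chain check that last post describes, as an added example rather than code from the thread or from Sophos: it parses a saved PEM bundle (for instance the output of `openssl s_client -showcerts` redirected to a file) and reports which served certificates are self-signed roots, the condition that makes Edge refuse the connection. The `skeleton_cert` fixtures are constructed, structurally valid X.509 skeletons with dummy key and signature bits, not real appliance certificates.

```python
import base64, re
OID_CN, OID_SHA256RSA, OID_RSA = "550403", "2A864886F70D01010B", "2A864886F70D010101"  # DER-encoded OIDs

def der_tlv(tag, body):
    """Encode one DER element (short or long length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(buf):
    """Split a DER SEQUENCE body into (tag, value) elements."""
    items = []
    while buf:
        tag, length, pos = buf[0], buf[1], 2
        if length & 0x80:                       # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
        items.append((tag, buf[pos:pos + length]))
        buf = buf[pos + length:]
    return items

def subject_and_issuer(der_cert):
    """Raw DER Name encodings (subject, issuer) of an X.509 certificate."""
    fields = der_children(der_children(der_children(der_cert)[0][1])[0][1])  # -> tbsCertificate
    if fields[0][0] == 0xA0:                    # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[4], fields[2]                 # serial, sigAlg, issuer, validity, subject, ...

def split_pem(text):
    """Extract every CERTIFICATE block, e.g. from saved `openssl s_client -showcerts` output."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def self_signed_positions(chain):
    """Indices of served certificates whose subject equals their issuer, i.e. root certificates."""
    return [i for i, c in enumerate(chain) if subject_and_issuer(c)[0] == subject_and_issuer(c)[1]]

def skeleton_cert(subject_cn, issuer_cn):
    """Constructed test fixture: structurally valid X.509 DER with dummy key and signature bits."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (single commonName)
        atv = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(OID_CN)) + der_tlv(0x0C, cn.encode()))
        return der_tlv(0x30, der_tlv(0x31, atv))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(OID_SHA256RSA)))
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, bytes.fromhex(OID_RSA))) + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg
                  + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
```

An empty result from `self_signed_positions` on a real capture means the server sends only leaf and intermediates, which is what a client with the root pre-installed expects.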