Own CA SecurityAppliance_SSL_CA

 Hello,

 

Is there a way to import my own self-signed CA into the XG Firewall, use it as the default CA, and delete the standard Sophos CA?

 

Thank you

Harald

  • Harald,

    You cannot change the default CA. The appliance SSL certificate is a "special" certificate that decrypts and encrypts the HTTPS traffic on the fly in order to keep the HTTPS connection with the original HTTPS site unbroken.

    So in order to avoid the certificate error page, import the CA inside your browser.

    Regards

  • Hello lferrara,

     

    I'm not using the HTTPS decryption feature.

    I just want to import my own CA and my own VPN server certificate, because I have multiple users out there and I don't want to change all the existing configurations.

     

    I'm using a self-signed root CA with a self-generated VPN certificate and multiple intermediate certificates in between.

     

    So I guess I'm staying with my running configuration and not switching to Sophos if that's not possible.

    Thank you anyway for your answer.

     

    Kind Regards

    Harald

  • Harald,

    For other services that use HTTPS, you can upload your own CA and use the certificates issued by it.

    No limitation on that!

    Regards

  • lferrara,

     

    But how do I issue a new certificate with my CA and not the Sophos CA?

    I cannot select my CA to sign the new one when I generate one; the new one is signed with the Sophos CA.

     

    Thank you

    Harald

  • Harald,

    In order to generate a certificate signed by your CA, I advise you to generate it from your CA and then upload it to XG. The other option is to generate a CSR on XG, upload it to your CA, sign it there, and then upload the signed certificate to your XG.

    Thanks
  • lferrara,

    ok thank you.

    I will try that.

    Are intermediate certificates supported as well?

    I mean, is the complete chain served by the OpenVPN server?

    Because on UTM only the server certificate was used, and the log was full of broken-chain messages because the root CA was not known by the server, although I had imported the root CA as the verification CA.

    Thank you

    Harald

  • Intermediate-signed certificates are NOT supported in the SSL VPN. Be careful: I spent a day trying, and support dropped the usual line "it's like that by design".
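The two workflows lferrara describes (issue the server certificate from your own CA, or have your CA sign a CSR) and the chain question Harald raises can be reproduced offline with openssl. The script below is an added example written for this page; it is not code from the thread, from Sophos, or from the XG product, and it makes no claim about what the firewall itself does. It builds an invented root CA, an intermediate CA and a VPN server certificate (all names, CNs and file names are assumptions), then shows the difference between verifying the leaf against the root alone, which fails with "unable to get local issuer certificate" (the broken-chain symptom), and verifying it with the intermediate supplied as an untrusted link, which succeeds. The server certificate is produced from a CSR, exactly as it would be if the CSR came from the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos. Builds a private
# root CA -> intermediate CA -> VPN server certificate with openssl and shows
# how chain verification behaves with and without the intermediate.
# All names (Example Root CA, vpn.example.com, file names) are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the three-level chain. Idempotent: skips the work if the chain
# file already exists, so it can be called more than once.
build_chain() {
    [ -f "$WORK/server-chain.pem" ] && return 0

    # 1. Self-signed root CA. Extensions come from a config file so this
    #    also works on OpenSSL builds without "req -addext".
    cat > "$WORK/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/root.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

    # 2. Intermediate CA: a CSR signed by the root, CA:TRUE with pathlen 0.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE, pathlen:0' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$WORK/inter.ext"
    openssl x509 -req -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$WORK/inter.ext" \
        -out "$WORK/inter.pem" 2>/dev/null

    # 3. VPN server certificate. The CSR is what you would generate on the
    #    device and hand to your CA; here the intermediate signs it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:vpn.example.com' > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.pem" 2>/dev/null

    # 4. Chain file a server should present: leaf first, then the
    #    intermediate. The root stays in the client's trust store.
    cat "$WORK/server.pem" "$WORK/inter.pem" > "$WORK/server-chain.pem"
}

# Number of certificates in the chain file (expected: 2).
count_chain_certs() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/server-chain.pem"
}

# What a peer sees when only the leaf is served and only the root is
# trusted: "unable to get local issuer certificate", the broken-chain case.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Same leaf and same trust anchor, but the intermediate is supplied as an
# untrusted link, so the chain builds all the way to the root.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

build_chain
echo "chain file holds $(count_chain_certs) certificates (leaf + intermediate)"
if verify_without_intermediate; then
    echo "leaf only: OK"
else
    echo "leaf only: verification fails (intermediate missing)"
fi
if verify_with_intermediate; then
    echo "leaf + intermediate: OK"
fi
```

The `-untrusted inter.pem` argument is the offline equivalent of the server sending its intermediate in the TLS handshake: the verifier only trusts `root.pem`, and the intermediate is just a link it is allowed to use. If whatever you upload to the appliance ends up serving only `server.pem`, peers that trust only the root will see the first, failing case.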