Guest User!

You are not Sophos Staff.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Certificate Startcom

Hi,

I created a free StartSSL certificate and I succesfully uploaded it in the Sophos XG. I did the same for the CA, but still my certificate is untrusted by my XG. I think I got the wrong CA but im not sure.

Greets,

Jeffrey



This thread was automatically locked due to age.
  • Jeffrey,

    can you share the error you have? Can you share the screenshot of CA and Certificated uploaded inside XG?

    Thanks

  • So I don't see why the authority still has a red cross

  • Hi Jeffrey,

     

    The X means that you've installed an intermediate cert, but something is missing in it's cert chain. You can get all their root certs here:

    https://www.startcomca.com/root

    I don't know which one(s) you might be missing, but hopefully the cert you have, plus the charts on the link above help identify what you're missing. I have used StartCom before, and had to install two or three different root and intermediate certs to make everything happy. 

  • Just an FYI about Startcom certificates:

    Google last week warned website owners that digital certificates from Chinese certificate authority WoSign and its subsidiary StartCom will no longer be trusted starting with Chrome 61.

    MozillaApple and Google last year decided to revoke trust in certificates from WoSign and StartCom as a result of more than a dozen incidents and issues brought to the attention of the web browser community since January 2015.

    Problems include backdating certificates to bypass restrictions, issuing certificates without authorization, and misleading browser vendors about WoSign's acquisition of StartCom and their relationship.

    Google started taking action against the firms in late January 2017, with the release of Chrome 56, which no longer accepted certificates issued by WoSign or StartCom after October 21, 2016.

    In order to minimize impact on website owners, Google has been restricting trust to popular hostnames based on the Alexa Top 1 Million list. This whitelist has been gradually reduced and starting with Chrome 61 it will be removed completely. Chrome 61 will reach the Developer channel in the coming weeks, the Beta channel in late July 20, and the Stable channel in mid-September.

    “Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users,” warned Devon O’Brien of the Chrome Security Team.

    Apple and Mozilla have decided to ban WoSign and StartCom for at least one year, but Google has not specified for how long it plans on distrusting certificates from these companies.

    The certificate authorities had several meetings with browser vendors, changed leadership and promised to completely separate WoSign from StartCom, but they did not convince Apple, Google and Mozilla. Apple was the first to announce plans to revoke trust in their certificates, followed by Mozilla, which justified its decision by arguing that the firms were deceptive.
    Source: Google to Completely Ban WoSign, StartCom Certificates in Chrome 61 | SecurityWeek.Com

  • Hi AlanT,

    Just like I thought, but I could not find the right root certificate. Thank you for the link. The first root certificate provided the answer, all works now.

    Greets,

    Jeffrey

  • Hi Jason,

    Thank you for this information, its a good thing to keep in mind.

    Greets,

    Jeffrey