certificate error

Tiago,

here you have 2 issues:

1. the Certificate is issued to a different IP/FQDN
2. you did not import the CA inside your Computer Certificates

For the first issue, you can generate a different Certificate and making sure that the Common Name reflects your IP address.

For the second, make sure to use the Certificates Snap-in.

For the Captive portal, at the moment there is no way to use the FQDN  but only the IP.

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11580213-captive-portal-fqdn-support

Regards

Sorry for my ignorance on this subject.
On this first solution: the Certificate is issued to a different IP / FQDN
Would you have some step by step how to do this procedure?

About this question: You did not import the CA inside your Computer Certificates
Access Certificate> Certificate authorizations> SecurityAppliance_SSL_CA clicked on download and installed on the desktop, but did not work. Was there any procedure for me to check what I did wrong?

Tiago,

in order to import the CA into your windows Computer, use this old guide:

http://www.dartmouth.edu/~deploypki/materials/web_authn/pages/IISonXP_AddingTrustedCACertToComputer.htm

For the first issue, the Common name must reflect the IP or FQDN used. So you need to create on XG a self-signed certificate under Certificate where the CN is the internal IP and change it under Administration > Admin settings.

Regards

Hi  

Thanks for answering. This first procedure I did inclusive, I installed the certificate in my windows 10, but the certificate error continues to appear.

About generating the certificate itself, I was able to generate the certificate, but soon after generating this certificate, what next? Do I need to have an internal CA?

Thanks in advance for your help!

Tiago,

if the error still appear something is wrong. You have to read carefully what the Browser is telling you about the error. Take note that you need to import the CA:

https://community.sophos.com/kb/en-us/123048

Because the Default CA is not trusted by your browser. It is not in the list of the approved CA. Every browser comes with a list of "good" CA, which are the popular CA around the world.

Because CA uses hierarchies, if you trust the CA all the Certificates generated by the trusted CA will be also trusted.

https://technet.microsoft.com/en-us/library/cc962065.aspx

Once the CA has been trusted, make sure that the certificate you generated, the Common Name reflects the name/ip you are generating for.

For example, if you need to generate a certificate for webmail.test.com, you will need to generate a certificate where the CN is webmail.test.com

If the webmail service also is reached using IP, you need to generate another certificate, because the CN is webmail.test.com but you are trying to access the service by IP, so the CN does not match.

Tks for the help

Tks for the help