
certificate issues

hi all

I have UTM9, and there is a problem with the host name in the web certificate setting.

We changed the host name and didn't re-generate the certificate, so we are getting an error when we try to access the UTM web interface, saying "your connection is not secure".


This is where we use the cert:

"Used in these configurations:
Email Protection → SMTP → Advanced
Management → WebAdmin Settings → HTTPS Certificate"

My questions are:

1- If we re-generate it by correcting the host name, will this affect production? I mean, is this gonna affect the network or anything live while applying the new setting?

2- Is this going to fix the public access? Like, if I want to log in to the UTM from home, will I still get the error message "This server could not prove that it is XXXX; its security certificate is from YYYY. This may be caused by a misconfiguration or an attacker intercepting your connection."

3- Will this fix the SMTP error too?


FYI, the cert said it's valid till 2037.


Best



  • I will try to summarize Public Key Infrastructure technology.

    The first step in encryption is to verify that you are talking to the right server. You use a DNS name in your browser. The browser uses DNS to convert it to a number and connect to the server. The server responds with a certificate that says, "This is my name (or my list of names)." The browser checks that the DNS name you used matches a name in the returned certificate.

    But anybody can lie, so you need both a certificate with the right name and a certificate issued by someone you trust. Technically, this means that the certificate needs to have a signature chain back to a certificate that you have installed as a trusted root. Normally, this means that you need a certificate issued by a commercial certificate authority, for which you pay a fee.

    UTM creates its own root certificates, which it uses for HTTPS Inspection, SSL VPN, and other purposes. These root certificates are then used to sign other certificates. For client devices to trust these certificates, you must load the root certificate onto each client device.

    Because user portal may be accessed from many devices, it is generally not feasible to preload a root certificate on each one, so a commercial CA certificate is preferred.

    LetsEncrypt.org provides a way to get a certificate for free, using a fully automated process, but the certificate must be updated frequently. I think others in this forum are using it successfully.

    So in summary, you can always expect to get the certificate error until you buy and install a commercial certificate, or until you install the UTM root certificate on your home devices.

    The hostname and the certificate name do not have to match, as long as you have configured the override hostname in the places where it is used.  (user portal, web admin, smtp)

  • Thanks, Doug, that will be helpful to many people.

    Leo, to change the hostname, use the trick listed in The Zeroeth Rule in Rulz.

    Yes, this will change the underlying CA for all certificates.  If you're doing 'Decrypt and scan' in Web Filtering you will need to redistribute the new HTTPS CA to all users.

    Yes, this will cause you to have to distribute new SSL VPN Remote Access configurations because the UTM and the users will all have new certificates.  If you do the rename as suggested, first change the SSL VPN Protocol to UDP.

    Of course, you also can change the hostname separately for the VPN and for SMTP, but that's not a nice thing to do to the person that follows you.

    Cheers - Bob

  • This is awesome, I like the way you explained it, and now I have many things cleared up for me.

    But I still have a few questions, if you can answer them please.


    If I have in my network (Exchange, domain, web server) and they are all protected with the UTM, will this certificate issue affect using these servers? Like, one of the users is using email from home and she said she has a certificate error on her mobile email app!

    About the CA, you mean I can have a certificate from my domain provider and use it in the UTM?

    Thanks

  • Is it better to do it at off-work time, and make people log out and log in again to their email app?

  • It only takes a few minutes to use that trick, so it depends on your situation and whether or not you have to worry about the following.

    If their email client is not web-based using HTTPS or you're not using 'Decrypt and Scan' in Web Filtering, then there should be no effect on that part.  Changing the Hostname only affects the banner that the SMTP Proxy sends when it relays your emails to external domains.

    It only affects VPNs and Remote Access if you're using certificate-based like Cisco, IPsec, SSL VPN and L2TP/IPsec with certificates.

    Cheers - Bob

  • When I bought my commercial certificate, I used a different name than the hostname. Never bothered to change the hostname. Certificate name is used for user portal, webadmin, and VPN SSL.

  • Thanks for the info, but why is it used in the SMTP?

    "Used in these configurations:
    Email Protection → SMTP → Advanced
    Management → WebAdmin Settings → HTTPS Certificate"

  • Bob... let me know if I am wrong.


    Now I can generate a certificate request and send it to a CA to get it signed, then I can use it for my web interface, VPN, Remote Access, SMTP and TLS... right?


    FYI, we are hosting a web server locally and it's serving our web site. Also, I found a GoDaddy certificate in the Exchange server; I think I can import it to the UTM and use it for the TLS?

  • Yes, and it appears that you've understood that the cert is used to negotiate TLS in the SMTP Proxy.

    Cheers - Bob

  • Bob, one last question... do I have to have a "signed" certificate from a CA for the VPN? If it's self-signed, will the browser show that error again? If I want to connect to a branch and browse the intranet, for example.