This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Importing cert into HTTPS proxy from local CA

The current HTTPS proxy certificate generated by Sophos uses sha1 which makes Chrome complain (Google Online Security Blog: Gradually sunsetting SHA-1)

I would like to import my own certificate from my Windows CA which generates certificates with SHA254. This would also remove the requirement to import the Sophos Certificate as a trusted root certificate authority since my domain already trusts my Windows CA certificate.

The part that I am not sure of is do I need to get a certificate generated by my CA for Sophos and import that or do I import my CA certificate?

This thread was automatically locked due to age.

Parents

0 Scott_Klassen over 10 years ago

Try this and see if it helps: How to use your own HTTPS Proxy CA certificate on the Astaro Security Gateway
Cancel
Vote Up 0 Vote Down

Cancel
0 ChristopherCourtney over 10 years ago in reply to Scott_Klassen

Try this and see if it helps: How to use your own HTTPS Proxy CA certificate on the Astaro Security Gateway

I can't speak for him,. but that's exactly what I did with a CA Cert from my Windows Active Directory Domain controller.
The cert originally is a SHA-256 encrypted cert. But importing it into Sophos/Astaro ... well everything is signed as SHA-1, and Chrome flags EVERY HTTPS site as unsecure, unless it's been bypassed.

This is clearly an issue with Sophos/Astaro UTM and not the certificate. Though, arguable an issue with Chrome/Google, but better security is always good.

Please update the Squid proxy configuration to use a BETTER encryption scheme.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ChristopherCourtney over 10 years ago in reply to Scott_Klassen

Try this and see if it helps: How to use your own HTTPS Proxy CA certificate on the Astaro Security Gateway

I can't speak for him,. but that's exactly what I did with a CA Cert from my Windows Active Directory Domain controller.
The cert originally is a SHA-256 encrypted cert. But importing it into Sophos/Astaro ... well everything is signed as SHA-1, and Chrome flags EVERY HTTPS site as unsecure, unless it's been bypassed.

This is clearly an issue with Sophos/Astaro UTM and not the certificate. Though, arguable an issue with Chrome/Google, but better security is always good.

Please update the Squid proxy configuration to use a BETTER encryption scheme.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 eporro over 10 years ago in reply to ChristopherCourtney

I can't speak for him,. but that's exactly what I did with a CA Cert from my Windows Active Directory Domain controller.
The cert originally is a SHA-256 encrypted cert. But importing it into Sophos/Astaro ... well everything is signed as SHA-1, and Chrome flags EVERY HTTPS site as unsecure, unless it's been bypassed.

This is clearly an issue with Sophos/Astaro UTM and not the certificate. Though, arguable an issue with Chrome/Google, but better security is always good.

Please update the Squid proxy configuration to use a BETTER encryption scheme.

That sucks. I was hoping that it would leave the certificate alone and use SHA256
Cancel
Vote Up 0 Vote Down

Cancel