Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 10 replies
  • Subscribers 3 subscribers
  • Views 6308 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Remote Access SSL VPN CA problems with OpenVPN

Brent Goben

Prior to an OpenVPN for Android update, all of our mobile devices could connect to our Sophos UTM 9 SSL VPN without error. Now there seems to be a problem because the new version of OpenVPN does not support the md5 authentication algorithm, which I believe our CA is using.

What we did up to this point was go into Remote Access SSL -> Advanced and changed our authentication algorithm from md5 to SHA2 256 and applied the change. Then went to the user portal and downloaded the config. Then imported the config into OpenVPN on the android devices.

We are now receiving the error "CA signature digest algorithm too weak". I believe that is because our VPN Signing CA is still using md5. At least that is what I see in the PEM file.

My question is if I choose to Regenerate Signing CA will our Signing CA then use the SHA2 256 algorithm? Would I be better off creating a new CA instead?

I gather that regenerating our signing CA will require everyone to download an updated config file, but will it cause any problems with any existing site-to-site VPN entries we have?



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    I'd suggest creating a new CA and use that if that's a feasible option.

    However, Regenerating the Signing CA will impact your Certificate-based Site-to-Site VPNs only. The warning next to the apply button states it clearly:

    Caution! The device and all user certificates will be regenerated using the new signing CA. This will break certificate based site-to-site and remote access VPN connections.

    And yes, all users will require to download the new config file.

    Regards

    Jaydeep

Reply
  • 0

    Hi  

    I'd suggest creating a new CA and use that if that's a feasible option.

    However, Regenerating the Signing CA will impact your Certificate-based Site-to-Site VPNs only. The warning next to the apply button states it clearly:

    Caution! The device and all user certificates will be regenerated using the new signing CA. This will break certificate based site-to-site and remote access VPN connections.

    And yes, all users will require to download the new config file.

    Regards

    Jaydeep

Children
Unfiltered HTML