Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 2 subscribers
  • Views 3439 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEA private key for SSL cert

Paul Digby

Easy enough to generate the csr in SEA. But, where does the private key come from, which you will be asked for when you upload cert to SEA?

On the Sophos Firewall, the csr generates the pair, but SEA only generates csr



This thread was automatically locked due to age.
Parents
  • 0
    Hi Paul, When you generate the csr from the appliance the private key is generated and stored on the appliance. Once you get you response and upload it via the pending csr link the private key is appended automatically (so you only need to upload the csr response) This is the recommended / supported method to add certs to the appliance. If you really want you can generate your own csr and build a cert from scratch. In this case you will need to provide the private key with the fully completed chain. I did up a walkthrough on completing the certificate however its not recommended and kind if a waste if time. Just do your csr from the appliance and submit it to godaddy or wherever you should not slend more than 5$ and all it needs is the resolvable fqdn of the appliance.
  • 0 in reply to Red_Warrior

    So, as I understand it now from your reply (benefit of others as well)

    1) System, Certificates, Add
    2) Enter the details particularly fqdn of SEA (name.domainname)
    3) Next, Finish
    4) There now appears a Pending csr upload certificate
    5) Submit csr to goDaddy
    6) Use openSSL to convert .crt file (ssl cert) to a .pem
    7) Click on upload certificate and select .pem file (that was converted from .crt to .pem)


    One question, the key contains a password? How is that set / retrieved?

  • 0 in reply to Paul Digby

    you should not need any passwords or conversions.  Just request the format as "apache" and you should get the correct bundle.

    Then you will be able to copy/paste the intermediates and root certs .. just make sure there are no extra spaces at the ends or line feeds.   (I usually recommend pasting it into notepad++ first, then into the appliance window) 

    you could use a tool like..

    https://www.sslshopper.com/certificate-decoder.html

    this will decode the cert godaddy gives you... you will see like..

    first line (the name of the cert you pasted in)

    second line is some other info

    usually the 3rd or 4th line contains the name of the certificate that's next in the chain

     

    they will need to be in the proper order.

    and the appliance will not allow you to continue if the order is incorrect or your missing a part.

     

    once your done, select it for tls.. give it a few mins and go to checktls.com and make sure you get the right cert and there are no validation issues. 

     

     

    *** I do NOT recommend web/tools to decode private keys or csr chains.  if you must, use the openssl client directly.

Reply
  • 0 in reply to Paul Digby

    you should not need any passwords or conversions.  Just request the format as "apache" and you should get the correct bundle.

    Then you will be able to copy/paste the intermediates and root certs .. just make sure there are no extra spaces at the ends or line feeds.   (I usually recommend pasting it into notepad++ first, then into the appliance window) 

    you could use a tool like..

    https://www.sslshopper.com/certificate-decoder.html

    this will decode the cert godaddy gives you... you will see like..

    first line (the name of the cert you pasted in)

    second line is some other info

    usually the 3rd or 4th line contains the name of the certificate that's next in the chain

     

    they will need to be in the proper order.

    and the appliance will not allow you to continue if the order is incorrect or your missing a part.

     

    once your done, select it for tls.. give it a few mins and go to checktls.com and make sure you get the right cert and there are no validation issues. 

     

     

    *** I do NOT recommend web/tools to decode private keys or csr chains.  if you must, use the openssl client directly.

Children
Unfiltered HTML