SEA private key for SSL cert

Easy enough to generate the CSR in SEA. But where does the private key come from, which you will be asked for when you upload the cert to SEA?

On the Sophos Firewall, the CSR generates the pair, but SEA only generates the CSR.

This thread was automatically locked due to age.
  • Hi Paul, when you generate the CSR from the appliance the private key is generated and stored on the appliance. Once you get your response and upload it via the pending CSR link, the private key is appended automatically (so you only need to upload the CSR response). This is the recommended / supported method to add certs to the appliance. If you really want, you can generate your own CSR and build a cert from scratch. In this case you will need to provide the private key with the fully completed chain. I did up a walkthrough on completing the certificate, however it's not recommended and kind of a waste of time. Just do your CSR from the appliance and submit it to GoDaddy or wherever; you should not spend more than $5 and all it needs is the resolvable FQDN of the appliance.
  • So, as I understand it now from your reply (for the benefit of others as well):

    1) System, Certificates, Add
    2) Enter the details, particularly the FQDN of SEA (name.domainname)
    3) Next, Finish
    4) There now appears a "Pending CSR" upload certificate link
    5) Submit the CSR to GoDaddy
    6) Use OpenSSL to convert the .crt file (SSL cert) to a .pem
    7) Click on upload certificate and select the .pem file (that was converted from .crt to .pem)


    One question: the key contains a password? How is that set / retrieved?

  • You should not need any passwords or conversions. Just request the format as "apache" and you should get the correct bundle.

    Then you will be able to copy/paste the intermediate and root certs... just make sure there are no extra spaces at the ends or line feeds. (I usually recommend pasting it into Notepad++ first, then into the appliance window.)

    You could use a tool like...

    https://www.sslshopper.com/certificate-decoder.html

    This will decode the cert GoDaddy gives you... you will see something like:

    first line (the name of the cert you pasted in)

    second line is some other info

    usually the 3rd or 4th line contains the name of the certificate that's next in the chain

    They will need to be in the proper order.

    And the appliance will not allow you to continue if the order is incorrect or you're missing a part.

    Once you're done, select it for TLS... give it a few minutes and go to checktls.com and make sure you get the right cert and there are no validation issues.

    *** I do NOT recommend web tools to decode private keys or CSR chains. If you must, use the openssl client directly.
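
An added example, not code from this thread: the openssl-based checks the reply above points to, scripted so the bundle can be checked offline before it is pasted into the appliance. It splits a PEM bundle into its certificates, confirms each one's Issuer matches the Subject of the certificate that follows it (leaf, intermediate(s), root), and flags trailing spaces or CR characters. It assumes the openssl CLI is on the PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a PEM certificate bundle before uploading it.
# Assumes the openssl CLI is on the PATH. Expected order: leaf, intermediate(s), root.

# Return 0 if no line in the bundle ends with a space, tab or CR; stray CRLF
# line endings and trailing blanks are what make the paste box reject a bundle.
bundle_clean() {
  ! grep -q '[[:space:]]$' "$1"
}

# Return 0 when, for every certificate but the last, its Issuer equals the
# Subject of the certificate that follows it; report each mismatch on stderr.
chain_order_ok() {
  bundle="$1"
  tmp=$(mktemp -d)
  # Split the bundle: from each BEGIN line onward goes into N.pem; any text
  # before the first BEGIN (e.g. a decoded "subject=" line) is dropped.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (d "/" n ".pem")}' "$bundle"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  i=1; rc=0
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$tmp/$j.pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$subject" ]; then
      echo "certificate $i is issued by [$issuer] but certificate $j is [$subject]" >&2
      rc=1
    fi
    i=$j
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Run it as `chain_order_ok bundle.pem && bundle_clean bundle.pem` on the file you intend to paste; a non-zero exit means the appliance will most likely reject it too.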

  • I forgot the bit about adding the Trusted Certificate Authority.

    I have a SEA to commission (using a goDaddy cert) and will update here when uploaded successfully.


    Thanks
