
Is my self-signed VPN setup correctly?

Hello all,

I'm looking for a quick review of my SSL VPN setup and something that keeps going over in my head.

My UTM setup is:

I have both a publicly recognized cert as well as a self-signed one. My public X509 is issued to the *.domain.com wildcard and is correct. It is used for my portal and verifies correctly with all CAs. I also have the self-signed X509 user certs and VPN certs.

1. Under Cert Management --> Advanced, I have generated my self-signed X509 VPN signing cert, AKA my signing CA. This defaults to "Local X509 cert".

2. I have my user cert as well (X509 for user1)

3. For my SSL VPN, I have my Local X509 for my server certificate for cryptographic settings.

4. I've granted user1 access to the VPN and it will connect.

Questions:
My VPN does work correctly and I can connect in, but I don't understand how it isn't subject to a MITM attack if I am self-signing my own cert that I'm using to verify that vpn.domain.com is my own actual vpn.domain.com. At some point, isn't there a best practice to use a public CA or your private key to sign the cert?

Appreciate any help!
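As an added illustration (not part of the original post), the following script builds the same trust arrangement the setup above describes with openssl: a self-signed signing CA, a VPN server cert issued by it, and then a second cert for the same hostname issued by an unrelated CA, which a client trusting only the local CA rejects. It assumes openssl is installed; the names "Local VPN CA", "Some Other CA" and vpn.example.com are made up.

```bash
#!/bin/sh
# Added example, not from the original thread. Assumes openssl on PATH.
set -eu
work=$(mktemp -d)
cd "$work"

# 1. The UTM-style local signing CA: a self-signed root, as in step 1 of the post.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Local VPN CA" -keyout ca.key -out ca.crt 2>/dev/null

# 2. The VPN server certificate, signed by that CA (step 3 of the post).
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
  -keyout vpn.key -out vpn.csr 2>/dev/null
openssl x509 -req -in vpn.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -out vpn.crt 2>/dev/null

# 3. A certificate for the same hostname issued by an unrelated CA.
#    Without a copy of ca.key nobody can produce a cert that chains to ca.crt,
#    so this is the best an interposing party could present to the client.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Some Other CA" -keyout other.key -out other.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
  -keyout rogue.key -out rogue.csr 2>/dev/null
openssl x509 -req -in rogue.csr -CA other.crt -CAkey other.key -CAcreateserial \
  -days 365 -out rogue.crt 2>/dev/null

# What the VPN client does: verify the presented cert against ONLY the local CA
# (the CA bundled into the client profile), ignoring the public trust store.
# Prints "ok" or "rejected".
verify_against_local_ca() {
  if openssl verify -CAfile "$work/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

verify_against_local_ca "$work/vpn.crt"    # ok
verify_against_local_ca "$work/rogue.crt"  # rejected
```

The protection therefore rests on the client holding only your CA certificate and on ca.key never leaving the UTM; a public CA adds nothing here because the client is not asked to trust the public roots at all.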



Salut Aaron and welcome to the UTM Community!

I would think that a self-signed CA would be more secure than a publicly-signed CA.  Consider that you have to import the HTTPS Signing CA certificate into your browsers to avoid SSL warning messages because the Proxy uses a self-signed cert.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005
MediaSoft, Inc. USA