How to create CSR and install a Digicert SSL certificate for Webadmin portal?

Hi, 

I am running UTM 9.352-6. I'd like to install a Digicert SSL certificate to use when connecting to the UTM webadmin portal. Can someone please provide me some guidance on how to create the CSR for the certificate and later install the certificate on UTM?

Thanks for anyone's help!

  • Hi, and welcome to the UTM Community!

    You can generate a CSR at the UTM command line using the prescription in this KnowledgeBase article: community.sophos.com/.../115976.

    If you prefer to do this from the Windows command line with the free openssl tool:

    openssl genrsa -aes128 -out <private key file name>.key 2048
    openssl req -new -key <private key file name>.key -out <csr file name>.csr

    If I recall correctly, you can get a PKCS#12 format file from Digicert that you can upload without further hassle. If not, come back and tell us what they sent you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your reply! I tried to open the KnowledgeBase article that you linked but I get an error. I don't think the article exists anymore. Can you please link it again?
  • The blasted basic editor included the period in the link. I took it out and the link works now.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I created the CSR using OpenSSL on my Windows computer. I submitted it to Digicert and it's ready to download; the thing is, Digicert doesn't have PKCS#12 as an option to download the cert. The only options available are .p7b, .cer, .crt and .pem. How are any of these extensions compatible with UTM 9?
  • I think with a p7b, you should be able to do:

    openssl pkcs12 -export -in yourcert.p7b -inkey <private key file name>.key -out yourcert.p12

    And then upload that directly into Certificate Management. I haven't done that with a p7b, but it should have the Digicert CA as well as any intermediate CA already there. If that doesn't work, start with the pem and do

    cat yourdomain.crt <private key file name>.key digicertCA1 digicertCA2 > yourcert.p7b

    and then try the first command again. Any luck with either of those?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • This is an old post but I wanted to reply that I was able to figure it out. As of today, 11/01/2016, Digicert still does not provide PKCS#12 certificates. So hopefully this helps anyone out there that uses Digicert and has a UTM 9. 

    I followed the first steps that BAlfson suggests: create a private key and a CSR using OpenSSL.

    Then I submitted the CSR to Digicert, downloaded the individual .crt files (3 files in total for me) and combined them with BAlfson's cmdlets, except without the <private key file name>.key. Like so:

    cat cert1.crt cert2.crt cert3.crt > combined.crt

    You can only run the above command on a Linux machine, by the way. I have a Windows workstation and had to look for a Linux machine to run this.

    After, I ran the following:

    openssl pkcs12 -export -in <combined crt>.crt -inkey <private key file name>.key -out <your new cert>.p12

    After you hit Enter on the above command, you will be asked to enter your private key's password and then create an export password. You will need to enter the export password on the UTM when you upload the .p12 certificate. 

    I hope this helps! And thanks BAlfson for your guidance!
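    The combine-then-export recipe from this post and from Bob's earlier reply, written out as an added example (not code from the thread): a POSIX shell script for Linux or macOS that stands a throwaway CA in for the DigiCert chain, builds the .p12 the way described above, and then counts the certificates inside the bundle so a missing intermediate is caught before the upload rather than by a chain checker afterwards. The file names, the CN utm.example.invalid and the export password are all constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. Stands in a throwaway CA for the DigiCert
# chain, then builds the .p12 the way the posts describe and checks what is inside.
# File names, the CN and the export password are all constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='demo-export-password'   # constructed; UTM prompts for this at upload time

# Throwaway issuing CA, plus a key and CSR for the WebAdmin host (the thread's
# "openssl genrsa" / "openssl req -new" steps) and a leaf cert signed by that CA.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl genrsa -out "$WORK/webadmin.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/webadmin.key" -out "$WORK/webadmin.csr" \
    -subj "/CN=utm.example.invalid" 2>/dev/null
  openssl x509 -req -in "$WORK/webadmin.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 1 -out "$WORK/webadmin.crt" 2>/dev/null
}

# The thread's recipe: cat the certificates (never the private key) into one file,
# then let pkcs12 -export pair the matching cert with the key and carry the rest.
# $1 = bundle name, remaining args = certificate files in leaf-first order.
build_p12() {
  name=$1; shift
  cat "$@" > "$WORK/$name.crt"
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/webadmin.key" \
    -out "$WORK/$name.p12" -passout "pass:$PASS"
}

# Number of certificates inside a bundle. A result of 1 means the leaf went in
# alone, which is what "server is not sending the intermediate" checkers report.
count_certs_in_p12() {
  openssl pkcs12 -in "$WORK/$1.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Confirms the leaf really chains to the CA certificate we bundled with it.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/webadmin.crt" >/dev/null 2>&1 && echo ok
}

make_demo_chain
build_p12 full     "$WORK/webadmin.crt" "$WORK/ca.crt"   # complete chain: 2 certs
build_p12 leafonly "$WORK/webadmin.crt"                  # leaf alone: the intermediate error case
echo "full: $(count_certs_in_p12 full) cert(s), leaf-only: $(count_certs_in_p12 leafonly), chain: $(verify_chain)"
```

    Point count_certs_in_p12 at the bundle you are about to upload; anything less than the number of files you concatenated means a certificate was dropped or was not in PEM form.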

  • I was able to use a DigiCert cert without the use of OpenSSL.

    I did this process a while ago, so the following is from memory and may have a few missteps as I last did this as a renewal not from scratch.

    Also, there are likely different ways to get to the same places in the Sophos menu. I write the way I know to get to the options, your mileage may vary.

    • Open the DigiCert Certificate Utility for Windows
    • If you are renewing a cert,  find it and highlight it.
    • Click on the Create CSR link in the upper right area
    • If you are renewing, allow it to import the attributes
    • Generate the CSR
    • On the DigiCert site, login and click on the Request Cert tab
    • Paste the CSR in the box
    • Choose OTHER for the Server Platform
    • Fill in the other boxes with values appropriate for your company and the duration of the cert.
    • Submit the request
    • When you receive the certificate, save it to your PC and unzip as necessary
    • From within the DigiCert Certificate Utility, click on the Import link
    • Import the key (just the key for your router, not the included Digicert CA keys) and verify it's in the list
    • Once the key is listed in the DigiCert utility, select the key from the list, and choose Export Certificate
    • Choose to export the private key as a pfx file and check the box to include all certs in the path
    • Choose a complex password for the key and remember it
    • Open the Sophos web admin site
    • Click on the Webserver Protection / Certificate Management menus
    • Click on + New Certificate
    • Name the certificate something meaningful like WebAdmin site.
    • Change method to: Upload
    • Set file type to PKCS#12
    • Browse for the file you exported.
    • Enter the password you chose when exporting it.
    • Click on Save
    • Click on the Management / WebAdmin Settings menus
    • Click on the HTTPS Certificate tab
    • Pick the certificate from the drop-down list of certificates and click on Apply

    If you are doing this for the first time, you may also need to import the DigiCert CA certificates that came with your key in the zip file. If memory serves me right, you would do that in WebServer Protection / Certificate Management / Certificate Authorities.

     

  • Thanks, Larry - an excellent contribution that will help the great majority of admins much better than my suggestion above!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi Bob,

    I downloaded the certs from DigiCert in one .pem file that contains all the certificates. However, upon checking with DigiCert, it gives me the error "The server is not sending the required intermediate certificate." Any thoughts on this?

  • Hi KM and welcome to the UTM Community!

    Only that there's an intermediate certificate missing. What does "checking with DigiCert" mean?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA