
Managing/Deleting SSL VPN User Certificates

Hello,

I've browsed the forums for a bit, and thought it might be more effective to just ask. Everything I've seen deals with regenerating user certs and cert setup.

Is there a best-practice way to delete user certificates in UTM?

Example: Company A has lost a few remote-capable employees recently. They use AD sync for user authorization and authentication. The company still needs to keep the former employee AD accounts active for access to user information (email, locally stored files, etc.).

These users' passwords have been changed in the past, preventing unauthorized access. The company is concerned, however, that the cached/stored SSL user certificates still exist on the UTM.

Can these SSL user certs just be deleted?

If not, would removing them from the VPN AD group remove their account (and certificate) from the UTM?

This pops up when trying to delete the cert from Remote Access > Certificate Management > <<Specific User Cert Action = Delete>>

Any information on how to gracefully remove user certificates from the UTM would be much appreciated.

Thanks!



  • Hi, Edward, and welcome to the UTM Community!

    If your SSL VPN Profile grants access to a Backend Group based on an AD Security Group, removing the user's account from that AD Group will prevent SSL VPN access. If the AD password was already changed, the ex-employee would not have been authorized for access after connecting to the UTM's SSL VPN login window.

    Deleting the User object in WebAdmin will also prevent access. Once the User object has been deleted, you should be able to delete the associated cert without harassment from WebAdmin. In any case, ignore it and delete away.

    My recommendation would be to delete the ex-employees' AD accounts from the AD Groups and to delete their User objects and certificates in WebAdmin. If you have large numbers of current and former employees, there are some tricks to speed up the cleanup.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, thank you for your reply. I wasn't able to find much on the process.

    I'll report any issues if I have any.

    Thanks again!