
Signing Certificate loses chain when imported

I've just set up Decrypt and Scan for HTTP traffic on a UTM 9.509-3 box, and I'm having some trouble with the certificate that the UTM uses to sign the response back to the client.

Under Web Protection -> Filtering Options -> HTTPS CAs -> Verification CAs, I've successfully imported the public certificate of my Active Directory Intermediate Certificate Authority.  As I understand, that means the UTM trusts any certificate signed by that CA now.

I've then used the same Intermediate CA to generate a Subordinate Certificate authority certificate, exported it in PKCS#12 format along with the Private key, and uploaded it to the UTM under Web Protection -> Filtering Options -> HTTPS CAs -> Signing CA.  All seems to work OK, so far so good.

However, now when browsing HTTPS sites, the certificate generated by the UTM doesn't have any chain attached to it, so the client thinks it's an untrusted certificate.

Have I missed something in the configuration?

  • I don't see that this problem can be avoided.

    The client expects the received chain to include everything except the root certificate. UTM assumes that it IS the root certificate, so it does not send its signing certificate. Unless the UTM signing certificate has been pushed to the desktop devices, the certificate chain appears incomplete. If you have to push the UTM signing certificate to every PC anyway, there is no advantage over using the UTM-generated root certificate.

    For commercial certificates, the browsers use AIA fetching to find missing intermediate certificates. UTM is not going to generate an impersonation certificate with that information, because it thinks it is issuing from a root certificate already (and the code to include AIA information has probably never been attempted).
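The chain-building failure described above can be reproduced offline. The script below is an added illustration, not code from this thread or from Sophos: it builds a throwaway root CA, a subordinate CA issued by it (standing in for the proxy's signing CA) and a leaf issued by the subordinate, then verifies the leaf the way a client that trusts only the root would. With the leaf alone, verification stops at "unable to get local issuer certificate"; once the subordinate certificate is supplied alongside the leaf (or installed on the client), the chain closes. All names and paths are constructed for the demo and it assumes a standard openssl install.

```shell
#!/bin/sh
# Demo PKI: root CA (what clients trust) -> subordinate CA (the proxy's
# signing CA) -> leaf (an on-the-fly impersonation certificate).
# All names are constructed for this demo; nothing here touches a real CA.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() (
  cd "$WORK"
  # Self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Demo Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
    -extfile root.ext >/dev/null 2>&1
  # Subordinate CA issued by the root (pathlen:0 = may only issue leaves)
  openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
    -subj "/CN=Demo Subordinate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out sub.pem -days 30 -extfile sub.ext >/dev/null 2>&1
  # Leaf for a site, issued by the subordinate
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -out leaf.pem -days 30 -extfile leaf.ext >/dev/null 2>&1
)

# Verify the leaf as a client that trusts only the root would. $1 is the
# intermediate delivered alongside the leaf ("" = the proxy sent none).
# Returns 0 when openssl reports "OK", non-zero when the chain cannot be built.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
  fi | grep -q ': OK$'
}

make_demo_pki
if verify_leaf ""; then echo "leaf alone: trusted"; else echo "leaf alone: chain incomplete"; fi
if verify_leaf "$WORK/sub.pem"; then echo "leaf + subordinate: trusted"; else echo "leaf + subordinate: failed"; fi
```

The same check can be run against a live proxy by saving what `openssl s_client -showcerts` returns and verifying it against the root the clients trust.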

  • Thanks both for your replies.

    This seems very odd; on other proxies I've used (including the Sophos XG), on-the-fly certificate generation for SSL Decryption/Interception/Scanning is done by certifying the device as an Intermediate CA, so that clients trust the root CA which authorised it to sign certificates on its behalf.

    If it's the case that the UTM assumes it's always the root CA rather than a subordinate CA, why is there the option to upload a certificate generated from an external CA as the signing certificate?

    I couldn't find any documentation on how to set this up in UTM. What is the official method for signing Decrypted and Scanned HTTPS traffic? Since I already have a CA which my clients trust, I'd prefer to avoid having to install a second trusted root certificate.

  • IIRC you can use the intermediate CA for signing - but you still need to upload the root CA onto the UTM. Rather than using PKCS format (that should include the chain) try uploading each part of the chain separately.

    Here is an article for XG. As far as I know, UTM supports similar.

    https://community.sophos.com/kb/en-us/127885

  • It's been a while since I've done it with the UTM, Michael, but my recollection is that loading the items separately wasn't handled correctly by WebAdmin and the configuration daemon. I think he should open a case with Support. I actually think he overestimates the difficulty of distributing the UTM's Proxy CA as it's easy with a GPO.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA