Hi, I have uploaded a CA from our organization, and would like to generate a certificate for the Sophos box using this CA. If I can use this certificate, I do not have to deploy the Sophos CA to all PCs.
Is that possible? Any tips?
Hi Pieter van Kampen
Please take a look at this KB article and the Related Information section for assistance. Here is also a useful thread post from one of our staff.
In reply to FloSupport:
Thanks, I find this confusing. The article says you can replace the CA with an external one. However, I was not able to use my CA for the HTTPS scanning. The blog post basically says (if I interpret it right) you can't; you're stuck with the Sophos CA.
So I am still confused.
For now, I make sure that the range of IP addresses assigned to BYOD does not have any scanning; only the desktops in the DHCP range get HTTP(S) scanning.
In reply to Pieter van Kampen:
Let's wrap up quickly:
Yes, you can use a self-signed CA from a trusted domain like your Microsoft domain. https://community.sophos.com/kb/en-us/123003
No, you cannot "buy" a CA from any certificate vendor for HTTPS scanning.
In reply to LuCar Toni:
- browsers have a list of public CAs that they trust, managed by Microsoft, Firefox, etc
- you cannot purchase a CA
- you can have your own company CA, but you will need to install the CA on all browsers before they will trust it
- you can purchase from a Certificate Authority which your browsers already trust
- you can create your own "self-signed" certificates from your own Certificate Authority, but you will need to install the CA on all browsers before they will trust it
On the XG, you can purchase a Certificate from a CA so that anyone who goes to myxg.mycompany.com does not get a warning.
On the XG, you can replace the default CA with your own CA if you are already using a CA to sign internal computers.
On any system, anywhere you cannot use a CA that has no browser installs or warnings. That would allow you to do man-in-the-middle HTTPS decryption on all clients without them knowing, which is exactly what HTTPS tries to prevent.
In reply to Michael Dunn:
Thanks, we do have a company CA, which is installed on all browsers.
I have imported it in the Certificate Authority list in the Sophos XG.
Then under Protect, Web, General Settings, I try to choose it as the HTTPS Scanning Certificate Authority CA, but there I can only choose SecurityApplicanc_SSL_CA or Default, but not my imported CA.
So I am doing something wrong. You mentioned
In the Certificate Authority list, there is a "Default" Ca, how can I replace that with my company CA?
This is an area that I only know a little about. I don't think it has changed in years and to be honest I'm not sure who the expert is. If I recall correctly last time that I looked at this it was a little finicky but I don't know the system's exact requirements. I know that about a month ago I created a self CA and imported it with PEM format.
What you are doing sounds correct. After it is in the Certificate Authority list, make sure it can display the details (Subject) and that it has a valid date range. After that, Web - General Settings is where you select it.
Perhaps trying a different format? Perhaps trying to create a new CA (so you can play with details) then using that (and if it works then try and determine the difference)?
Don't bother with Default - that is for something else.
When you import your company CA, you must also import the private key and the password. Once that is done, it should show up as an available HTTPS Scanning Certificate Authority.
In reply to MichaelBolton:
MichaelBolton: When you import your company CA, you must also import the private key and the password. Once that is done, it should show up as an available HTTPS Scanning Certificate Authority.
I have distributed my company root certificate using a group policy, but was not able to import the CA, so I created a CSR and imported the subordinate including keys using the detailed instructions.
Just for reference to others, I needed an extra step for Microsoft Visual Studio and Git to work (Sync) on Windows:
Step 1, in the browser, select a certificate that uses the self signed root certificate, go to details, and Copy to File. Export in Base-64 encoded X.509 (.CER).
Step 2, open the file in notepad and copy contents to the clipboard
Step 3, open c:\users\<username>\ca-bundle.crt and add the contents to the end of the file
The global git config file in c:\users\<username>\.gitconfig now has this:
[http]
    sslCAInfo = c:\\users\\<username>\\ca-bundle.crt
    sslCAPath = c:\\users\\<username>\\
    sslVerify = true
Note if you do not have the ca-bundle.crt file in your root directory, copy it from
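As an added example (not from the thread above or from Sophos), a small Python script that performs Step 3 more safely than pasting in Notepad: it parses the Base-64 .CER exported in Step 1, skips the certificate if ca-bundle.crt already holds one with the same SHA-256 fingerprint, and makes sure the appended block starts on a fresh line, since a bundle whose last line has no newline would glue the END and BEGIN markers together and Git/OpenSSL would stop reading the bundle there. The file names are the ones from the post; the command-line usage is an assumption.

```python
import base64
import hashlib
import re
import sys

# One PEM certificate block; \s* tolerates the CRLF line endings that the
# Windows "Copy to File" wizard writes and that Notepad preserves.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def pem_to_der_list(text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode(re.sub(r"\s+", "", body), validate=True)
            for body in _PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint in the AA:BB:... form certificate viewers display."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def to_pem(der):
    """Canonical PEM: 64-column base64, LF line endings, trailing newline."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def merge_bundle(bundle_text, exported_cer_text):
    """Return (new_bundle_text, added). The exported .CER must hold exactly one
    certificate; it is skipped when the bundle already has the same fingerprint."""
    new = pem_to_der_list(exported_cer_text)
    if len(new) != 1:
        raise ValueError("expected exactly one certificate in the exported .CER")
    known = {fingerprint(d) for d in pem_to_der_list(bundle_text)}
    if fingerprint(new[0]) in known:
        return bundle_text, False
    # Without this, "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" ends up
    # on one line and the parser silently drops every certificate after it.
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + to_pem(new[0]), True

if __name__ == "__main__":  # assumed usage: python merge_ca.py ca-bundle.crt root.cer
    bundle_path, cer_path = sys.argv[1], sys.argv[2]
    # utf-8-sig strips a BOM in case Notepad added one when the .CER was re-saved
    with open(bundle_path, encoding="utf-8-sig") as f, open(cer_path, encoding="utf-8-sig") as g:
        merged, added = merge_bundle(f.read(), g.read())
    if added:
        with open(bundle_path, "w", encoding="ascii", newline="\n") as f:
            f.write(merged)
    print("added" if added else "already present")
```

Run it once per machine after each Step 1 export; re-running is harmless because duplicates are detected by fingerprint rather than by text.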