Replace HTTPS Scanning Certificate Authority (CA)

 Hi, I have uploaded a CA from our organization, and would like to generate a certificate for the Sophos box using this CA. If I can use this certificate, I do not have to deploy the Sophos CA to all PCs. 

 

Is that possible? Any tips?

 

Pieter

  • Hi  

    Please take a look at this KB article and the Related Information section for assistance. Here is also a useful thread post from one of our staff.

    Regards,

  • In reply to FloSupport:

    Thanks, I find this confusing. The article says you can replace the CA with an external one. However, I was not able to use my CA for the HTTPS scanning. The blog post basically says (if I interpret it right), you can't, you're stuck with the Sophos CA.

    So I am still confused.

    For now, I make sure that the range of IP addresses assigned to Byod does not have any scanning, only the desktops in the DHCP range get Http(s) scanning.

  • In reply to Pieter van Kampen:

    Hi,

    let's wrap up quickly:

    Yes, you can use a self-signed CA from a trusted domain like your Microsoft domain. https://community.sophos.com/kb/en-us/123003

    No, you cannot "buy" a CA from any certificate vendor for HTTPS scanning.

    Cheers

  • In reply to ManBearPig:

    Certificate Authority

    - browsers have a list of public CAs that they trust, managed by Microsoft, Firefox, etc

    - you cannot purchase a CA

    - you can have your own company CA, but you will need to install the CA on all browsers before they will trust it

     

    Certificate

    - you can purchase from a Certificate Authority which your browsers already trust

    - you can create your own "self-signed" certificates from your own Certificate Authority, but you will need to install the CA on all browsers before they will trust it

     

    On the XG, you can purchase a Certificate from a CA so that anyone who goes to myxg.mycompany.com does not get a warning.

    On the XG, you can replace the default CA with your own CA if you are already using a CA to sign internal computers.

     

    On any system, anywhere you cannot use a CA that has no browser installs or warnings.  That would allow you to do man-in-the-middle HTTPS decryption on all clients without them knowing, which is exactly what HTTPS tries to prevent.

     

  • In reply to Michael Dunn:

    Thanks, we do have a company CA, which is installed on all browsers.

     

    I have imported it in the Certificate Authority list in the Sophos XG.

    Then under Protect, Web, General Settings, I try to choose it as the HTTPS Scanning Certificate Authority CA, but there I can only choose SecurityApplicanc_SSL_CA or Default, but not my imported CA.

     

    So I am doing something wrong. You mentioned 

     

    On the XG, you can replace the default CA with your own CA if you are already using a CA to sign internal computers.

    In the Certificate Authority list, there is a "Default" CA, how can I replace that with my company CA?

  • In reply to Pieter van Kampen:

    Hi Pieter,

    This is an area that I only know a little about.  I don't think it has changed in years and to be honest I'm not sure who the expert is.  If I recall correctly last time that I looked at this it was a little finicky but I don't know the system's exact requirements.  I know that about a month ago I created a self-signed CA and imported it with PEM format.

    What you are doing sounds correct.  After it is in the Certificate Authority list, make sure it can display the details (Subject) and that it has a valid date range.  After that, Web - General Settings is where you select it.

    Perhaps trying a different format?  Perhaps trying to create a new CA (so you can play with details) then using that (and if it works then try and determine the difference)?

     

    Don't bother with Default - that is for something else.

  • In reply to Michael Dunn:

    Hi Pieter,

    When you import your company CA, you must also import the private key and the password. Once that is done, it should show up as an available HTTPS Scanning Certificate Authority.

    Mike

  • In reply to MichaelBolton:

    MichaelBolton

    When you import your company CA, you must also import the private key and the password. Once that is done, it should show up as an available HTTPS Scanning Certificate Authority.
     
    Thanks Michael.
    I had forgotten that you could upload a CA without the private key - so I didn't think of suggesting that.  In XG the page does double duty.
    If you upload a CA without the private key then it is trusted as a CA for sites you visit (where the site has a certificate from that CA).
    If you upload a CA with the private key then you can also use that CA to sign your own certificates that the XG creates.

    If you don't want to put in your company's CA and private key, you can have XG create a CSR (Certificate Signing Request), then use your company CA to create a Subordinate Certificate Authority based on that CSR.  You are basically creating a new CA for the XG, signed by your company CA.  The new subordinate CA can be uploaded (with its private key) to the XG.  That way you keep your company CA and private key separate from the XG.  However all clients that have the company CA installed should trust the certificates created by the XG, since they are created by a CA that was created by the company CA.
     
    More detailed instructions here:
    community.sophos.com/.../127885

  • In reply to Michael Dunn:

    Thanks all!

    I have distributed my company root certificate using a group policy, but was not able to import the CA, so I created a CSR and imported the subordinate including keys using the detailed instructions. 

  • In reply to Pieter van Kampen:

    Just for reference to others, I needed an extra step for Microsoft Visual Studio and Git to work (Sync) on Windows:

    Step 1, in the browser, select a certificate that uses the self signed root certificate, go to details, and Copy to File. Export in Base-64 encoded X.509 (.CER).

    Step 2, open the file in notepad and copy contents to the clipboard

    Step 3, open c:\users\<username>\ca-bundle.crt and add the contents to the end of the file

    The global git config file in c:\users\<username>\.gitconfig now has this:

    [http]
    sslCAInfo = c:\\users\\<username>\\ca-bundle.crt
    sslCAPath = c:\\users\\<username>\\
    sslVerify = true

     

    Note if you do not have the ca-bundle.crt file in your root directory, copy it from 

    C:\Program Files\Git\mingw64\ssl\certs
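
An added example, not code from this thread, from Sophos or from Git, covering two things discussed above: Michael Dunn's subordinate-CA approach (sign the XG's CSR with the company CA so the company root key never sits on the XG) and Pieter's step of appending the root certificate to Git's ca-bundle.crt. Everything in it is constructed for the demo: "Example Corp", every path, and all keys and certificates are made up on the spot in a temporary directory, and a locally generated CSR stands in for the one the XG would produce, since the XG itself is not part of an offline script. It assumes a POSIX shell with the openssl command line (Git Bash on Windows ships one) and no particular openssl.cnf.

```shell
#!/usr/bin/env bash
# Added example, not from the Sophos thread. All names, paths, keys and
# certificates are constructed here; "Example Corp" and the XG CSR are stand-ins.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the company root CA. In production this key stays on
# the CA host; only root.crt is distributed to clients (e.g. via GPO).
make_company_root() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/root.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Stand-in for the CSR the XG generates (on a real XG the key never leaves the box;
# a local key is used only so this demo runs offline).
make_xg_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp XG HTTPS Scanning CA" \
    -keyout "$WORK/xg.key" -out "$WORK/xg.csr" 2>/dev/null
}

# Sign the XG's CSR as a subordinate CA. pathlen:0 lets the XG mint leaf
# certificates only, never another CA; keyUsage restricts the key to signing.
sign_subordinate_ca() {
  printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid\n' > "$WORK/subca.ext"
  openssl x509 -req -sha256 -days 1825 -in "$WORK/xg.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/subca.ext" -out "$WORK/subca.crt" 2>/dev/null
}

# A leaf like the ones the XG would mint for a scanned site (constructed).
mint_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints = critical, CA:FALSE\nsubjectAltName = DNS:www.example.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/leaf.csr" \
    -CA "$WORK/subca.crt" -CAkey "$WORK/xg.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# True if the certificate carries the constrained CA extension set above.
is_constrained_ca() {  # $1 = cert
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE, pathlen:0'
}

# True if leaf -> subordinate -> a root in the trust bundle verifies.
chain_ok() {  # $1 = trust bundle, $2 = subordinate, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# True if a certificate with the same SHA-256 fingerprint is already in the bundle.
bundle_has_cert() {  # $1 = bundle, $2 = cert
  local want tmp f
  [ -f "$1" ] || return 1
  want="$(openssl x509 -in "$2" -noout -fingerprint -sha256)"
  tmp="$(mktemp -d)"
  # Split the bundle into one file per PEM block, then fingerprint each block.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || break
    if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ]; then
      rm -rf "$tmp"; return 0
    fi
  done
  rm -rf "$tmp"; return 1
}

# Append the cert to the bundle unless it is already there, so a login script
# can run this repeatedly without the bundle growing.
append_to_bundle() {  # $1 = bundle, $2 = cert (PEM or DER; re-emitted as PEM)
  if bundle_has_cert "$1" "$2"; then return 0; fi
  if [ -s "$1" ] && [ "$(tail -c1 "$1")" != "" ]; then printf '\n' >> "$1"; fi
  openssl x509 -in "$2" >> "$1"
}

count_bundle_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo() {
  make_company_root; make_xg_csr; sign_subordinate_ca; mint_leaf
  # An empty file stands in for a copy of Git's ca-bundle.crt; append the root twice.
  : > "$WORK/ca-bundle.crt"
  append_to_bundle "$WORK/ca-bundle.crt" "$WORK/root.crt"
  append_to_bundle "$WORK/ca-bundle.crt" "$WORK/root.crt"
  echo "certificates in bundle: $(count_bundle_certs "$WORK/ca-bundle.crt")"
  chain_ok "$WORK/ca-bundle.crt" "$WORK/subca.crt" "$WORK/leaf.crt" && echo "chain verifies"
}
demo
```

Two design points worth noting. The subordinate is issued with pathlen:0 and keyUsage limited to keyCertSign/cRLSign, so if the XG is ever compromised the damage is bounded to leaf certificates chaining to that one subordinate, which the company CA can then revoke without touching the root. On the Git side, the bundle is deduplicated by SHA-256 fingerprint rather than by file text, so re-running the append (for instance from a login script) never leaves two copies, and the final chain check confirms the bundle actually validates what the XG will present before sslVerify is relied upon.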