Hello Team,
Would you please help to set up the CA on the firewall?
1. Why do we need to configure every single user with the CA?
2. I have followed the XG firewall document for the CA, but no luck.
I installed and configured the CA in Chrome, but it is showing as untrusted. Why does that happen? Is there any tool to debug it?
XG is performing a man-in-the-middle attack to inspect HTTPS traffic.
It is common practice to do this kind of attack.
In this case the client does not like to have a man in the middle. So it informs the user that there is something odd - this is your untrusted website.
Now Chrome accesses the Windows cert store. Did you install it as a trusted root CA? And which CA did you use?
In reply to ManBearPig:
Yes, I did. I trusted the default Sophos CA.
In reply to fahad noor:
There are 2 CAs on XG. Default and SSL. You use SSL for the SSL Decryption.
Yes, the SSL one.
On the user's Windows machine we need to log in to the XG firewall page and download the certificate, then add it to the trusted root.
Can we push this activity remotely?
Hi, check out this post:
Install the UTM-generated SSL certificate into your systems. Like this: https://community.sophos.com/kb/en-us/115315#How%20to%20deploy%20the%20Proxy%20CA - note that using the Active Directory deployment method doesn't cover Firefox because years ago Firefox divorced its certificate management from Windows and there is no "easy" way to deploy that certificate on a mass scale - unless someone has access to GPO templates that include the Firefox certificate store since the last time I looked for some.
The steps in that article are a bit light on how to do that AD import, but this article for their web gateway applies https://community.sophos.com/kb/en-us/42153#GPMC - just use the cert you download from the AD step in the previous article in step 8 from this link to the "Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)" procedure.
My installation only has one certificate, the default. How do I get the other?
In reply to Donald Schlicht:
Can you post a screenshot please?
Here is the screenshot:
This is your appliance certificate.
You need to import the CA (Certificate Authority).
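An added example (not part of the thread, and not Sophos code) for checking on a Windows client whether the file downloaded from the firewall is actually a CA certificate rather than an appliance certificate, and whether it is present in a Trusted Root store. `$CertPath` is a placeholder for wherever the downloaded file was saved.

```powershell
# Added example, not from the thread. $CertPath is a placeholder for the
# certificate file downloaded from the firewall (DER or Base64 .cer/.pem).
param([Parameter(Mandatory)][string]$CertPath)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path -LiteralPath $CertPath).ProviderPath)

# A CA certificate carries Basic Constraints (OID 2.5.29.19) with CA = true.
# An appliance (server) certificate does not, and trusting it will not make
# the certificates issued by the firewall during HTTPS inspection trusted.
$bc   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
$isCa = [bool]($bc -and $bc.CertificateAuthority)

# Look for the same certificate (by thumbprint) in the stores that matter.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\CA'
$foundIn = foreach ($store in $stores) {
    if (Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) { $store }
}

[pscustomobject]@{
    Subject     = $cert.Subject
    Issuer      = $cert.Issuer
    SelfSigned  = ($cert.Subject -eq $cert.Issuer)
    IsCA        = $isCa
    NotAfter    = $cert.NotAfter
    Thumbprint  = $cert.Thumbprint
    InstalledIn = ($foundIn -join ', ')
} | Format-List

if (-not $isCa) {
    Write-Warning 'Not a CA certificate (likely a server/appliance certificate).'
}
elseif (-not ($foundIn -like '*\Root')) {
    Write-Warning 'CA certificate is not in a Trusted Root store on this machine.'
}
```

Firefox keeps its own certificate store, so a clean result here says nothing about Firefox on the same machine.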
Ok how do I import the certificate authority?
Simply download it and upload it to the clients.
You will find more details here: