Install Certificate (.cer)

Hello,

 

im trying to install a Cerficate on the XG firewall.

we generate a CSR file, and requested the Cerfificate. when i try to upload the certificate to sophos i receive an error.

 

first we go to system certificates

* choose upload certificate
* give it the name it should have, upload a .CER file en choose the private key its in the csr file.
* with no Password.

* press save. then the next fault will be shown.

 

hope someone can help me.

Greets Kevin

  • Kevin,

    make sure to import the CA and to import the Certificate using pkcs12 or PFX format as described here:

    https://community.sophos.com/products/xg-firewall/f/vpn/75396/godaddy-ssl-certificate-for-user-portal

    Regards

  • In reply to lferrara:

    ok, we did these steps only step 6 whe not sure of. we only have a got

    * geotrust global.cer

    *sophos.company.cer

    * trustprovider...cer

    i can convert the sophos.cer to a p7b file but not the pkcs12

    after import the p7b i got the following error message.

     

    1. openssl req -new -newkey rsa:2048 -nodes -keyout vpn.company.com.key -out vpn.company.com.csr
    2. You'll have to enter some information: Country Code, State, City, Org. Name, Org. Unit, Common Name, Email, Password and Company Name
    3. This will generate two files, vpn.company.com.key and vpn.company.com.csr
    4. Sign into GoDaddy and sign the vpn.company.com.csr
    5. Choose Other when you download the CRT files. It should provide you with a your signed GoDaddy.crt and their public gd_bundle.crt.
    6. openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in GoDaddy.crt -inkey vpn.company.com.key -out vpn.company.com.pkcs12 -name vpn.company.com -passout pass:password

     

    for the record im totally noob in this certificate thing.

    thnx in advance.

  • In reply to Kevin Paulusse:

    I started (and now resolved) this threed on same subject but different, but very similar!

    https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/95348/import-crt-certificate

    My first issue was, the XG firewall did not know about the goDaddy UK CA (Certificate Authority), so had to overcome that first. Then I had to find 'the key'. Fortunately, I had already completed successfully on my SEA (Sophos Email Appliance) and was able to export both the certificate and key.

    When you do export, you get a single .pem file, which contains both the cert and key (open in Notepad in windows and you can copy and paste the text out to 2 separate files.

    If I did not have the SEA, I would have been stuck, as there was no way from the 2 certs from goDaddy to get the 'key'.

    For you, I think you need to import the certificate to something (Windows IIS), to be able to export (backup) the cert and key.

  • In reply to Paul Digby:

    Goodmorning Paul,

    We have the, .key and .cer file right now.
    when i try to add the certificate, this shows up

    when i enter the .cer and .key file it asks for a password that we didnt enter at the request.
    for the record we dont have any certificates on the sophos yet.

    regards.

  • In reply to Kevin Paulusse:

    When I first generated the csr, I too did not type in a password anywhere.

    I just typed in a password and it seemed to accept the upload

  • Hey Kevin,

    I had some issues with this in the past, but I hope I can help clear some things up. Note - my certificates were made through an internal CA.

    • Imported my internal CA certificate into Sophos
    • When you generate the CSR, you should receive a tar.gz file
    • The key file to use is the one that was generated in the tar file (<cert name>.key)
    • The password to use to import the certificate you generate is in the tar file (Password.txt)
      • If you don't choose to encrypt the certificate in the CSR, the password should be blank. I had troubles with this, so I just made a password
    • I don't remember which format I exported the certificate as, but you should be able to try both with the above information fairly quickly.
  • In reply to DavidLaClair:

    litle bit late reply, but thnx we will try this. certificate is still not installed.

  • hello,

    hate to necro a two-year-old thread, but maybe it'll help some future searcher.

    i was having a similar issue, where the page was giving me the "Certificate could not be uploaded due to invalid private key or passphrase. Choose a proper key" message.

    in my case, it turns out that the .key file that i had been uploading was encoded as UTF-8-BOM. i changed it to just UTF-8, and then the xg took it without issue.