
Replacing the self-created certificate with a publicly signed one

Hi,

I have a question about replacing the SSL certificates.

Background: We have a self-signed certificate (let's call it mdm.blubb.de). It no longer meets the requirements for iOS 13, so we now have problems with the iPhones.

We have now decided to buy a publicly signed certificate (mdm.blubb.de). I have uploaded it under "Sophos setup", SSL/TLS, to make the certificate known before I activate it via the certificate wizard.

How can I make sure that all existing devices (iOS 12 and Android 9) have received the new certificate, or know it, before I switch the certificate over?
When I click on Devices and look under Certificates, only the self-signed one is listed. The new one does not appear there. It has already been 2 days and still nothing has happened.
Is it possible to push the whole thing? Or am I perhaps just looking in the wrong place? Where do I see the certificates on Android?

Thanks and regards

Sascha



This thread was automatically locked due to age.
  • Hi  

    I would recommend you to go through this article. You need to activate the new certificate to make it available to devices.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Thank you for the information. But how/where can I check that the iPhone/Android devices get the new certificate hash?


    rgds

    Sascha

  • Hi  

    You can check on the Sophos Mobile server if it is using a self-signed certificate; you can use external SSL check tools like SSL Checker. If the Sophos Mobile server recognizes that a client app is not able to establish a connection, it will send out the certificate hash to the client app in question. The Sophos Mobile Control app should automatically receive the new certificate hash using the GCM and APNS protocols.

    Identifying problematic devices and possible solution

    If the above is given and the warning email is still sent out, the problematic devices have to be identified.
    To do this, the server.log can be searched for the following string: requested certificate hashes

    As a result, a logline similar to this should be found:

    WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times

    Using the device ID the affected device can be looked up within the Sophos Mobile web console. To do this, follow the steps below.

    1. Log in to the Sophos Mobile customer which is used to manage devices
    2. Go to the Devices section and click on an Android device to show the details of the device
    3. Within the browser bar, change the ID to the one found in the log file
      1. If nothing is presented, repeat the procedure with an iOS device
    4. As soon as a device is shown, try to send a message to the device via the Actions
    5. Together with the message, the device will also receive the list of the new certificate hashes.
    6. Once received, the connection should work again

    Let us know if you have any further concerns. 

    Shweta

    Community Support Engineer | Sophos Technical Support
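The log search described in the reply above, as an added example that is not part of the original post and is not Sophos code: it scans server.log lines for the quoted message and returns the device IDs to look up in the web console. The timestamps, the extra device IDs and the assumption that the reported count is a running total are constructed for illustration.

```python
import re

# Pattern built from the log line quoted in the reply above.
HASH_REQUEST = re.compile(
    r"CertificateRequestCache\].*?device with id (?P<id>\d+) "
    r"has requested the certificate hashes (?P<count>\d+) times"
)

# Constructed sample input: timestamps and all IDs except 1234 are made up.
SAMPLE_LOG = """\
2019-10-01 08:12:03,101 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 5 times
2019-10-01 08:12:09,440 INFO [org.example.Unrelated] (default task-12) heartbeat ok
2019-10-01 08:13:40,007 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-17) device with id 2071 has requested the certificate hashes 2 times
2019-10-01 08:15:22,913 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-354) device with id 1234 has requested the certificate hashes 6 times
2019-10-01 08:16:01,250 WARN [com.sophos.mobilecontrol.server.clientapi.backend.app.v2.certhash.CertificateRequestCache] (default task-90) device with id 88 has requested the certificate hashes 1 times
"""


def devices_requesting_hashes(lines, min_requests=1):
    """Return [(device_id, highest_count, line_no)], most requests first.

    Assumption: the count in the message grows over time, so the highest
    value seen per device is kept together with the line it came from.
    """
    seen = {}
    for line_no, line in enumerate(lines, start=1):
        match = HASH_REQUEST.search(line)
        if match is None:
            continue  # unrelated log line
        device_id, count = int(match["id"]), int(match["count"])
        previous = seen.get(device_id)
        if previous is None or count >= previous[0]:
            seen[device_id] = (count, line_no)
    rows = [(d, c, n) for d, (c, n) in seen.items() if c >= min_requests]
    # Devices that asked most often are the ones still failing to connect.
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    # For a real server, replace SAMPLE_LOG.splitlines() with open("server.log").
    for device_id, count, line_no in devices_requesting_hashes(SAMPLE_LOG.splitlines()):
        print(f"device id {device_id}: {count} requests (log line {line_no})")
```

Each ID returned is the value to put into the browser bar in step 3 of the procedure.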