Using the same HTTPS Scanning CA on multiple XG Firewalls

Hi,

are the sites linked? Are there multiple domains involved? Do you use some form of AD for authentication? Will the certificate be setup for the customers domain?

Ian

Surprisingly, I believe you can, Ahmed.

I have two XG230s (on two sites) and the RootCertificate.pem that clients must download and install into their Trusted Root Authorities look exactly the same.

I'm guessing the private-key (the XGs use to sign your self-generated certificate) is the same.

Apologies, I believe you have to generate a self-signed certificate on each XG.

Certificates > Certificates > Add > Generate self-signed certificate

So, technically the certificate doing the encryption on each XG is different.

But the RootCertificate.pem that the clients need to install, and create the trust, is the same.

I'm a bit new to this myself so happy to be corrected if wrong.

Hi,

should be possible.

https://community.sophos.com/kb/en-us/123003

Use an external HTTPs CA and upload it to each XG. 

Cheers

rfcat_vk

The sites are not linked. I am asking about HTTPS Scanning CA that is used for HTTPS Decryption and Scanning in the policies, how is it related to the customer domain.

Mathew Edwards

The generated self-signed certificate can't be configured as HTTPS Scanning

Is it possible to export the CA from one XG and upload it to the others?

If not, how do I create a CA to use it for HTTPS Scanning and add it to all the XG Firewalls?

Any suggestions on how to achieve this?

Would like to suggest this as a solution.

How do I achieve this if I don't have Certificate Infrastructure?

Is it possible to copy the CA from one XG and upload to the other XG?

You can use OPSWAT which has multiscanning (SOPHOS included) to scan multiple instances within your network. This is true even if you have physical devices/proxies around the world.

Please explain what your post has to do with this thread?

Ian