
Installed new certificate and CA, but cannot select it to be used for admin login or user portal

I have added a wildcard certificate purchased from Comodo to my certificate list, along with the CA. The certificate shows the green checkbox under Authority in the certificate list. However, when I navigate to "Administration > Admin settings" the only option I can choose under "Certificate" is ApplianceCertificate.

Also when I go to SSL VPN settings the only certificate I can select is ApplianceCertificate also. 

What step am I missing to use my proper certificate for the web portals?

  • Schlippety,

    make sure you upload the CA and all Intermediate CA before uploading the certificate.

    Regards

  • Thanks, I double checked that the 3 CAs provided by Comodo were added, then deleted and re-added the certificate with the same result. I have the green check mark, but it doesn't show up in any of the lists to select as the certificate for VPN or admin portals.

  • Did you upload the passphrase?

    What format is the Certificate?

  • X.509 PEM format. I have tried with and without using the passphrase that I used during the CSR, no difference. Both generate the green checkmark, but fail to populate the dropdowns. I've also rebooted the device.

  • If you cannot select it, something is missing.

    Did you generate the CSR on XG or outside?

    If you created the CSR somewhere else, you also need to upload the private key.

  • Yes, I did generate the CSR from the Sophos interface.

  • Delete everything and upload the CA and any intermediate CA then upload the CA.

    While you perform these steps, connect to the XG advanced shell (option 5 > 3) and type:

    tail -f /log/*.log | grep -i certificate

    Regards

  • Thanks, see below

    XG210_WP03_SFOS 17.5.10 MR-10# tail -f /log/*.log | grep -i certificate
    2020-03-16 14:51:58 19[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:53:02 30[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:53:41 14[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:54:02 27[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:54:28 18[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    [Mon Mar 16 14:54:28.610115 2020] [ssl:warn] [pid 7120:tid 4143356224] AH01909: manage.cyberoam:65004:0 server certificate does NOT include an ID which matches the server name
    [Mon Mar 16 14:54:28.679292 2020] [ssl:warn] [pid 7120:tid 4143356224] AH01909: manage.cyberoam:65003:0 server certificate does NOT include an ID which matches the server name
    WARNING: Skipping expired Certificate Equifax_Secure_CA.pem
    WARNING: Skipping expired Certificate STATIC_ValiCert_Inc_ValiCert_Class_2_Policy_Validation_Authority.pem
    WARNING: Skipping expired Certificate STATIC_VeriSign_Inc_VeriSign_Class_3_International_Server_CA_-_G3.pem
    WARNING: Skipping expired Certificate RSA_Root_Certificate_1.pem
    WARNING: Skipping expired Certificate Certplus_Class_2_Primary_CA.pem
    WARNING: Skipping expired Certificate STATIC_ValiCert_Inc_ValiCert_Class_1_Policy_Validation_Authority.pem
    WARNING: Skipping expired Certificate GeoTrust_Global_CA_2.pem
    WARNING: Skipping expired Certificate NetLock_Express_Class_C_Root.pem
    WARNING: Skipping duplicate certificate comodo-root.pem
    WARNING: Skipping expired Certificate Deutsche_Telekom_Root_CA_2.pem
    Key for read :certificateid
    'client_cert_file' => '/conf/certificate/myuser_170D4DEDFF2.pem',
    'client_key_file' => '/conf/certificate/private/myuser_170D4DEDFF2.key',
    2020-03-16 14:53:02 30[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:53:41 14[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:54:02 27[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2020-03-16 14:54:28 18[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    ********** Entity json validation log End FOR :16-3-2020 14:54:28 Objectname=system::certificate
    ==> /log/vpncertificate.log <==
    CA id for ApplianceCertificate.pem is :1
    caid for certificate mydomain-wildcard is :208
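The advice in this thread comes down to three things the appliance cannot tell you from a green check mark: the uploaded private key must belong to the certificate, the CA bundle must actually chain to it, and the name clients use must be in its SAN (the AH01909 warning in the log above is what the last one looks like when it is not). The script below is an added example, not code from the thread or from Sophos, that runs those three checks with the openssl CLI before you upload anything; the file names, the constructed test PKI and the `*.example.test` wildcard are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): pre-flight checks on a
# server certificate, its private key and its CA bundle before uploading them
# to the appliance. Needs the openssl CLI; file names are whatever you pass in.

# check_cert_bundle LEAF.pem KEY.pem CABUNDLE.pem HOSTNAME
# Returns 0 only when the key belongs to the leaf, the bundle (root plus any
# intermediates) verifies the leaf, and HOSTNAME is covered by the leaf's SAN.
check_cert_bundle() {
  leaf=$1; key=$2; bundle=$3; host=$4
  # 1. Private key vs certificate: compare the SubjectPublicKeyInfo of each.
  pub_cert=$(openssl x509 -in "$leaf" -noout -pubkey) || return 1
  pub_key=$(openssl pkey -in "$key" -pubout) || return 1
  if [ "$pub_cert" != "$pub_key" ]; then
    echo "private key does not match $leaf" >&2; return 1
  fi
  # 2. Chain: -untrusted lets intermediates sit in the same file as the root.
  openssl verify -CAfile "$bundle" -untrusted "$bundle" "$leaf" >/dev/null 2>&1 ||
    { echo "$bundle does not verify $leaf (missing intermediate?)" >&2; return 1; }
  # 3. Name: a mismatch here is what produces the AH01909 warning on the appliance.
  openssl verify -CAfile "$bundle" -untrusted "$bundle" \
    -verify_hostname "$host" "$leaf" >/dev/null 2>&1 ||
    { echo "$host is not covered by the SAN of $leaf" >&2; return 1; }
  return 0
}

# Constructed throwaway PKI (one root, one wildcard leaf, one unrelated key) so
# the checks can be exercised offline; DIR receives root.crt, leaf.crt,
# leaf.key and wrong.key. Nothing here is a real CA.
make_test_pki() {
  d=$1
  mkdir -p "$d" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:*.example.test\nbasicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null || return 1
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
}

if [ "$#" -eq 4 ]; then
  check_cert_bundle "$@" && echo "bundle OK: key, chain and hostname are consistent"
fi
```

Run it as `sh check.sh wildcard.pem wildcard.key comodo-bundle.pem portal.example.com` against the files you intend to upload; a non-zero exit with the reason on stderr tells you which of the three pieces is wrong before the appliance silently leaves the certificate out of its dropdowns.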
