
SSL VPN Certificate default or paid. safe?

Hi, I'm using SSL VPN with the Sophos SSL cert.

My question is: do I lose security by using the Sophos cert and not a paid SSL cert?

Doesn't Sophos use the same SSL cert on all firewalls? Or does each firewall have its own self-signed cert?



  • Hi David, Welcome to the Sophos Community.

    You don't lose any security by using the Sophos Certificate.

    All the certificates on XG are signed by "Default CA", and these are distinct for each appliance, with their own private key. Even if you generate the self-signed cert from the appliance, it gets signed by the "Default CA" of that specific appliance.

    If you're concerned with the security error that you get when you attempt to access the firewall web-admin or captive portal or user portal, it is because the Appliance Certificate which is used for these portals is signed by the same private CA present on the firewall; hence it's not trusted by the browsers, as they only trust well-known CAs.

    You can get rid of that error using any third-party certificate signed by a well-known CA, or you can also generate a self-signed cert on the firewall with the same CN (Common Name) by which you access the firewall (mostly IP addresses) and import the Default CA into the end device to trust it.

    Hope this helps :)


    Devesh Mishra
    Community Support Engineer | Sophos Technical Support
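A way to see the trust behaviour Devesh describes, as an added shell example that is not from the post or from Sophos: it builds two stand-in appliances, each with its own "Default CA" and private key, issues a portal certificate from appliance A for the address used to reach it, and then checks what a client trusts depending on which CA it imported and which address it used. The CA names and the addresses 192.0.2.1 and 198.51.100.9 are constructed, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not from the forum post or from Sophos): two stand-in
# appliances, each with its own "Default CA" and private key, and a portal
# certificate issued by appliance A for the address used to reach it.
# Assumes openssl is on PATH. Addresses and CA names are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"
ADDR="192.0.2.1"   # constructed: the address typed into the browser for web-admin

# One private CA per appliance, each with its own key (never shared).
for appliance in a b; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Appliance $appliance Default CA" \
    -keyout "ca_$appliance.key" -out "ca_$appliance.crt" >/dev/null 2>&1
done

# Appliance A issues its portal certificate with CN and SAN set to the address.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$ADDR" \
  -keyout portal.key -out portal.csr >/dev/null 2>&1
printf 'subjectAltName=IP:%s\n' "$ADDR" > san.ext
openssl x509 -req -in portal.csr -CA ca_a.crt -CAkey ca_a.key -CAcreateserial \
  -days 365 -extfile san.ext -out portal.crt >/dev/null 2>&1

# What a client sees: $1 = the CA it has imported, $2 = the address it used.
# The default system trust store is skipped, so the only trusted CA is $1.
verify_portal() {
  if openssl verify -CAfile "$1" -no-CAfile -no-CApath \
       -verify_ip "$2" portal.crt >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Client that imported appliance A's Default CA and used the matching address.
verify_portal ca_a.crt "$ADDR"          # trusted
# Client that imported appliance B's Default CA: a distinct CA, so not trusted.
verify_portal ca_b.crt "$ADDR"          # untrusted
# Right CA, but reached by an address that is not the certificate's CN/SAN.
verify_portal ca_a.crt 198.51.100.9     # untrusted
```

The third case is why the CN (and SAN) on a self-signed cert must be the exact address you browse to: importing the Default CA alone does not clear the warning if the name does not match.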