
SFOS V18 breaks the Pocket Guide for using Digital Certificates in IPSEC VPN connections

I've noticed that in SFOS V18 downloaded certs are now in CRT instead of PEM format. Strangely enough, when you upload certificates into a V18 appliance it doesn't expect a CRT file. Additional work needs to be done with converters before it can be used. This is troublesome if you have many IPSEC site to site connections on V18 appliances, and it doesn't quite follow this guide either: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-Site-to-Site-VPN-Connection-using-Digital-Certificates_2.pdf

It would be good if V18 cert download behavior matched v17.



  • Hi,

    which certificates are you trying to download?

    My XG self signed downloads as a CRT, the XG default downloads as a PEM, one other XG CA downloads as a TAR.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello John,

    Adding to what has been mentioned.

    If you download a certificate from Certificates, it'll download as .crt, but it's encoded with PEM, so you can simply change the extension to .pem.

    If you download the Default Certificate from Certificate Authorities, it will download a .tar file that contains a .pem and a .der.

    If you download the SecurityAppliance_SSL_CA, it will be downloaded as a .pem.

    Regards


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
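The reply above says the .crt download is PEM-encoded and only needs a new extension. As an added example (not from the thread or from Sophos), this Python sketch checks a file's content before renaming it, and goes one step further by re-encoding DER input as PEM; the function names are hypothetical and the sample bytes are a constructed placeholder, not a real certificate.

```python
import ssl
from pathlib import PurePath

# Constructed placeholder: a well-formed DER SEQUENCE header plus 256 zero
# bytes. It has the outer shape of a certificate but is NOT a real one.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE, the outer shape of X.509."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")


def parse_cert(data: bytes):
    """Return (encoding, der_bytes), judged by content, never by extension."""
    if der_sequence_ok(data):
        return "der", data
    try:
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    except ValueError:                     # bad text, armor or base64
        return "unknown", b""
    return ("pem", der) if der_sequence_ok(der) else ("unknown", b"")


def normalise_for_upload(filename: str, data: bytes):
    """Return (name ending in .pem, PEM text); raise if not a certificate."""
    encoding, der = parse_cert(data)
    if encoding == "unknown":
        raise ValueError(f"{filename}: not a PEM or DER certificate")
    return PurePath(filename).with_suffix(".pem").name, ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    pem = ssl.DER_cert_to_PEM_cert(FAKE_DER).encode("ascii")
    for name, blob in [("site-a.crt", pem), ("site-b.crt", FAKE_DER)]:
        new_name, _ = normalise_for_upload(name, blob)
        print(name, "is", parse_cert(blob)[0], "->", new_name)
```

The structural check only confirms the outer encoding; it does not validate the certificate's fields, signature or trust chain.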
  • Ok. Thanks for the clarification. And yes, I am downloading self signed certs as per the guide. Do hope Sophos can standardize the behavior to avoid confusion. Also just got an email which basically is telling people XG is coming to an end in a few more years.... Product lifecycle seems to be getting shorter and shorter, which I assume ultimately is to boost sales under the guise of providing more performance and security.

  • They are moving to XGS.

    Ian

  • Yep, can see that. My customers who just migrated from Cyberoam to XG this year are absolutely thrilled to learn their purchase will not have any renewable support after 2023.

  • I expect you will find the new XGS software will run on some of the older boxes. Not XG 85 or 86 or 105 or 106.

    Ian

  • That'd be the absolute last resort, provided Sophos officially allows them to renew subscriptions for those after 2023. Our experience with Cyberoam has taught us it'd be a lot safer not to expect that though... hence the 'thrill' stemming from this recent memo.