
Adding an SSL Certificate (e.g. for the User Portal) does not work.

Hello. I would like to install an SSL certificate for my User Portal to avoid a certificate warning in the browser when accessing the User Portal via the Internet (https).

I already know this Tutorial:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

 
I would like to access the Portal from this url (example): https://firewall.domain.de:4442

I did the following steps:

 I'm generating a CSR (like this example):

Do I have to receive an e-mail when using the Certificate ID with the E-Mail type? I did not receive an e-mail, by the way.

Then I use the CSR to order a Comodo PositiveSSL Certificate.


After I received the PEM file from Comodo, I would like to import the cert.

I choose "Import" on the CSR and then choose the PEM File as "only Certificate" and Import it.

After the import I see the message that the certificate is not valid or installed.

 

I can edit the certificate and choose the PEM file once again. By the way, I don't have a private key yet. Do I need the private key? If yes, how do I generate/receive the private key?

  

When I save the certificate information, the certificate still remains invalid.


Maybe someone has some advice on what's wrong or missing? Thanks a lot!

 

BTW: I am using a freshly installed, registered XG version 18.0.5 MR-5.



  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Did you try to import 'Sectigo RSA Domain Validation Secure Server CA' under certificate authorities?

    Knowledge: How to Download & Install Sectigo Intermediate Certificates - RSA

    • No, I did not. Is this part of the usual process to create a CSR for an SSL certificate and to import the PEM file/certificate to the XG?

      • I just installed that "Sectigo RSA CERT" and now my SSL certificate seems to be valid.

        How come?

        Now I have another problem... ;)

        How can I add this certificate to the Admin and User Portal?



        • FormerMember
          0 FormerMember in reply to Markus Schneider

          Yes, you can generate a CSR on XG and provide it to any 3rd party CA to get the user certificate. Once you import the user certificate on XG, the certificate will be signed/trusted by the CA (default CA list or 3rd party CA imported).

          • FormerMember
            0 FormerMember in reply to Markus Schneider

            I'd suggest to redo the process once.

            Generate CSR > get the user certificate from Comodo > import 'Sectigo RSA Domain Validation Secure Server CA' and, at last, import the user certificate (PEM) received from Comodo on the CSR.

            • Thanks for your help!

              I did the process again... The certificate is visible under certificates and seems to be activated.

              But it's still not possible to choose this certificate for the Admin and User Portal:

              Just the "ApplianceCertificate" appears...

              • You are missing the private key, aren't you? Did you get a private key? Without a private key, the appliance cannot "use" the certificate for its own usage.

                __________________________________________________________________________________________________________________

                • Yes, I don't have a private key. Where do I find/get the private key?

                  I read that if I create the CSR on the XG, I don't need to import the private key?

                  • The CSR will generate a cert with private key. You should get this from your CA. If not, you will not have the option to use the certificate at all.

                    Certs without a private key are to validate the certificate, not to use them.

                    __________________________________________________________________________________________________________________

                    • I generated the CSR in the XG, so the XG should be my CA, shouldn't it? Where do I find the private key in the CA of the XG, or how do I get the key from the XG?

                      Or what is the easiest way to get a SSL Certificate for the Admin/User Portal?

                      • Hi. According to the manual you should have had the possibility to download the private.key, after you created the CSR.

                        https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificateSigningRequestGenerate.html

                        > Download the CSR using the download button.

                        > The download button is highlighted below.


                        > Your downloaded CSR package should include the:

                        • CSR in .csr format.
                        • Private key in .key format.
                        • Password in .txt format.

                        The contents of the CSR are shown below, your own file names will match those entered in the certificate details section previously.

                        Did you download the package?

                        • This changed after V18.0 MR5 due to compliance issues.

                          https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

                          Certificate signing requests (CSRs) and certificates

                          • Streamlined forms and multiple SANs: Updated the forms for creating CSRs and certificates to allow more flexibility in adding Subject Alternative Names using DNS names and IP addresses, and removed unnecessary inputs.
                          • Security enhancements: Addressed security concerns by preventing the download of private key material for CSRs and locally-signed certificates.
                          • Upload, download, import: Provided new dialog boxes to allow CSR retrieval, and certificate upload for signing certificates (CAs) and leaf certificates. The boxes allow you to copy-paste PEM format certificates in addition to the DER, PKCS and PEM file transfer.
                          • Locally-signed certificates: Self-signed certificates have been renamed locally-signed certificates.
                          • Download format: CSRs and certificates can be downloaded as .csr and .crt files, respectively. They can't be downloaded as tar.gz files any longer.
                          • Certificate with CA: Provided the option to add the certificate's CA to the CA list, using the same name when importing certificates with CA.
                          • Workflow: Improvements to workflows and lists to make certificate management more intuitive.

                          __________________________________________________________________________________________________________________
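
The two conditions this thread turns on, checked offline with `openssl` as an added example (not part of the original posts and not Sophos tooling): the leaf only validates once the issuing intermediate CA is available, and a certificate is only usable by whoever holds the private key whose public half is in the CSR. The root, intermediate and leaf below are constructed throwaways standing in for the CA's root, the Sectigo intermediate and the firewall's certificate; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: every key, CSR and certificate here is a constructed throwaway.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
  '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$W/o.cnf"

# newreq NAME CN: new private key + CSR (what the device does when it generates a CSR)
newreq() {
  openssl req -new -config "$W/o.cnf" -newkey rsa:2048 -nodes \
    -keyout "$W/$1.key" -out "$W/$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign NAME ISSUER [extra x509 args]: issue NAME.crt from NAME.csr
sign() {
  n=$1; i=$2; shift 2
  openssl x509 -req -in "$W/$n.csr" -CA "$W/$i.crt" -CAkey "$W/$i.key" \
    -CAcreateserial -days 30 -out "$W/$n.crt" "$@" 2>/dev/null
}

newreq root "Constructed Root CA"
openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 30 \
  -extfile "$W/o.cnf" -extensions v3_ca -out "$W/root.crt" 2>/dev/null
newreq int "Constructed Intermediate CA"
sign int root -extfile "$W/o.cnf" -extensions v3_ca
newreq fw "firewall.domain.de"   # key stays where the CSR was generated
sign fw int                      # what the CA sends back: certificate only

# chain_ok LEAF [INTERMEDIATE]: does LEAF chain up to the trusted root?
chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$W/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$W/root.crt" "$1" >/dev/null 2>&1
  fi
}
# pubfp KIND FILE: SHA-256 of the public key in a cert (x509), CSR (req) or key (pkey)
pubfp() {
  case $1 in
    pkey) openssl pkey -in "$2" -pubout ;;
    *)    openssl "$1" -in "$2" -noout -pubkey ;;
  esac | openssl sha256
}
same_key() { [ "$(pubfp "$1" "$2")" = "$(pubfp "$3" "$4")" ]; }

chain_ok "$W/fw.crt" || echo "leaf alone: not valid (issuing intermediate missing)"
chain_ok "$W/fw.crt" "$W/int.crt" && echo "leaf + intermediate: chain verifies"
same_key x509 "$W/fw.crt" req "$W/fw.csr" && echo "certificate matches the CSR"
same_key x509 "$W/fw.crt" pkey "$W/int.key" || echo "unrelated key: no match"
```

Comparing the issued certificate against the CSR this way confirms the CA signed the right request without the private key ever leaving the device that generated it.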