This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Adding a SSL Certificate (e.g. for the User Portal) does not work.

Hello. I would like to install a SSL Certificate for my User Portal to avoid a Certificate Warning in the Browser by accessing the User Portal via Internet (https).

I already know this Tutorial:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

I would like to access the Portal from this url (example): https://firewall.domain.de:4442

Followings Steps i did:

I'm generating a CSR (like this example):

Do i have to receive an E-Mail with using the Certificate ID as E-Mail Type? I did not receive an E-Mail by the way.

Then I use the CSR to order a Comodo PositiveSSL Certificate.

After i received the PEM File from Comodo i would like to import the Cert.

I choose "Import" on the CSR and then choose the PEM File as "only Certificate" and Import it.

After the import i see the message, that the certficate is not valid or installed.

I can edit the Certficate and choose the PEM File once again. By the Way, I don't have a Privat Key yet. Do i need the private Key? If yes, how do i generate/receive the private Key?

When i save the Certficate-Informations then the Certificate will still remain invalid.

Maybe someone has an advice, whats wrong or missing? Thanks alot!

BTW.: I am using a fresh installed, registered XG Version 18.0.5 MR-5

This thread was automatically locked due to age.

Top Replies

FormerMember over 2 years ago +2 suggested

Hi Markus Schneider , Thank you for reaching out to Sophos Community. Did you try to import ' Sectigo RSA Domain Validation Secure Server CA' under certificate authorities? Knowledge: How to Download…

Parents

0 FormerMember over 2 years ago

Hi Markus Schneider,

Thank you for reaching out to Sophos Community.

Did you try to import 'Sectigo RSA Domain Validation Secure Server CA' under certificate authorities?

Knowledge: How to Download & Install Sectigo Intermediate Certificates - RSA
Cancel
Vote Up +2 Vote Down

Cancel
0 Markus Schneider over 2 years ago in reply to FormerMember

No i did not. Is this part of the usual process to create a CSR for a SSL Certificate and to import the PEM File/Certificate to the XG?
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Schneider over 2 years ago in reply to Markus Schneider

I just installed that "Sectigo RSA CERT" and now my SSL Certificate seems to be valid.

How comes?

Now i got another Problem.... ;)

How can i add this Certificate to the Admin- and User Portal?
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to Markus Schneider

Yes, you can generate CSR on XG and can provide it to any 3rd party CA to get the user certificate. Once you import the user certificate on XG, the certificate will be signed/trusted by the CA(default CA list or 3rd party CA imported).
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 2 years ago in reply to Markus Schneider

I'd suggest to redo the process once.

Generate CSR > get the user certificate from Comodo > Import 'Sectigo RSA Domain Validation Secure Server CA' and at last import user certificate(PEM) received from comodo on CSR
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Schneider over 2 years ago in reply to FormerMember

Thanks for your help!

I did the process again... The Certificate is visible under certificates and seems to be activated.

But still its not possible to choose this certificate for the Admin and User Portal:

Just the "ApplianceCertifcate" appears...
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Markus Schneider

You are missing the privat key, isnt it? Did you get a private key? without private key, the appliance cannot "use" the certificate for own usage.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 2 years ago in reply to Markus Schneider

You are missing the privat key, isnt it? Did you get a private key? without private key, the appliance cannot "use" the certificate for own usage.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Markus Schneider over 2 years ago in reply to LuCar Toni

Yes i dont have a private Key. Where do i find/get the private Key?

I read that if i create the CSR on the XG, that i dont need to import the private Key?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Markus Schneider

The CSR will generate a cert with private key. You should get this from your CA. If not, you will not have the the option to use the certificate at all.

certs without private key are to validate the certificate, not to use them.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Schneider over 2 years ago in reply to LuCar Toni

I generated the CSR in the XG so the XG should be my CA, isnt it? Where do i find the private Key in the CA of the XG or get the key from the XG?

Or what is the easiest way to get a SSL Certificate for the Admin/User Portal?
Cancel
Vote Up 0 Vote Down

Cancel
0 Nafets over 2 years ago in reply to Markus Schneider
Hi. According to the manual you should have had the possibility to download the private.key, after you created the CSR.

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificateSigningRequestGenerate.html

> Download the CSR using the download button.

> The download button is highlighted below.

> Your downloaded CSR package should include the:

CSR in .csr format.

Private key in .key format.

Password in .txt format.

The contents of the CSR are shown below, your own file names will match those entered in the certificate details section previously.

Did you download the package?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Nafets
This changed after V18.0 MR5 due compliance issues.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

Certificate signing requests (CSRs) and certificates

Streamlined forms and multiple SANs: Updated the forms for creating CSRs and certificates to allow more flexibility in adding Subject Alternative Names using DNS names and IP addresses, and removed unnecessary inputs.

Security enhancements: Addressed security concerns by preventing the download of private key material for CSRs and locally-signed certificates.

Upload, download, import: Provided new dialog boxes to allow CSR retrieval, and certificate upload for signing certificates (CAs) and leaf certificates. The boxes allow you to copy-paste PEM format certificates in addition to the DER, PKCS and PEM file transfer.

Locally-signed certificates: Self-signed certificates have been renamed locally-signed certificates.

Download format: CSRs and certificates can be downloaded as .csr and .crt files, respectively. They can't be downloaded as tar.gz files any longer.

Certificate with CA: Provided the option to add the certificate's CA to the CA list, using the same name when importing certificates with CA.

Workflow: Improvements to workflows and lists to make certificate management more intuitive.
__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel
0 Nafets over 2 years ago in reply to LuCar Toni

Thanks Luca. But how the customer is now getting the private key in order to use it on another server?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Nafets

You do not need a private key for a CSR. CAs can generate all information with the CSR provided by the XG. There is no need to export the private key on this step.

https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Cancel
0 Nafets over 2 years ago in reply to LuCar Toni

Yes, but with the CSR, you get the privat key of the certificate, which you get from your CA.
And then, you want to use this certificate on your internal server, you need the certificate from the CA and the corresponding private key file you generated on CSR creation - right?
Cancel
Vote Up 0 Vote Down

Cancel
0 Markus Schneider over 2 years ago in reply to Nafets

There has not been a Key File neither a password if you download the File after creating a CSR. Just the CSR Request Code.
But you dont really need to download that because you can simply copy/paste it.

So how do i find the private Key for that CSR and how do i use it to finally select the generated Certificate for the Portal?
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 2 years ago in reply to Markus Schneider

You do not need a private key for a CSR.

You need to figure out, how to download the Key from your CA website. CSR is used to generate a Certificate + Private key. The private key and Cert is provided by your CA and not XG:

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Adding a SSL Certificate (e.g. for the User Portal) does not work.

Top Replies

Certificate signing requests (CSRs) and certificates