
Adding a SSL Certificate (e.g. for the User Portal) does not work.

Hello. I would like to install an SSL certificate for my User Portal to avoid a certificate warning in the browser when accessing the User Portal via the Internet (https).

I already know this tutorial:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

I would like to access the Portal from this url (example): https://firewall.domain.de:4442

These are the steps I did:

I generated a CSR (like this example):

Do I have to receive an e-mail when using the Certificate ID as e-mail type? I did not receive an e-mail, by the way.

Then I used the CSR to order a Comodo PositiveSSL certificate.


After I received the PEM file from Comodo, I wanted to import the cert.

I choose "Import" on the CSR, then choose the PEM file as "Only certificate" and import it.

After the import I see the message that the certificate is not valid or installed.


I can edit the certificate and choose the PEM file once again. By the way, I don't have a private key yet. Do I need the private key? If yes, how do I generate/receive the private key?


When I save the certificate information, the certificate still remains invalid.


Maybe someone has advice on what's wrong or missing? Thanks a lot!


BTW: I am using a freshly installed, registered XG version 18.0.5 MR-5.



  • Oh, you are right, missed the concept in the new one. 

    In MR5 and above, you have the CSR:

    There is an option to download the CSR as PEM (or text). We killed the option to download the private key, as the private key is stored by the XG and actually does not have to leave the appliance for whatever reason.

    If you got your PEM from the CA, you need to press the option on the left called "Import".

    It will give you the option to import the signed certificate based on this CSR.

    If you upload the PEM to the appliance via the normal process of "Add certificate", it will not match the CSR.

  • But this is exactly the way I did it in the first place...

    Now I have deleted the certificate that was active but that I couldn't see and choose for the portals,
    and created a new CSR request called "Portal-SSL":

    "The key file, which is no longer directly downloadable via the Sophos Admin Portal, can be copied via SSH from the following
    path: /conf/certificate/private/portal-ssl.key"

    With the new CSR I created/ordered a new Comodo SSL certificate (as PEM file).

    By now I have the new PEM file and the key file from the XG via SSH/CLI.

    But what do I do now? Do I import the certificate (PEM file) via the CSR import function?

    If I do it this way, I can only choose the PEM file but not the key file.



    Or should I rather choose the way of adding the certificate via "Add certificate"?

    If I did so, I could choose the certificate (PEM file) and the key file.

    Which name should I choose? The same as the CSR? And which password?



    If this is the right way, why is there also an import option for the CSR (without the key file)? And if the import process is the right way,
    why didn't it work for me?

    I am pretty confused...

  • It should work by uploading the PEM provided by the CA to the import option. Simply upload the PEM. The key never leaves the firewall and is not required. The firewall holds the key.


  • Okay, finally it works! :) Thanks for the help!

    But before importing the certificate, the 'Sectigo RSA Domain Validation Secure Server CA' has to be downloaded and installed under Certificate authorities, otherwise my SSL certificate won't become active, right?
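Two things in this thread are worth checking offline before touching the firewall: that the PEM the CA sent back really belongs to the CSR (and therefore to the private key the appliance kept), which is why "Add certificate" with a stray key fails while "Import" on the CSR works, and that the certificate chains through the Sectigo intermediate, which is the CA the last reply had to install first. The script below is an added example, not from the thread or from Sophos's tooling; it assumes the `openssl` CLI is in PATH, and all file names, the demo CA names and the host `firewall.domain.de` are made up for the demo (it builds its own throw-away root, intermediate and portal certificate so it runs without any real CA).

```shell
#!/bin/sh
# Added example (not Sophos code): check a CA-issued certificate against the CSR
# it was ordered with, against a private key, and against a CA bundle.
# Assumes the openssl CLI. All names are made up for the demo.
set -eu

# SHA-256 of the public key (SubjectPublicKeyInfo) carried by a PEM file.
pubkey_fp_cert() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_fp_csr()  { openssl req  -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_fp_key()  { openssl pkey -in "$1" -pubout        | openssl dgst -sha256 | awk '{print $NF}'; }

# 0 when the certificate was issued for this CSR, i.e. "Import" on that CSR
# will match; 1 when it was ordered with a different (e.g. deleted) CSR.
cert_matches_csr() { [ "$(pubkey_fp_cert "$1")" = "$(pubkey_fp_csr "$2")" ]; }

# 0 when the certificate belongs to this private key (e.g. a key copied off the
# appliance via SSH), which is what "Add certificate" needs to succeed.
cert_matches_key() { [ "$(pubkey_fp_cert "$1")" = "$(pubkey_fp_key "$2")" ]; }

# 0 when the certificate validates against the CA bundle (PEM with root and
# intermediate). Fails with "unable to get local issuer certificate" when the
# intermediate is missing, the situation the last reply ran into.
cert_chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Build a throw-away PKI in $1 mimicking the Sectigo layout:
# root -> intermediate -> portal certificate issued from a CSR.
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:firewall.domain.de\n' > "$d/leaf.ext"
  openssl req -x509 -config "$d/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # the CSR the appliance hands you; its key stays beside it and is never uploaded
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=firewall.domain.de' \
    -keyout "$d/portal-ssl.key" -out "$d/portal-ssl.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/portal-ssl.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/portal-ssl.crt" 2>/dev/null
  # a second CSR standing in for one that was deleted and re-created
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj '/CN=firewall.domain.de' \
    -keyout "$d/old.key" -out "$d/old.csr" 2>/dev/null
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}

demo() {
  w=$(mktemp -d)
  make_demo_pki "$w"
  cert_matches_csr "$w/portal-ssl.crt" "$w/portal-ssl.csr" && echo "cert matches its CSR"
  cert_matches_key "$w/portal-ssl.crt" "$w/portal-ssl.key" && echo "cert matches its private key"
  cert_matches_csr "$w/portal-ssl.crt" "$w/old.csr" || echo "cert does NOT match a different CSR"
  cert_chain_ok "$w/portal-ssl.crt" "$w/chain.pem" && echo "chain OK with intermediate"
  cert_chain_ok "$w/portal-ssl.crt" "$w/root.crt" || echo "chain FAILS without intermediate"
  rm -rf "$w"
}
demo
```

To apply it to a real order, point `cert_matches_csr` at the PEM from the CA and the CSR downloaded from the firewall, and `cert_chain_ok` at a bundle made of the CA's intermediate plus its root. After the import, `openssl s_client -connect firewall.domain.de:4442 -showcerts` shows which certificates the portal actually serves, so you can see whether the intermediate is being sent to browsers.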