
Adding an SSL Certificate (e.g. for the User Portal) does not work.

Hello. I would like to install an SSL certificate for my User Portal to avoid a certificate warning in the browser when accessing the User Portal via the Internet (https).

I already know this tutorial:

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/tasks/CertificatesSigningRequestGenerate.html

I would like to access the portal from this URL (example): https://firewall.domain.de:4442

These are the steps I did:

I'm generating a CSR (like this example):

Do I have to receive an e-mail when using the certificate ID as the e-mail type? I did not receive an e-mail, by the way.

Then I use the CSR to order a Comodo PositiveSSL Certificate.


After I received the PEM file from Comodo, I would like to import the cert.

I choose "Import" on the CSR and then choose the PEM file as "only Certificate" and import it.

After the import I see the message that the certificate is not valid or installed.


I can edit the certificate and choose the PEM file once again. By the way, I don't have a private key yet. Do I need the private key? If yes, how do I generate/receive the private key?


When I save the certificate information, the certificate still remains invalid.


Maybe someone has advice on what's wrong or missing? Thanks a lot!


BTW: I am using a freshly installed, registered XG version 18.0.5 MR-5.



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Did you try to import 'Sectigo RSA Domain Validation Secure Server CA' under certificate authorities?

    Knowledge: How to Download & Install Sectigo Intermediate Certificates - RSA

  • No, I did not. Is this part of the usual process to create a CSR for an SSL certificate and import the PEM file/certificate to the XG?

  • Thanks Luca. But how does the customer now get the private key in order to use it on another server?

  • You do not need a private key for a CSR. CAs can generate all information with the CSR provided by the XG. There is no need to export the private key at this step.

    https://www.globalsign.com/en/blog/what-is-a-certificate-signing-request-csr


  • Yes, but with the CSR, you get the private key of the certificate, which you get from your CA.
    And then, when you want to use this certificate on your internal server, you need the certificate from the CA and the corresponding private key file you generated on CSR creation, right?

  • There has been neither a key file nor a password when you download the file after creating a CSR. Just the CSR request code.
    But you don't really need to download that because you can simply copy/paste it.

    So how do I find the private key for that CSR and how do I use it to finally select the generated certificate for the portal?

  • You do not need a private key for a CSR.

    You need to figure out how to download the key from your CA website. The CSR is used to generate a certificate + private key. The private key and cert are provided by your CA and not the XG:


  • Sorry, but I think you are wrong. The owner of a certificate creates the private key file locally in the CSR creation process! It would be a very high security risk if a CA had all the private keys of their customers' certificates!

  • Oh, you are right, I missed the concept in the new one.

    In MR5 and above, you have the CSR: 

    There is an option to download the CSR as PEM (or text). We killed the option to download the private key, as the private key is stored by the XG and actually does not have to leave the appliance for whatever reason.

    If you got your PEM from the CA, you need to press the option on the left called "import".

    It will give you the option to import the signed certificate based on this CSR. 

    If you upload the PEM to the appliance via the normal process of "Add certificate" it will not match to the CSR. 


  • But this is exactly the way I did it the first time...

    Now I have deleted the certificate that was active but that I couldn't see and choose for the portals,
    and created a new CSR request called "Portal-SSL":

    The key file, which is no longer directly downloadable via the Sophos admin portal, can be copied via SSH from the following
    path: /conf/certificate/private/portal-ssl.key

    With the new CSR I created/ordered a new Comodo SSL certificate (as a PEM file).

    By now I have the new PEM file and the key file from the XG via SSH/CLI.

    But what to do now? Do I import the certificate (PEM file) via the CSR import function?

    If I do it this way I can only choose the PEM file but not the key file.

    Or do I rather choose the way to add the certificate via "Add Certificate"?

    If I would do so, I could choose the certificate (PEM file) and the key file.

    Which name should I choose? The same as the CSR? And which password?

    If this is the right way, why is there also an import option for the CSR (without the key file)? And if the import process is the right way,
    why didn't it work for me?

    I am pretty confused...

  • It should work by uploading the PEM provided by the CA to the import option. Simply upload the PEM. The key never leaves the firewall and is not required. The firewall holds the key.


  • Okay, finally it works! :) Thanks for the help!

    But before importing the certificate, the 'Sectigo RSA Domain Validation Secure Server CA' has to be downloaded and installed under certificate authorities, otherwise my SSL certificate won't get active, right?
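The two points this thread turns on, as an added example that is not from the thread or from Sophos: that the PEM a CA returns belongs to the key pair behind the CSR (what "import" on the CSR checks, without the key ever leaving the firewall), and that the leaf certificate only verifies once the intermediate is supplied (why the Sectigo intermediate has to be installed as well). It assumes the openssl CLI; the root, intermediate and leaf it builds are constructed stand-ins for the real CSR, PEM and intermediate files.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos): openssl CLI checks before importing
# a CA-issued certificate on a CSR. cert_matches_csr: the CA's PEM belongs to the CSR's
# key pair (the private key never has to leave the appliance). chain_ok: the leaf only
# verifies once the intermediate is supplied, hence the intermediate CA must be installed.
# make_demo_pki builds a constructed root/intermediate/leaf; use your own files instead.
set -eu

pubkey_pem() {  # print the public key (PEM) held in a CSR, certificate, or private key
  case "$1" in
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac
}

pubkey_fp() {  # SHA-256 of the DER-encoded public key, so two sources can be compared
  pubkey_pem "$1" "$2" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

cert_matches_csr() {  # $1 certificate PEM, $2 CSR PEM; exit 0 if they share a key pair
  [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp csr "$2")" ]
}

chain_ok() {  # $1 trusted root, $2 intermediate (untrusted), $3 leaf; exit 0 if it verifies
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

make_demo_pki() {  # constructs demo root, intermediate and leaf key/CSR/cert in dir $1
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do  # key pair + CSR each, as the XG does for "Portal-SSL"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then  # sh check_csr.sh --demo
  D=$(mktemp -d); make_demo_pki "$D"
  cert_matches_csr "$D/leaf.pem" "$D/leaf.csr" && echo "leaf cert belongs to leaf CSR"
  chain_ok "$D/root.pem" "$D/int.pem" "$D/leaf.pem" && echo "chain verifies with intermediate"
fi
```

Against the live portal, `openssl s_client -connect firewall.domain.de:4442 -showcerts` shows whether the intermediate is actually being served alongside the leaf.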
