V18.5.1 appears to have a bug in CA generation

Hi folks,

Recently my local CA expired and is now causing me grief on all my Apple devices using Mac Mail.

The errors vary from "not suitable for pinning" to "the site you are connecting to is unsafe or not recognised". The errors are affecting both SMTPS and IMAPS. For the moment, while I try to resolve the issue, I have disabled SMTPS scanning.

I have tried to generate a new CA on the XG with a 12-month life, similar to the one that expired, except the export process does not work and the exported .cer is not recognised. I have tried renaming the CER and modifying its settings, but the same error persists. Also, when exporting I see the encoded certificate displayed, which all seems wrong to me.

The export message is

The exported file 

The result is I cannot generate a local CA of any use.


  FormerMember
    3 months ago

    Hey Ian, 

    Did you mean you're trying to re-generate any of the in-built CA (Certificate Authorities) or did you create a Self Signed Certificate on the Firewall and trying to install it in the Mac systems along with the Built-in CA? 

    Usually if you're trying to download the self-signed certificate, it will be in .cer format 

  • Hi,

    I am trying to download a self-signed CA, and yes, it is normally a .cer, as in this case, but the format is wrong. When displayed in the XG it is correct, but the Apple devices reject the format as invalid, so that means the export process is broken.


  • There is something very wrong with the XG mail security. Various mail accounts cannot connect to the RSP mail server because the XG insists the password or user ID is wrong. When removed from the XG network, the same mail accounts work correctly.

    I will have to disable IMAPS scanning to overcome this issue, not that IMAPS scanning is of much use considering the amount of spam that gets through.


  • Not sure if the import process of iOS changed in the last version (iOS 15), but as far as I know, a .cer should be perfectly fine to import into a device. So if you get the .cer, it should be fine from a firewall perspective.

    Keep in mind, literally no business customer uses IMAPS. This is likely only used by home users. Therefore there are not many business use cases and not many customers use this feature. So you do not have much spotlight from the business folks on this feature.

    But you export the CA for scanning in the same manner. And this should work in the same way and is the same certificate. And as far as I know, there seems to be no issue right now.


  • The issue being the export file name is meaningless. I think you will find a number of small businesses use IMAP?

    The issue is not only IMAP; it also affects SMTPS scanning, which I have disabled while waiting for a fix for the CA name.

    This issue has only arisen since the CA expired.


  • Actually no. Most small businesses migrated long ago to Office 365 and stopped using IMAP and that stuff. They migrated everything to the O365 cloud, and also the cloud. Much easier to interact with and maintain compared to having a free email, etc.

    About your issue. So your CA in the XG is/was expired? Because the Scanning CA is still valid until 2036, as far as i can see. Which certificate do you use? 


  • I was using one I created that met pinning requirements.

    I will have to move all to the XG CA, but in my experience with one of the RSP mail accounts the XG does not trust the SMTP servers, whereas I was able to get IMAP working.


  • Actually, this should not be the case. The Firewall should offer a cert which meets the requirements of an Apple device.

    The trick is:

    "Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:"

    The certificate of SFOS is issued for 01.08.2015, hence not required to have only a 3-year expiration.

    Try the Sophos SSL CA, which you find under CAs; import it and use the same for IMAP/SMTPS.

    The firewall itself will generate a certificate for each and every connection with this CA. This certificate is used for the connection and needs to meet the standard of 3 years' expiration, but we are doing this per connection as well, and the CA does not require this.

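The post above separates two things Apple treats differently: the CA certificate you install on the device, which may live for years, and the per-connection server (leaf) certificate the firewall mints under it, which must satisfy Apple's TLS server certificate requirements. Apple's published limits are 825 days for leaf certificates with NotBefore on or after 1 July 2019 and 398 days for those issued on or after 1 September 2020, plus a SAN, a serverAuth EKU, a SHA-2 signature and an RSA key of at least 2048 bits. The following Go program is an added example, not code from the thread or from Sophos: it builds a long-lived self-signed CA, issues a short-lived leaf under it the way an inspecting proxy would, and checks the leaf against those rules. The CA name and hostname are hypothetical; Go's standard library is used so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	cutoff825 = time.Date(2019, 7, 1, 0, 0, 0, 0, time.UTC) // 825-day rule starts here
	cutoff398 = time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC) // 398-day rule starts here
)

// maxLeafValidity returns Apple's validity cap for a leaf with the given NotBefore,
// or 0 when no cap applies (certificates issued before July 2019).
func maxLeafValidity(notBefore time.Time) time.Duration {
	switch {
	case !notBefore.Before(cutoff398):
		return 398 * 24 * time.Hour
	case !notBefore.Before(cutoff825):
		return 825 * 24 * time.Hour
	}
	return 0
}

// newCA creates a self-signed CA valid for the given number of years. The CA is
// what gets installed on the Apple device; Apple's lifetime cap does not apply to it.
func newCA(years int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local CA"}, // hypothetical name
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a TLS server certificate for host under the CA, valid for days.
// This mirrors what an inspecting proxy does for each intercepted connection.
func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // Apple requires a SAN, not just a CN
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAppleLeaf returns nil when leaf meets Apple's server certificate rules and
// chains to ca; otherwise it returns an error naming the first failing rule.
func checkAppleLeaf(leaf, ca *x509.Certificate) error {
	if max := maxLeafValidity(leaf.NotBefore); max > 0 && leaf.NotAfter.Sub(leaf.NotBefore) > max {
		return fmt.Errorf("validity %v exceeds Apple cap of %v", leaf.NotAfter.Sub(leaf.NotBefore), max)
	}
	if len(leaf.DNSNames) == 0 && len(leaf.IPAddresses) == 0 {
		return errors.New("no subjectAltName")
	}
	switch leaf.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		return fmt.Errorf("signature algorithm %v is not SHA-2", leaf.SignatureAlgorithm)
	}
	if k, ok := leaf.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		return fmt.Errorf("RSA key too small: %d bits", k.N.BitLen())
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if len(leaf.DNSNames) > 0 {
		opts.DNSName = leaf.DNSNames[0]
	}
	_, err := leaf.Verify(opts) // also enforces the serverAuth EKU
	return err
}

func main() {
	ca, key, err := newCA(10)
	if err != nil {
		panic(err)
	}
	for _, days := range []int{398, 825, 1095} {
		leaf, err := newLeaf(ca, key, "mail.example.test", days)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%4d-day leaf: %v\n", days, checkAppleLeaf(leaf, ca))
	}
}
```

Running it today, the 398-day leaf passes while the 825-day and 3-year leaves are rejected, because their NotBefore falls after the September 2020 cutoff. The CA, valid for ten years, is never checked against the cap, which is the distinction the post draws.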

  • Thank you for the explanation. I have reinstalled the XG CA, and at this stage all appears to be working correctly, which is completely different to the last time I tried using that CA.

    There is still a bug in the download process of the local generated CA if you review my original post in this thread.


    Just to make life extra difficult, one RSP changed their mail server security settings.

  • One RSP does not work. Further investigation tomorrow. Something about the certificate expiring, but that certificate has been deleted.