This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

CSR Certificate Help

Good Morning!

Dear Sophos Community,

Could you help me to understand about an issue,

We are following a sophos KB support.sophos.com/.../KB-000041071
 
Which shows us how to generate the CSR certificate to be sent to the CA for signature, so far so good.

The data that we must put in the certificate would be our local IP of the device, the big question mainly of my manager is whether the signature of the CA company that sends us the certificate will work for our model that we need, which is to put our Captive portal valid and safe for users who are going to use the wifi network. This signed certificate will it be recognized in the CA, even getting our local data?

I really need your help to understand this certificate process.



This thread was automatically locked due to age.
Parents
  • Hello,

    Certificate are not dealing with IP-addresses. They are about DNS-Names like "mysophosgateway.yourdomain.com".

    Whatever your DNS-Server resolves to this name, is valid for your clients.

    Simply put: your internal DNS-Server can resolve the name "mysophos.yordomain.com" to e.g. 192.168.111.254 for your Sophos-FW internal LAN interface and everything is fine.

    BUT: of course you need to own "yourdomain.com" to have a valid DNS-name in your (pubic) certificate which can be validated somehow by a public CA.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I understood!

    In that case, one way or another I need to have this domain published, right?

  • No, not necessarily.

    If you mean by "published", that you need a webserver, then: NO.

    The only thing you need is a reservation of that DNS-name you want to use.

    Otherwise you won't be able to proof ownership of that name to the CA-provider who sign the certificate for you.

    I know of several ways, the CA can proove your ownership of a domainname, either you put a special code into your DNS-records for that particular domain in form of a TXT-record, or you confirm reception of a mail to "postmaster@yourdomain.com", which of course needs to exist. and some other ways.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • No, not necessarily.

    If you mean by "published", that you need a webserver, then: NO.

    The only thing you need is a reservation of that DNS-name you want to use.

    Otherwise you won't be able to proof ownership of that name to the CA-provider who sign the certificate for you.

    I know of several ways, the CA can proove your ownership of a domainname, either you put a special code into your DNS-records for that particular domain in form of a TXT-record, or you confirm reception of a mail to "postmaster@yourdomain.com", which of course needs to exist. and some other ways.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Children
  • Thank you very much!

    In contact with Sophos support, they asked that my public IPs and DNS be added within the SANs configuration, but we made the notes for the local IP itself.

    My manager is just asking for fear that it doesn't really work when I open the captive portal on an external WIFi user for example and the page doesn't work as secure

  • The only "connection" between DNS-names (used in a crtificate) and an IP-address is a DNS-Server and its information about which hostname has which IP. That's it!

    There is no field inside SSL-certificates for an IP address, believe me.

    So you can't "order" an SSL-certificate for a particular IP, only for a NAME.

    And, yes, that name has to be a "real" host and domainname, you can't put "server1.company.local" here.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Perfect!

    Thank you very much for the clarification, let's check the ways of pointing to a name on our equipment.