
Export private key from Sophos XG

Hello,

I've been using the Sophos XG for a number of years with an SSL certificate that I use for the Admin portal, etc. I use a wildcard certificate that I purchase so that I can use it on some other servers as well. Today, I purchased a new wildcard certificate to use on my Sophos XG box, and other servers.

  1. I generated the CSR in Sophos.
  2. Exported the CSR to secure a copy.
  3. Pasted the CSR to my Certificate provider.
  4. Was provided with a certificate in a number of different formats. 
  5. Used the 'import' icon on the previously created CSR to add the new SSL certificate.
  6. Changed the Admin settings to use the new certificate.

Everything went flawlessly.

Then, I went to add the same wildcard SSL certificate to my TrueNAS system. Pasted in the Public key of the certificate, then went back to Sophos XG to grab the private key... WTF, I can't find it. I did this last year without issue.

Where is Sophos now hiding my private key, and how do I export it? 

  • Hello,

    Since the MR2 firmware, it's no longer possible to download the private key from the CSR generator, so I used an external openssl to generate a new CSR and my private key.

    Version 18.5 MR2

    Certificates

    • Removed the ability to download private keys for CSRs and uploaded certificates. So, you can't use CSRs and private keys generated on Sophos Firewall for external systems. You need to use other methods, such as tools built into operating systems.
    • Shown useful information about the different types of certificate authorities.
    • Made it easy to find locally-added certificates and certificates with private keys.
    • Made it easy to copy or download a certificate's public key to check and confirm.
  • Thanks for the reply, Gregory. I should read those maintenance release notes with more care. Although, it does seem like quite the feature to pull in a maintenance release. Regardless, I did find the fix.

    Turns out that the export feature under Admin settings will provide the private key, Yay!

  • To clarify, I was able to export the private key by going to...

    Sophos XG (version 18.5.2 MR-2-Build380)

    System -> Backup & firmware -> Import export -> Export (Export full configuration)

    This provided me with the private key that corresponded with the certificate I purchased after creating the CSR on the Sophos XG. So, after this export I had the public certificate, the CSR, and the private key. This was everything I needed to add the wildcard certificate to my TrueNAS server.

  • You're a life saver, thank you!

  • definitely not possible... well

    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# find /* | grep lalala 
    /conf/certificate/lalala.pem
    /conf/certificate/private/lalala.key
    /conf/certificate/csrs/lalala.tar.gz
    /conf/certificate/csrs/lalalacsr
    /conf/certificate/csrs/lalalacsr/Password.txt
    /conf/certificate/csrs/lalalacsr/lalala.csr
    /conf/certificate/csrs/lalalacsr/lalala.key
    find: /proc/13909: No such file or directory
    find: /proc/28332/task/13402: No such file or directory
    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# 
    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# 
    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# cat /conf/certificate/private/lalala.key
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,27FA13897689132E
    
    yX0wtGBogKHQXa832K+oj3E8jkSkFNZBPMlmUBLU+DuqMXJ08s3eGH1B2VdQ/4VK
    az1txCZY10Y6vV8zJXXYXuWruISMlgGm+2VFyfuVWpJfH6JOOZxanJ9SSR1+5CT8
    R7pw2n44iEgHOJi8wqqz61fjeJfDXmd3GcgkHmPqEEVbkgXOMDrC7GTPjSLfWtXX
    FFQzEF4a29RZX+1weqyqaFbD3oOfy+GAnK9GXeSlcDjZGisOJjrZb4EIaXn5Nmvo
    FUPlkZ0mF34op/dkJUg5iPcXWVrShu5UOJedmpd+G/PrY5nr4JQq4wP9/07K6Im/
    bQktkd/CnA7p4QTIUVyUGUrWGM6t4+OM6k6Q9gKqgZ2NkvzadjQGovsKtBSkfwYk
    S0zpTP0bjy3x0c78Q1q/NkUqwTuc+0OnvIEoqOa8BEBghygrMz/ag/isA0HbDTyc
    BAhF1GlPH+/LLJAcQ6yRNnuYhfGBZr17/Qxb7tzk/WzCC99CoJURHlB0SRR4SP3Z
    XMRaoF4FAgiBUj5SpgcUhouVZSVaBP8ezAHO3NhBo+UtyKF1phXaf7Ysjx6LIKxG
    CTwul0q4I4DhqWBrUjVoj7HIAvmM5wT7T4Cg4HlwJqY7ERQytbZ78Px+7XN0B+eq
    69xenCymk82/fF0VIpEFEPyNDQf4yKeQXVRAU7brTLIyIpCb0kk+e8jW/ed3bBTl
    T9AZhq/CqlAIF4/bh/hbiZcoY0YWJbV46Pg19naNe1qx79K7T9R2ULmY2ol9EGFn
    meU5TVOc81kq22+lbOMlUQeP3QwxDI+nYKMqlvhF0mmESYtxVrrauQByG/c4VBVz
    Nw74RjGSvyJQ5GrX2B1wPBphU02JKAjz/z3PtcojZUT2pKI9RfVRY5jZZlOpKkct
    8Y2pt9dt8PKcGl7yOGnfhBv1Hsf+jM+9tkL0Ub8RwaDqMJ6MLR2rIbvyCbgGw+tT
    hrchFT8ov1bDWHiq1Gc+HqGL65Y+Vo70B2uQ5p//Uor3JiyS3FlKPiqZNpHnd+TO
    Rm4hLMi6yiqOlKZdiGjRo/Ftruk9KTsv2qYogXt5oO5Ylvcoujzg8b5l0G9gPlDX
    NNF+BS2QnRfGkOsoy/HqD6zJ82bQGVQcsxy54EvKGXMi6ysLEP4/4g68JZD8Emn8
    *
    Ns0xpHE+AFUGJflCojjzW5HEgWMEgZZEVf5ZONUh3yw+SrLZeEXhEdfg3iGu2t/x
    +Ko4sVOx8th9oEciKOjS5reVEVv7iLS/7hscOhXX7Q7lX+vp06iETALHj/CUlakF
    RkV7CTbgwxTlpmngGI41sDTd70Qg91iuFhDVwztmLSqG15AAn6VNXN0iD+0AuOTD
    3d9xllcT76rMmvm/4Wh9vOMzfb9vf+BbWWSIlSLq4PfJ/sL5jMBZEHcPPpaQnq6I
    EkEOSUpFe7xXiUQN9bZvxz6kK+kMnGh25BxONyg2+mSogfXQyqwHgQ==
    -----END RSA PRIVATE KEY-----
    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# cat /conf/certificate/csrs/lalalacsr/Password.txt
    Password :dWyLamwGJGwVKeMmQ7xxx
    Challenge Password :dWyLamwGJGwVKeMmQ7xxx
    Company Name :NA
    SFVH_SO01_SFOS 18.5.2 MR-2-Build380# 

  • Sure, you can do this via Shell. The export of the private key is simply to not expose the key to unneeded surfaces. There is no need to download the private key of a CSR. 

    You should not use a firewall as a centralized certificate store anyway. 


  • I can appreciate not wanting to expose it more places than required, especially if you have different roles accessing the system from an admin/sub-admin perspective. Your next sentence is factually untrue as evidenced by the two cases reported here by and me. 

    Firewall - should I manage access points from a firewall, should I monitor end-point av from a firewall, etc? My point is that the Sophos XG clearly isn't only a firewall, but rather a network security management device. Certificates are a pretty central part of network security management.

    Why should I not want to manage such a critical piece of my network security infrastructure from what should be the most secure device on my network? The only reason that I can imagine that you would suggest this is because you believe that the Sophos XG is not a secure device. If I trust it to perform what amounts to a MITM attack, I'd better be able to trust it to manage certificates. 

  • The reason you shouldn't perform certificate management on an XG is because it is an edge device directly connected to the internet. For the smallest deployments, the XG may well be the most secure device on the network but for most deployments it is better to not run anything on the XG that isn't essential to its core function. Better to run those functions on a secure internal device.

  • , I get what you're suggesting here. However, I still have a tough time reconciling it with the fact that the Sophos XG has an entire section dedicated to certificate management, and the fact that it creates certificates for nearly every single https website that is visited on our network; it manages hundreds of certificates every day for SSL/TLS traffic inspection. Given this, it appears like certificate management (and creation!) is part of its core function, unless SSL/TLS inspection isn't part of the core function.

    Looks like I'll be setting up a network air-gapped, Qubes OS installation, running on battery, in the basement with no windows, inside a Faraday cage, to generate private keys and certificate signing requests in the future. Not sure how that will work with Let's Encrypt....

    Speaking of Let's Encrypt, I guess with the approach you're suggesting it's unlikely that Sophos would ever implement Let's Encrypt certificate generation on the XG in the same manner as CloudFlare has. Someone should tell Cloudflare that they are doing it wrong.

    Cheekiness aside, I do appreciate the perspective that both you and have provided.

  • Looks like I'll be setting up a network air-gapped, Qubes OS installation, running on battery, in the basement with no windows, inside a Faraday cage, to generate private keys and certificate signing requests in the future.

    Glad you are sorted.