When the vendors HowTo's are not rebuilding the reality or "Install a subordinate certificate authority (CA) for HTTPS inspection" is wrong

Just for someone else with the same problem, I had a ticket with Sophos (for months just to get this answer...) because I didn't get this one working: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesInstallSubordinateCAForHTTPSInspection/index.html#generate-a-certificate-signing-request-csr. Problem began for us in 18.5 but it is the same in 19.0 (don't know if this one worked ever...).

I was told that this is not possible. After I asked again that they want to tell me that the HowTo from themselves is wrong it was confirmed. So if someone want's to do this you have to do it another way against what the help will tell you...

To have some additional benefit from this topic: I can recommend the DigiCertutil for that purpose: https://www.digicert.com/support/tools/certificate-utility-for-windows

But as a last word here: for me it is ridiculous to wait for months for a useful answer and then the answer is simply "Yes, that's right it is not possible you can use the certificate used by CSR of XG for web services like UI access, WAF, etc...but not for proxy or email..etc." instead of: Yeah you are right, we are fixing it like described in the HowTo. At least it would be of sense to delete the wrong entry in the help asap...



Added TAGs
[edited by: emmosophos at 10:18 PM (GMT -7) on 6 Jul 2022]
  • Hello ,

    Thank you for reaching out to the community. Sophos do not provide a Private Key as it would breach on firewall security. You can import your own certificate with the private key + passphrase to use for Signing for Proxy and email signing. You can use the certificate used by CSR of XG for web services like UI access etc,

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • yep, somewhat clear but also wouldn't be necessary so technically this doesn't make sense as no one else but the firewall needs the private key for it... (I didn't want to have the private key just to make sure if this is clear).

    CSR (and private key in background) is generated on Sophos XG, CSR is being signed in the external CA, public key is imported. Everything is still safe as no one needs the private key, it is already in the box and only needed there. It only has to match for it.

  • Seems, the Sophos-Artice is OK ...

    Do you really do the part "Select Subordinate Certification Authority for your template" from
    "Open the CSR file you downloaded from Sophos Firewall, and copy the complete content without any extra lines. Select Subordinate Certification Authority for your template."
    Without the Sub-CA-template the resulting certificate could not be a Sub-CA ... which is necessary for HTTP/SSL-decryption.

    And btw .... no public CA would sign your "Sub-CA".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Just do a test and try it... Without a test from your side it is not the answer and yes it is done like this.

    And sure it is not a public CA (nobody suspected that here?). But how do you sign your SSL Decryption certificate? I hope from your own Root CA in your PKI.

    Just to make clear: I can sign the CSR (with SubCA template!). But the public certificate generated out of this can't be imported into the firewall like described.

    edit: and to strenghten my answer: Sophos itself says it is not working like you can read here in the thread...

  • This step is actually wrong:

    Upload the signed CA to Sophos Firewall

    You need to upload the signed CA to Sophos Firewall to use it for HTTPS scanning.

    1. Go to Certificates > Certificate authorities and click Add.

    You need to add the CSR via Import. You did that? Or did you upload the Cert? 

    I did this a couple of years ago and it worked. Because this was part of the Architecture training, as far as i can remember. 

    So CSR import should work fine: docs.sophos.com/.../index.html

    __________________________________________________________________________________________________________________

  • If I go to Import under the corresponding CSR there is only "certificate only" possible, everything else is greyed out.

    CSR is already in the box, because it was generated there.

  • That is correct. The private key is already in the appliance. So you can upload the signed cer to the firewall. 

    __________________________________________________________________________________________________________________

  • as a "normal" certificate this is working like expected but you can't upload a (Sub-)CA certificate for signing this way...

  • That is correct. The CA and Root CA needs to be uploaded as PEM. I would not expect to upload it with private key. 

    __________________________________________________________________________________________________________________

  • hm? My Root CA is normally uploaded into the box (without the private key, for sure). But for HTTPS signing which is accepted from the clients there needs to be a SubCA (with private key) from that chain. And that one can't be uploaded if the CSR is generated from the XG (because private key is already and only in the box and the upload expects public/private keypair as it seems).