When the vendor's HowTos do not reflect reality, or "Install a subordinate certificate authority (CA) for HTTPS inspection" is wrong

Just for anyone else with the same problem: I had a ticket with Sophos (for months, just to get this answer...) because I couldn't get this one working: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesInstallSubordinateCAForHTTPSInspection/index.html#generate-a-certificate-signing-request-csr. The problem began for us in 18.5, but it is the same in 19.0 (I don't know if this one ever worked...).

I was told that this is not possible. After I asked again whether they were telling me that their own HowTo is wrong, it was confirmed. So if someone wants to do this, you have to do it another way than what the help tells you...

To get some additional benefit from this topic: I can recommend the DigiCert utility for that purpose: https://www.digicert.com/support/tools/certificate-utility-for-windows

But as a last word here: for me it is ridiculous to wait months for a useful answer and then have the answer simply be "Yes, that's right, it is not possible; you can use the certificate from the CSR of XG for web services like UI access, WAF, etc., but not for proxy or email, etc." instead of "Yes, you are right, we are fixing it so it works as described in the HowTo." At the very least it would make sense to delete the wrong entry in the help ASAP...



[edited by: emmosophos at 10:18 PM (GMT -7) on 6 Jul 2022]
  • Hello,

    Thank you for reaching out to the community. Sophos does not provide a private key, as it would breach firewall security. You can import your own certificate with the private key + passphrase to use for signing for proxy and email signing. You can use the certificate from the CSR of XG for web services like UI access, etc.

    Thanks & Regards,

    Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved



  • Yep, somewhat clear, but it also wouldn't be necessary, so technically this doesn't make sense, as no one but the firewall needs the private key for it... (I didn't want to have the private key, just to make sure this is clear.)

    The CSR (and the private key in the background) is generated on Sophos XG, the CSR is signed by the external CA, and the public key is imported. Everything is still safe, as no one needs the private key; it is already in the box and only needed there. It only has to match.

  • It seems the Sophos article is OK...

    Do you really do the part "Select Subordinate Certification Authority for your template" from
    "Open the CSR file you downloaded from Sophos Firewall, and copy the complete content without any extra lines. Select Subordinate Certification Authority for your template."?
    Without the Sub-CA template, the resulting certificate cannot be a Sub-CA, which is necessary for HTTP/SSL decryption.

    And btw... no public CA would sign your "Sub-CA".


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Just do a test and try it... Without a test from your side, it is not the answer, and yes, it is done like this.

    And sure, it is not a public CA (nobody suspected that here?). But how do you sign your SSL decryption certificate? I hope from your own root CA in your PKI.

    Just to make clear: I can sign the CSR (with the SubCA template!). But the public certificate generated from this can't be imported into the firewall as described.

    Edit: and to strengthen my answer: Sophos itself says it is not working, as you can read here in the thread...
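The procedure the thread argues about (generate a CSR whose private key stays on the device, have an internal CA sign it with a Subordinate CA template, then import the resulting certificate) and the check Dirk points at (without the Sub-CA template the result is not a CA and cannot sign anything), as an added example using the OpenSSL CLI. This is not code from the thread, from Sophos or from the linked HowTo, and it does not touch a firewall: the lab root CA, the file names, and a locally generated CSR standing in for the firewall's CSR are assumptions, so the last step (import into the appliance) is not shown. The point is the pre-import check: does the signed certificate carry basicConstraints CA:TRUE and keyCertSign, and does its public key match the private key behind the CSR?

```shell
#!/bin/sh
# Added example (not from the Sophos thread): sign a CSR as a subordinate CA
# with OpenSSL and verify that the result really is a CA certificate.
# Assumptions: an OpenSSL CLI (1.1.1 or newer) is present; the root CA is a
# throwaway created here; the CSR is generated locally in place of the one
# the firewall would produce.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. A throwaway root CA (stands in for the organisation's internal PKI root).
#    Self-signed via x509 -req so the extensions come from our own file and
#    not from whatever openssl.cnf happens to be installed.
make_root_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Lab Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/root.cnf"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -sha256 -extfile "$WORK/root.cnf" -out "$WORK/root.crt" 2>/dev/null
}

# 2. A CSR whose private key never leaves the box (like the firewall's CSR).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Firewall TLS Inspection Sub-CA" \
        -keyout "$WORK/subca.key" -out "$WORK/subca.csr" 2>/dev/null
}

# 3. Sign the CSR. The "template" is an extension profile: with the sub-CA
#    profile the certificate becomes a CA (CA:TRUE, keyCertSign); with the
#    end-entity profile it is a plain leaf that cannot sign anything.
sign_csr() {
    # $1 = output file, $2 = "subca" or "leaf"
    if [ "$2" = "subca" ]; then
        printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
            'keyUsage=critical,keyCertSign,cRLSign' \
            'subjectKeyIdentifier=hash' \
            'authorityKeyIdentifier=keyid' > "$WORK/ext.cnf"
    else
        printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
            'keyUsage=critical,digitalSignature,keyEncipherment' > "$WORK/ext.cnf"
    fi
    openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
        -extfile "$WORK/ext.cnf" -out "$1" 2>/dev/null
}

# 4. The check to run before importing anything: is this a CA certificate?
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# 5. Does the certificate's public key match the private key behind the CSR?
#    If not, the appliance has nothing to pair the certificate with.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/subca.key" -pubout)" ]
}

run_demo() {
    make_root_ca
    make_csr
    sign_csr "$WORK/subca.crt" subca
    sign_csr "$WORK/leaf.crt" leaf
    is_ca_cert "$WORK/subca.crt" && echo "subca.crt: CA:TRUE, usable as a signing CA"
    is_ca_cert "$WORK/leaf.crt" || echo "leaf.crt: not a CA, useless for TLS inspection"
    key_matches "$WORK/subca.crt" && echo "subca.crt matches the CSR's private key"
    echo "artifacts in $WORK"
}

run_demo
```

Running it prints the two verdicts and leaves root.crt, subca.crt and leaf.crt in a temporary directory for inspection with openssl x509 -text. Whether a given appliance accepts subca.crt as its HTTPS inspection CA is exactly the question the thread leaves open; the script only shows what a correctly templated sub-CA certificate looks like and how to tell it apart from a leaf certificate before opening a support ticket.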
