When the vendors HowTo's are not rebuilding the reality or "Install a subordinate certificate authority (CA) for HTTPS inspection" is wrong

Is still the same, article still is in database but doesn't match the reality...

Hi K-M,

Thank you for bringing this up. I have reached out to our Documentation Team and this request has been added to the queue. I will let you know once there are updates. 

I just tried this and it worked fine. When I uploaded the completed certificate file after signing the CSR with AD CS, the other two options lit up and I could select "Certificate authority only" or "Certificate and certificate authority".

Are you 100% certain that you selected "Subordinate Certificate Authority" in step 4? The upload function does check to ensure that the certificate you are uploading has the necessary properties for a CA.

Funny, then you are the only person in this thread where this worked in detail/real life. Had a support ticket and nobody could solve it, even it is verified that Sophos will delete it from Documentation, see below. I would be interested in your exact steps how you did it. Maybe we could connect for a session, that you could show it to me how you do it.

Are you using a standalone CA for signing in a two tier pki? Then you also have to use the comand line on the offline CA? Or are you signing via GUI on the production/issuing CA?

Hi K-M - I made a quick video showing the steps I was taking. Perhaps you could have a look and see how it matches your experience. First, I just show that I already have the domain's root CA installed, then I go through the process of creating a CSR on the Firewall, signing it as a Certification Authority in AD then re-importing it to the Firewall. 

Great, that is something we can work on. Don't know why the support was not able to add this useful information with OpenSSL as you are aware of it. Would have been easy to see that it can't be working without even trying to import it as my flag is FALSE!

BUT: it is only FALSE if the CSR comes from the Sophos itself. CSR generated externally are working just fine. Just did a parallel test with CSR from Sophos and from DigiCert utility. CSR from Sophos is FALSE, from DigiCert it is TRUE. So the template is right but there seems to be a problem in Windows CA while working with the Sophos CSR this way.

So we have the following differences:

- I am using a (offline) Standalone CA for issuing all SubCA certificates (two tier pki)

- In Windows Standalone CAs there are NO certificate templates in GUI available (there are no Templates configurable in MMC, too)

- SubCA Certificates CSRs are submitted like this: certreq -submit -attrib "CertificateTemplate:SubCA" "filename"

I send you a link to my test with screenshots. As there are internal information in it I can't link it here. There you can see in steps what I did.

OK, helped me searching the right way and I found it (that would have saved me hours with the support!). The problem is really the CSR from Sophos as it requests to be a single certificate for a device. Sorry, have only the german output from "certutil -dump csr".

Only the attributes are important, so I only will post this one here.

DigiCert csr (really short without any special):

Anforderungsattribute: 1
  1 Attribute:

  Attribut[0]: 1.2.840.113549.1.9.14 (Zertifikaterweiterungen)
    Wert [0][0], Länge = 23
Zertifikaterweiterungen: 1
    2.5.29.17: Kennzeichen = 0, Länge = 18
    Alternativer Antragstellername
        DNS-Name=test-digi.test.local

Signaturalgorithmus:
    Algorithmus Objekt-ID: 1.2.840.113549.1.1.5 sha1RSA
    Algorithmusparameter:
    05 00

Sophos CSR:

Anforderungsattribute: 3
  3 Attribute:

  Attribut[0]: 1.2.840.113549.1.9.7 (Kennwort in Frage stellen)
    Wert [0][0], Länge = 19
    hHbLw2z9ENjdTdKbT9hRk5N

  Attribut[1]: 1.2.840.113549.1.9.2 (Unstrukturierter Name)
    Wert [1][0], Länge = 1a
[...]   

  Attribut[2]: 1.2.840.113549.1.9.14 (Zertifikaterweiterungen)
    Wert [2][0], Länge = 36
Zertifikaterweiterungen: 3
    2.5.29.17: Kennzeichen = 0, Länge = 13
    Alternativer Antragstellername
        DNS-Name=test.test.local

    2.5.29.19: Kennzeichen = 0, Länge = 2
    Basiseinschränkungen
        Typ des Antragstellers=Endeinheit
        Einschränkung der Pfadlänge=Keine

    2.5.29.15: Kennzeichen = 0, Länge = 4
    Schlüsselverwendung
        Digitale Signatur, Zugelassen, Schlüsselverschlüsselung (e0)

Signaturalgorithmus:
    Algorithmus Objekt-ID: 1.2.840.113549.1.1.11 sha256RSA
    Algorithmusparameter:
    05 00

That has to be the same on your side. So it shouldn't be working at your side, too. BUT... now there is a Microsoft thing:

Important difference between Standalone and Enterprise CA is that if you use a Enterprise CA every attribute from the certificate template overwrites the attribute in the CSR, even if it is set. In a standalone CA the attribute will be kept if it is existing in the CSR despite what is beeing configured in the used template. So that is why it is working via the GUI on your Enterprise CA but not on my Standalone CA.

Additional Excurse: somewhere else stands that SubCA certificates should also be marked as critical (https://krestfield.github.io/docs/certdog/issuing-subca-from-microsoftca.html) and this is confirmed here (sorry german, https://www.gradenegger.eu/?p=1455) but that doesn't have an impact if it is already working. Maybe Sophos should take that in consideration if someone "fixes" the CSR generator and if you tick a button that this CSR is for SubCA it will be automatically requested as critical...

It seems that we are close to a solution and maybe to an addition to the documentation if the problem is now fixed afterwards...

So if someone is looking into here please tell us if we have to open another case for it or if you discuss it internally on your own. Thanks in advance.

Thanks for sharing and providing the above information. I will go ahead and pass this on to our Documentation team.

Best,