This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Decryption issue, unknown encrypting CA

Hello everyone,

I have a weird problem with https decryption. First, let me describe our equipment:

- AD network with 2 DC and internal CA

- An XG 125 router for internet access, firmware 19.0.0 GA-Build317

- Decryption is set up on the router, a subCA has been generated to re-encrypt previously decrypted traffic.

Everything works fine, except for some sites. For example, if you visit https://www.insee.fr , the browser indicates SEC_ERROR_UNKNOWN_ISSUER, and this site is encrypted with a certificate issued by "Sophos SSL Untrusted CA_KBeHDi0aSFUuBkKUVk6XCNC", which is clearly not my subCA!

I checked on the router and and no trace of this certificate!

Does anyone have any idea what is going on?

This thread was automatically locked due to age.

Top Replies

Christian Fournier over 1 year ago in reply to Brian1941 +1

I must add that I see this problem on several other installations I manage. Same sites, same problems of bad certificate but encrypted by another untrusted CA. So it's not "that" router related, so I don…

0 Brian1941 over 1 year ago

I have this exact same problem on my home network; I opened ticket 05662474 with supportt. After some remote troubleshooting, the support engineer believed that if I regenerated the key it would fix the problem. I didn't try that as I was too busy crashing on something else ,but eventually, I'll try it.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 1 year ago in reply to Brian1941

I must add that I see this problem on several other installations I manage. Same sites, same problems of bad certificate but encrypted by another untrusted CA. So it's not "that" router related, so I don't think that regenerating the key (SecurityAppliance_SSL_CA I suppose) would fix it.
Cancel
Vote Up +1 Vote Down

Cancel
0 emmosophos over 1 year ago

Hello Christian,

Thank you for contacting the Sophos Community.

I believe you might be affected by an issue that is currently being investigated, can you open a case with Support and share the Case ID.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Christian Fournier over 1 year ago in reply to emmosophos

Hello Emmanuel,

case opened, ID 05779926

Best regards,

C. Fournier
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 1 year ago in reply to Christian Fournier

Hello Christian,

Thank you for the Case ID, I left a note in your case and have reached out to GES.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel