
XGS Certificates: Certificate authority: Invalid or not installed


I want to replace an SG firewall with an XGS. I downloaded the wildcard certificate (.pem) and the certificate of the CA from the SG and uploaded them on the XGS. Though the wildcard certificate doesn't trust the CA. How can I solve this problem?

Added TAGs
[edited by: Erick Jan at 8:53 AM (GMT -7) on 5 Jun 2023]
  • Hello  ,

    Thank you for reaching out to the community. There can be two reasons why this shows as invalid:

    1.) The CA is invalid when not in the Sophos Firewall CA certificates database.
    2.) Duplicate CA certificates in the database.

    We have a workaround - NC-84530. We would request you to log a service request and revert to us here to investigate this further and get this resolved on priority.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


  • I have now spent some hours trying to resolve a similar issue with a Let's Encrypt wildcard certificate.

    I made updates for my certificate via pfx. Last time this worked without issues but this time I got the red X.

    Nevertheless the certificate works for my published websites but not for my Sophos appliance.

    So I went through all threads with this issue and found this is not a rare problem.

    I deleted all R3 and ISRG CAs, even went to the shell and deleted CAs in /conf/certificate/cacerts, where there were some of my past pfx certs not shown in the web interface.

    Then I added R3 and ISRG Root X1 via copy/paste, which are exactly the ones in my cert chain.

    But to no avail.

    What workaround do you mean by NC-84530?
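
The two causes named in the support reply in this thread (issuing CA not present, or duplicate CA entries) can be checked offline with OpenSSL before uploading anything. This is an added example, not code from the thread or from Sophos; the script name and the layout it expects (one PEM certificate per file, CA files in one directory) are assumptions.

```shell
#!/bin/sh
# Added example: offline checks for a "CA invalid or not installed" status.
# Assumption: every *.pem file holds exactly one certificate (openssl x509
# reads only the first certificate in a file).

# OpenSSL name hashes of a certificate's subject and issuer.
subject_hash() { openssl x509 -in "$1" -noout -subject_hash; }
issuer_hash()  { openssl x509 -in "$1" -noout -issuer_hash; }

# chains_to LEAF CA
# Succeeds only if CA's subject name is LEAF's issuer name AND LEAF verifies
# against CA. A CA file with the right name but another key fails the second step.
chains_to() {
    [ "$(issuer_hash "$1")" = "$(subject_hash "$2")" ] || return 1
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# duplicate_cas DIR
# Prints every subject hash that occurs in more than one *.pem file in DIR,
# whether the files are identical copies or different keys under one name.
duplicate_cas() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        subject_hash "$f"
    done | sort | uniq -d
}

# Usage (hypothetical script name): sh check_ca.sh wildcard.pem ca_dir
if [ "$#" -eq 2 ]; then
    duplicate_cas "$2" | sed 's/^/duplicate CA subject hash: /'
    found=0
    for ca in "$2"/*.pem; do
        if chains_to "$1" "$ca"; then
            echo "issuer verified: $ca"
            found=1
        fi
    done
    [ "$found" -eq 1 ] || echo "no CA in $2 verifies $1"
fi
```

For a Let's Encrypt wildcard, the leaf is checked against the intermediate file and the intermediate against the root file, one `chains_to` call per link.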