
Sophos (XG) Client Authentication Agent

Hello all,

I am currently looking for a lean solution to build a rule per firewall that only applies to authenticated users. I have connected the firewall to the AD and installed the "Client Authentication Agent" on the (Windows) client. The user authenticates himself against the AD via the firewall and the rule with "Match known users" takes effect. So far everything is fine.

The small hook comes now. The whole thing must run on 40 firewalls. For the whole thing to work with multiple firewalls, I would have to import the "ClientAuthentication_CA" certificate from each firewall into the client. Then I would have 40 Sophos CA certificates on each client, which I would consider very unattractive.

I have used the CLI (/conf/certificate/internalcas/ClientAuthentication_CA.*) on a test box to replace the certificates with the certificates from another box. When I then try to download the certificate in webadmin, I get the new certificate. However, the authentication itself still has the old certificate. So unfortunately, it is not so simple...

Is there a way to export the "ClientAuthentication_CA" certificate of one firewall and import it into the other firewalls?

  • Hi Vishal,

    if I also copy the files /conf/certificate/internalcerts/ClientAuthentication_cert.* to my test firewall, the client authentication client will work (after a reboot of the firewall). Which process do I have to restart (authentication service)?

    But the ClientAuthentication_cert will expire at the end of 2024. To check if the renewal process with the cloned CA will work, I tried to generate a new certificate with this script: /scripts/certificate/

    If I start the script with these parameters:

    /scripts/certificate/ ClientAuthentication_cert ClientAuthentication_CA UK NA NA NA NA "Sophos Client Authentication CA" "/conf/certificate/internalcas/" 2048

    I receive this error message:

    Using configuration from /static/system/certificate/openssl.cnf
    ERROR:name does not match /C=UK/ST=NA/L=NA/O=NA/OU=NA/CN=Client Authentication Cert
    Ignoring -days; not generating a certificate
    Error Loading request extension section v3_req
    4154185472:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:crypto/x509v3/v3_alt.c:533:
    4154185472:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=2048

    Can you please advise me how to renew the certificate?



    If a post solves your question please use the 'Verify Answer' button.

  • Hi, for your query on the restart: the authentication service can be restarted from the UI via Configure > System Services > Services > Authentication > Restart

    or from the shell via the command below:

    #service access_server:debug -ds nosync

    Regarding the 2nd query, renewing the certificate (ClientAuthentication_CA): I may need to do some tests and research on my LAB device and will confirm if there are any possibilities for the same..!


    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    If a post solves your question use the 'This helped me' link.
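An added check for the scenario in the question and the first reply (shell script using the openssl CLI; this is not Sophos code and not part of the thread): once the CA and certificate files have been copied to a firewall, confirm that ClientAuthentication_cert really chains to the cloned ClientAuthentication_CA and get an early warning before the end-of-2024 expiry. The PEM paths are passed in as arguments (the exact file names under /conf/certificate/ are an assumption), and the sample CA and leaf the script builds are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not Sophos code: after cloning ClientAuthentication_CA onto a
# firewall, confirm that its client-authentication certificate chains to the
# clone and is not about to expire. Pass the two PEM paths explicitly; the
# thread names /conf/certificate/internalcas/ and /conf/certificate/internalcerts/,
# but the exact file names and extensions there are an assumption.

# check_client_auth_chain CA_PEM LEAF_PEM [WARN_DAYS]
# Returns 0 if LEAF_PEM was issued by CA_PEM, verifies, and has more than
# WARN_DAYS (default 90) days left; otherwise prints the reason and returns 1.
check_client_auth_chain() {
    ca="$1"; leaf="$2"; warn_days="${3:-90}"
    # 1. The leaf's issuer must be the subject of the CA the clients trust;
    #    a replaced CA with an unreplaced leaf fails right here.
    ca_subj=$(openssl x509 -in "$ca" -noout -subject) || return 1
    leaf_iss=$(openssl x509 -in "$leaf" -noout -issuer) || return 1
    if [ "${ca_subj#subject=}" != "${leaf_iss#issuer=}" ]; then
        echo "issuer mismatch: leaf was issued by '${leaf_iss#issuer=}'" >&2
        return 1
    fi
    # 2. Signature, validity window and CA flag, checked cryptographically.
    if ! openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "leaf does not verify against the CA" >&2
        return 1
    fi
    # 3. Early warning before the leaf runs out (the thread's cert ends in 2024).
    if ! openssl x509 -in "$leaf" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo "leaf expires within $warn_days days" >&2
        return 1
    fi
    return 0
}

# Constructed sample material so the check runs offline: a self-signed CA with
# the CA flag set via -extfile (same result on old and new OpenSSL), a leaf it
# signed, and a second CA that never signed it.
make_ca() {  # make_ca DIR NAME "COMMON NAME"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 3650 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -extfile "$1/ca.ext" -out "$1/$2.pem" 2>/dev/null
}
make_sample_certs() {  # make_sample_certs DIR
    make_ca "$1" ca "Sophos Client Authentication CA"
    make_ca "$1" other "Some Other Firewall CA"
    openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Client Authentication Cert" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}
```

Run it on each firewall as `check_client_auth_chain <CA.pem> <cert.pem>` after the copy; a non-zero exit tells you the clone and the certificate do not belong together or the certificate is close to expiry.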