Certificate renewal fail

Question

Hi, 
 Our certificate for the site expires today and we've tried uploading a new one and it's imported but it's listed as untrusted. 
 It's an Alpha SSL certificate and our service provider gave us the .csr and .key file. We copied the contents of the .csr file into a notepad and saved it as a .crt file. Then with OpenSSL we created the .pem file, using the .crt and .key. 
 We uploaded the .pem file to Sophos but it appears as follows: 
 
 We need help urgently. 
 Best Regards Luis

PhilippRusch · Answer

Ola, 
 the CSR is the file you need to have your "certificate signing request" (CSR) being signed by the public CA of (for example) AlphaSSL. 
 Normally they will validate your ownership of the domain you are requesting this certicate for and after a successful validation you will receive a crt, cer, der or pem file. 
 So you have the private ".key" file from your own certificate signung request that you created with OpenVPN, I think. The CSR is not needed anymore after you received the public certificate from the public CA like AlphaSSL. You should keep them in a secure place, though. 
 For uploading to the firewall system, you need either both files: certificate (in pem, der or cer format) and private key. 
 Or you have a combined pkcs format like .p7b or .p12, where cert and key are stored in one file. 
 In both cases you have to supply the password for the private key when importing to the firewall as a security measure. 
 Then the Sophos system will accept this certificate as "trusted" 
 Hope this helps.

André Besteiro · Answer

Thanks Phillipp, 
 I identified the rule, changed the certificate and the problem was solved.

PhilippRusch · Answer

error says: you are using the wrong file (see my explanation for the steps needed)

PhilippRusch · Answer

Hi Erick, 
 I think he is still using the wrong cert. Look at the screeshot fo the error message: It says: Issuer ... is (his own domain, blabla) 
 For "AlphaSSL" (this is a brand of GlobalSign) this should be something like: 
 Issuer: CN = GlobalSign Root CA OU = Root CA O = GlobalSign nv-sa C = BE

PhilippRusch · Answer

If using a widely accepted public CA, you normally do not need to upload a CA-cert from them to make it trusted. I never do that. 
 This would be very strange if it worked like that. A public CA is called "public" bacause their Root CA and maybe some intermediate CA are publically avaliable and well known. This is the way it works.

Certificate renewal fail

Top Replies