
Sophos Home v21 GA - Unable to upload internal CA

I am trying to upload/update a custom CA for SSL decryption (signing and validation), but it fails with the following message:
"Hochladen der Zertifizierungsstelle ist fehlgeschlagen. Ungültiger privater Schlüssel oder ungültiges Kennwort"
I know the passphrase for the key is correct, because it works if I upload it on the certificates page, just not on the CA page.

If I try to upload the certificate without the key the error is:
"Die Zertifizierungsstellen-Datei ist möglicherweise beschädigt"

I have compared the old and new crt file using this command on a Linux workstation in my homelab:
diff -u <(openssl x509 -noout -text -in /tmp/old.pem) <(openssl x509 -noout -text -in /tmp/new.pem)

The only differences are the expected date, serial number and public key.

The article used: docs.sophos.com/.../index.html

Details to the certificate:
- Sub-CA of internal root CA

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)

        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0

    Signature Algorithm: sha256WithRSAEncryption

Details of the private key:
- 4096 bit
- RSA

What are the requirements for a CA certificate? Unfortunately the article is very thin here.



Added private key details.
[edited by: Herman Baum at 5:34 PM (GMT -8) on 7 Jan 2025]
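Before re-uploading, it helps to rule out the usual local causes in one pass: a PEM file with CR line endings or a BOM, a private key whose public half does not match the certificate, and a CA certificate missing the extensions a signing CA needs. The following script is an added example written for this thread, not something from Sophos or the linked article; it only uses the openssl CLI already used above. It reports an Extended Key Usage extension on a CA certificate because RFC 5280 expects that extension on end-entity certificates, but it does not fail on it, since the thread does not establish what the appliance actually checks. The file names and the CA_KEY_PASS environment variable are assumptions for the example.

```shell
#!/bin/sh
# Local pre-upload checks for a PEM CA certificate and its private key.
# Usage: sh ca-precheck.sh ca.crt ca.key   (passphrase, if any, in CA_KEY_PASS)

# pem_layout_ok FILE: fails on CR line endings, a UTF-8 BOM, or no certificate block
pem_layout_ok() {
  f="$1"
  if ! tr -d '\r' < "$f" | cmp -s - "$f"; then
    echo "$f: has CR (Windows) line endings"; return 1
  fi
  if head -c 3 "$f" | od -An -tx1 | grep -q 'ef bb bf'; then
    echo "$f: starts with a UTF-8 BOM"; return 1
  fi
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$n" -ge 1 ] || { echo "$f: no CERTIFICATE block found"; return 1; }
  echo "$f: $n certificate block(s)"
  return 0
}

# check_ca_cert FILE: the certificate must parse and carry CA:TRUE plus keyCertSign
check_ca_cert() {
  cert="$1"
  text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) \
    || { echo "$cert: cannot parse as PEM X.509"; return 1; }
  echo "$text" | grep -q 'CA:TRUE' \
    || { echo "$cert: Basic Constraints CA:TRUE missing"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' \
    || { echo "$cert: Key Usage keyCertSign missing"; return 1; }
  # RFC 5280 4.2.1.12: EKU normally appears only in end-entity certs; report, do not fail
  if echo "$text" | grep -q 'Extended Key Usage'; then
    echo "$cert: note: Extended Key Usage extension present on a CA certificate"
  fi
  return 0
}

# key_matches_cert KEY CERT: the key's public half must equal the certificate's SPKI
key_matches_cert() {
  key="$1"; cert="$2"
  cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
  # passphrase comes from the environment so it does not show up in `ps`
  if [ -n "${CA_KEY_PASS:-}" ]; then
    key_pub=$(openssl pkey -pubout -in "$key" -passin env:CA_KEY_PASS 2>/dev/null)
  else
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
  fi
  [ -n "$key_pub" ] || { echo "$key: cannot read key (format or passphrase?)"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "$key: does not belong to $cert"; return 1; }
  echo "$key: matches $cert"
  return 0
}

# Run all checks when invoked with a certificate and a key; exit non-zero on any failure
if [ "$#" -ge 2 ]; then
  rc=0
  pem_layout_ok "$1" || rc=1
  check_ca_cert "$1" || rc=1
  key_matches_cert "$2" "$1" || rc=1
  exit "$rc"
fi
```

If every check passes locally and the appliance still rejects the pair, the remaining difference is on the appliance side rather than in the files.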
  • Also, just in case there is a super edge case, can you try switching to English on the login screen? I have only seen one case of it, in a different part of the UI, but there was a string compare that failed if the language was not English.

  • Hello Michael,

    thanks for the suggestions.

    I have tried copy and paste. Same result unfortunately. Also my file looks exactly as you suggested.
    Inspecting the certificate and private key file on the advanced console using the openssl binary on the appliance is also working fine.
    In addition both files are correctly recognized on my linux workstation as well.

    Do you happen to know what the correct format / the format it expects might be? I couldn't find any documentation on that detail apart from it being a PEM encoded file.

    To my surprise the upload is working fine when I try to upload it under "Zertifikate" -> "Zertifikate" instead of "Zertifikate" -> "Zertifizierungsstelle (CA)".
    It recognizes the certificate and the private key with its passphrase correctly.

    But I cannot select it for decryption from there. It seems it must be uploaded under "Zertifizierungsstelle (CA)".
    I probably should also mention that I have tried updating/replacing my current sub CA with a new certificate and new key as well as adding it completely new. That's how I got the error about the certificate format being wrong, while at least to me, it looks completely fine.

    I have also tried it while switched to English but it resulted in the same behaviour.