
Custom Certificate Authority for HTTPS scanning

FormerMember

I have setup my own little personal PKI, with an offline Root CA, which is trusted by my desktop and laptop so that I can create SSL certificates whenever I'm developing websites and not have to worry about clicking through browser warnings.

I wanted to take advantage of that fact and create an Intermediate CA for Sophos XG to use for inspecting HTTPS traffic. I added the Root CA certificate (not the key!) to Sophos under Certificate Authorities and then generated the private key for the Intermediate CA and the corresponding certificate using OpenSSL. I configured the certificate to be valid from 2016-01-01 00:00:00 GMT to 2036-12-31 23:59:59 GMT, and those dates are correctly recognized by the webadmin interface under "Certificate Authority".

However, when I go to the Web Protection settings page and select this Intermediate CA, I get a message saying that the "certificate has either expired or is not yet valid". When I go ahead and ignore that message, apply the settings, and refresh the page, the message changes to "Your certificate has expired or is now invalid and so the HTTPS scanning uses the Default Certificate "SecurityAppliance_SSL_CA"".

Any ideas about what might be happening here?



  • Check your Intermediate CA certificate and Root CA certificate extensions. I have found XG to be strict about it.


    Look at a snippet from my config:

    [ v3_ca ]
    # CA profile: CA:TRUE plus the signing usages, marked critical, is what a
    # strict verifier looks for on both a root and an intermediate.
    basicConstraints = critical,CA:TRUE
    subjectKeyIdentifier = hash
    keyUsage = critical,keyCertSign,cRLSign

    [ v3_server ]
    # End-entity profile. digitalSignature is needed next to keyEncipherment
    # so the certificate also works with ECDHE cipher suites.
    basicConstraints = CA:FALSE
    keyUsage = critical,digitalSignature,keyEncipherment
    extendedKeyUsage = serverAuth
    nsCertType = server
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    # AIA and CRL pointers must be full URIs, including the scheme.
    authorityInfoAccess = caIssuers;URI:http://hostname.domain.tld/ca.crt
    crlDistributionPoints = URI:http://hostname.domain.tld/ca.crl


    I haven't tried Intermediate CA though. I can do it in spare time.

    Regards,
    Slawek

  • FormerMember in reply to Slawski

    Thanks for the reply. I just checked the configuration file I'm using, and the Intermediate CA is quite similar to your Root; there are some minor differences though.

    I won't be on-site for the next two weeks to dig deeper into this, but I'll check it once I get back and post my findings here.

  • nsCertType was deprecated years ago and should not be utilized (same goes for the previous 3 EKU/oids for IPsec). EKU ServerAuth is the EKU/oid that should be utilized.

    SilverStone DS380 | AsRock C2750D4I | Alienware 18 In Win Chopin | SuperMicro A1SRi-2758F
    2.4gHz 8C C2750 ; 32GB ECC | 2.5gHz 4C i7 4710MQ ; 32GB 2.4gHz 8C C2758 ; 32GB ECC
    Vantec 4C USB3 PCIe UGT-PCE430-4C | 8GB AMD SLI R9 M290x |
    SSD  | 850 EVO: 120GB | 1TB ; mSATA: 1TB (2) | 850 Pro: 128GB ; 850 EVO: 1TB
    HDD | Seagate: { ST4000VN000 (8) } Z2 ; { HGST HTS721010A (3) } Z2 |
    FreeNAS 11.2 | { PNY Turbo USB3 32GB (2) } Mirror | Win 10 Pro | ESXi 6.7: Sophos UTM 9.6

    Various Wikis, Scripts, & Configs | Prebuilt OpenSSL Config

  • Unless Sophos changed this in XG from UTM, Sophos does not accept the usage of Intermediate CAs. I know with 100% certainty Sophos does not accept Intermediate CA and certs for VPN usage, as it prevents the router from authenticating the client.

    • Someone with more experience than I will need to confirm whether or not Intermediate CAs and certs are allowed for the Proxy, as although I tried XG, until all features of UTM are ported over it was more of a hindrance.

    In the meantime, please post your Openssl.cnf.
