Adding a Windows Server CA to the CA List

Question

Hi All 
 I am new to XG and having certificate issues. 
 I want to be able to add my own Windows Server Certificate Authority to the XG. The Windows CA is the root for my environment. I have used the Windows Server CA web admin to download the CA certificate, however I cannot get the XG to accept the certificate no matter what option I use. I get this error " Certificate Authority could not be uploaded ". 
 I am also having trouble importing commercial host certificates (DigiCert), including certificates that used a CSR created on the XG. I have tried to update their CA certificates but have the same issue as with the Windows CA. 
 I have tried all manner of certificate formats, without luck. It is like the whole certificate service is broken, or I don't have the correct rights to perform certificate functions. All the different certificates I have tried all import into Windows and Linux hosts are appear to work fine. 
 I am using version XG 16.01.0 running in Hyper-V. 
 Can anyone please advise. 
 Thanks in advance

Sandy Millar · Accepted Answer

Thanks for all those folks that responded to my question. 
 Now here is something interesting. I noted in an unrelated posting that someone was having trouble updating firmware, with a response that the issue could be related to Firefox. The same browser I have been using. I thought, what the heck and tried the certificate upload with Chrome, and it worked. This strongly suggests that there is an issue with XG WebAdmin and Firefox. 
 Thoughts anyone? 
 Thanks again 
 Sandy Millar

lferrara · Answer

Strange! I added CA on 16.01.1 with no issue. 
 Make sure that CA includes both public and private key. Have a look at this KB: 
 https://community.sophos.com/products/xg-firewall/f/vpn/75396/godaddy-ssl-certificate-for-user-portal 
 Regards

Steve Neetz · Answer

Another issue I just resolved trying to do this, be sure that the CA is in DER (binary-encoded) format, not CER (Base64 encoded, the way most certs come from support pages for public CAs!). CER encoding will give the same mysterious "Certificate Authority could not be uploaded". 
 
 Sophos, maybe add CER support to the CA import option?

Patryk Dobrowolski · Answer

Admins, Mods, whoever is reading this thread. There is a must that you should follow, certificate should have .crt extension and private key should be .key I've tried several times to import with no luck, with erros like " Attached certificate authority is invalid. Please choose a valid certificate authority. " And the resolution was like above, to change extension, maybe a good idea is to add .pem extension to js validation in web form, or whatever is necessary.