Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 5 subscribers
  • Views 1070 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Protection Signing CA not working

Thomas Schachtner

Hi there,

my self-signed signing CA used for my proxy server is expiring in some days.

This certificate was generated on the UTM some years ago.

As we now have our own PKI in place, i wanted to generate a CA by that PKI system.

I thought I had everything configured correctly (e.g. CA:true), but after importing the new p12 file, it is not possible anymore to access the Internet via the proxy server.

I am not sure, why...

The only thing that is different to the previous certificate is the key length. It used to be 1024 bit, but now is 2048.

Could this be the issue? If not, what else? Any ideas?

(I know this is not very much information, but the certificate is quite similar to the UTM's created three years ago or so...)

 

Best regards

Tom



This thread was automatically locked due to age.
Parents
  • 0

    Hi Tom,

    What configuration is your PKI, is it a multi tier "Root > Subordinate" PKI or do you just have a "Root" CA?

    Emile

  • 0 in reply to Emile Belcourt

    Hi Emile,

     

    I have a multi tier setup:

    - There's a root CA which issued a signing CA

    - The signing CA signs all certificates

    - The signing CA also signed the certificate/key pair for the Sophos signing CA

     

    I'm not in the office anymore today, but I think I have found out what my mistake could be.

    I still have to import the CA certificate of the Sophos signing CA to the browsers. I hoped I could have one set of certificates (i.e. the root CA certificate and the signing certificate) imported into the browsers and all the different Sophos signing CAs we have in every branch would then be automatically recognized.

    I'll try that tomorrow morning.

    Just in case this is the reason why it currently does not work: Is there a way to configure the system in this way:

    - One root CA certificate is installed on all the browsers (and maybe the PKI's signing CA certificate as intermediate CA, too)

    - This PKI system issues many PKCS#12 files - one for each UTM in our branches

    - all the https sites encrypted by the UTMs using those keys/certificates can be verified WITHOUT having to import the CA certificate for every UTM in every browser of every employee...

     

    Best regards,

    Tom

  • 0 in reply to Thomas Schachtner

    Hi Tom,

    When I have tried doing this before I have had to generate another signing CA from the Root because I had left the pathlength as default meaning that the PKI only had a length of 1 which means you could only have a single extra level. If I tried going another level deep like yourself with Root > Signing > UTM > Signed cert it would fail and the UTM would throw its toys out the pram.

    I would recommended signing another subordinate CA from your Root CA instead of from your current subordinate.

    Tbh, I did this about 3 years ago and things get fuzzy three weeks ago!

    Emile

Reply
  • 0 in reply to Thomas Schachtner

    Hi Tom,

    When I have tried doing this before I have had to generate another signing CA from the Root because I had left the pathlength as default meaning that the PKI only had a length of 1 which means you could only have a single extra level. If I tried going another level deep like yourself with Root > Signing > UTM > Signed cert it would fail and the UTM would throw its toys out the pram.

    I would recommended signing another subordinate CA from your Root CA instead of from your current subordinate.

    Tbh, I did this about 3 years ago and things get fuzzy three weeks ago!

    Emile

Children
No Data
Unfiltered HTML