Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 4459 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to regenerate X509 cert because the CA being used is expired and I cannot delete

Joe Reed

So we are going to be wanting to use SSL VPN on our UTM, but I'm having issues getting it to work.  Looks as though all the X509 certs are expired and I cannot regenerate.  So I tried to create a new one, but once a new one is created, it is set as expired.

After further investigation, I'm seeing that the CA being used is expired, and it looks to be a private CERT which I cannot seem to do anything with.  I cannot delete because says it is being used, but just about everything.  

Does anyone know a way to get this removed without having to reset my entire firewall?  Thank you.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    It looks like you are not using the default Sophos generated "VPN Signing CA" which normally is valid until "Jan 1 00:00:00: 2038 GMT" like your "Remote Ethernet Device CA".

    If you have that one still in place, you could change the services under "01)" to use that one. But be aware. After that I think you have to regnerate all the user certificates.

    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • 0 in reply to ThomW

    How do I go about changing those services under '01'?   I don't have any user vpn certs right now, so I want to make that change for any new Certs being created.  Currently, new certs are coming out expired.

    -Joe

  • +1 in reply to Joe Reed

    Make a full backup just in case.

    Change those 3 locations to the original "VPN Signing CA"

    1. Site-to-Site VPN -> SSL -> Advanced

    2. Site-to-Site VPN -> IPsec -> Advanced

    3. Remote Access -> L2TP over IPsec -> Global (no screenshot available)

    If this is not used enable it, change to preshared key and disable it.

    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • 0 in reply to ThomW

    Ok.  Did that, but I am still receiving expired user certificates when a new user is created on the UTM.  This is causing the SSL VPN to fail.

  • 0 in reply to Joe Reed

    Could you share a screenshot with the certificates showing "VPN Signing CA"

    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
Reply Children
Unfiltered HTML