This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Randomly CA in client SSL VPN configuration file?

In the downloaded SSL VPN client configuration file the SSL VPN CA is attached in the beginning of the file. In my world is should be the CA which has signed the SSL VPN server cert configured in the UTM. But is not! I have two UTM:s, one the first, the CA is one of my uploaded CA (without the private key) and on the other one is the CA used in the reverse web proxy server. None of them is the CA for the SSL VPN Server cert. The CA for the SSL VPN Server cert is uploaded (with private key)

In later versions of Sophos Connect, the connection fails if the provided CA is wrong in the client configuration file.

Solution: Export the correct CA as plain text. Replace the CA with the correct CA in the client config file. You can remove all CA meta data after the row "Certificate:" in the CA section since meta data it not necessarily to make a successful connection. 



This thread was automatically locked due to age.
Parents
  • Check out "Remote Access" -> "SSL" -> "Advanced" -> "Server certificate".
    The CA given there is being attached to the config file. along with the client certificate and key.
    Maybe you changed hostname, encryption protocol or anything else that requires to re-create this CA.

  • I am using a CA created outside Sophos UTM, a manually uploaded CA. 

    The problem could be related to that the uploaded VPN Server cert did not have the CA included in the file?

  • First of all it must be a CA with a key (our initial statement is not clear about this) since the server has to be able to identify itself.

    Second a st least a subset of Key usage/extended key usage mus be permitted in the cerificate to sign client certificates and establish encrypted communication. It's not required to use the prebuild certificate, you can import your own.

    I use the certificate of another Sophos cluster there to have the ability to login to different clusters using the same credentials.

Reply
  • First of all it must be a CA with a key (our initial statement is not clear about this) since the server has to be able to identify itself.

    Second a st least a subset of Key usage/extended key usage mus be permitted in the cerificate to sign client certificates and establish encrypted communication. It's not required to use the prebuild certificate, you can import your own.

    I use the certificate of another Sophos cluster there to have the ability to login to different clusters using the same credentials.

Children
No Data