This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exports Sophos UTM Private Key to decrypt tcpdump

I have done a tcpdump from the Sophos UTM (UTM is SSL intercepting all SSL traffic at the moment). I would like to analyze the traffic from one particular client so I have done a tcpdump for that IP only. I have not been able to find the private key on the UTM though that will allow me to decrypt the SSL traffic in Wireshark. Someone suggested running this command as root.

cc get_objects_filtered '$_->{type} eq "signing_ca"'

This didn't seem to do anything. Anyone know how to export the default private key?

This thread was automatically locked due to age.

0 teched_01 over 9 years ago
Sophos removed get_objects_filtered capability. See https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22514

Here is an alternative command:
cc get_objects ca signing_ca
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago
teched, that will give him all of the signing CAs. How about:
cc get_object_by_name ca signing_ca 'Proxy CA'

But why not just download the PEM or PKCS#12 from the 'HTTPS CAs' tab in 'Filtering Options'?

Cheers - Bob
PS In fact, teched is the reason that I've learned so much about cc, and he's teaching us all new things almost daily.
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 teched_01 over 9 years ago
That is a more specific command for that certificate. I was really only providing an alternative to the get_objects_filtered command.

If the ref for the Proxy CA is always REF_CaSigProxyCa then the following should also work.

cc get_object REF_CaSigProxyCa

The thread that likely originated the get_objects_filtered command in the first post: https://community.sophos.com/products/unified-threat-management/astaroorg/f/55/t/46342
Cancel
Vote Up 0 Vote Down

Cancel
0 icemonkey over 9 years ago

Thanks all. Looks like in this instance Diffie-Hellman key exchange has thwarted my efforts to MiTM [:)]
Cancel
Vote Up 0 Vote Down

Cancel