Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 3 subscribers
  • Views 9510 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

When uploading Signing CA from Widnows Domain, UTM adds three years to expiration date

TimBoggs

I have followed an online guide about adding a signing CA to the UTM from a domain controller. The certificate in question expires on 08/2016. When uploaded to Sophos, it shows an expiration of 08/2019 and prompts an error. When I try using a subordinate CA certificate, it's not picking up the Root CA in the chain and also sets an expiration of 08/2019.

Does Sophos have a detailed guide on how to generate a certificate from an internal CA that works?



This thread was automatically locked due to age.
Parents
  • 0

    Hi Tim,

    What error is prompt, can you please post a screenshot?

    By default, the Signing CA certificate is created according to the information provided during setup, i.e. it is consistent with the information on the Management > System Settings > Organizational tab—unless there have been any changes applied since. Please post the link to the document you referred to upload Signing CA.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    The problem is that we are using web ad blocking and using the Sophos self-generated cert results in a security warning on sites that have ads delivered via https. The self-generated cert is not trusted. Per Sophos documentation, I either have to install the Sophos cert on all computers or put an Internal domain cert on the UTM.

    I found this article addressing the issue: https://drashna.net/blog/2015/03/an-exercise-in-frustration-setting-up-web-filter-certificates-in-sophos-utm/

    Very detailed instructions, but when I try to import the existing cert to "Web Filter Protection > Filtering Options > HTTPS CAs > Signing CA > Upload"  I get this message:

    Certificate validity period is longer than 39 months and may not be accepted by all browsers.

    It allows me to install the certificate. When I browse to a site with ads and check the certificate, it reports that the expiration date is 08/2019, while the certificate that I used has an expiration date of 08/2016. Other details on the cert appear to be correct.

Reply
  • 0 in reply to sachingurung

    The problem is that we are using web ad blocking and using the Sophos self-generated cert results in a security warning on sites that have ads delivered via https. The self-generated cert is not trusted. Per Sophos documentation, I either have to install the Sophos cert on all computers or put an Internal domain cert on the UTM.

    I found this article addressing the issue: https://drashna.net/blog/2015/03/an-exercise-in-frustration-setting-up-web-filter-certificates-in-sophos-utm/

    Very detailed instructions, but when I try to import the existing cert to "Web Filter Protection > Filtering Options > HTTPS CAs > Signing CA > Upload"  I get this message:

    Certificate validity period is longer than 39 months and may not be accepted by all browsers.

    It allows me to install the certificate. When I browse to a site with ads and check the certificate, it reports that the expiration date is 08/2019, while the certificate that I used has an expiration date of 08/2016. Other details on the cert appear to be correct.

Children
  • +1 in reply to TimBoggs

    Ends up that the date issue was a red herring.

    Following are the high level steps I used to get this working in a Windows PKI environment:

    1. Generate a Certificate Signing Request using IIS

    2. Submit the CSR to your Domain Root CA as the Subordinate Certificate Authority type and download the CER file.

    3. Download the Root CA certificate from your Domain Root CA

    4. Complete the certificate request in IIS manager and export as PFX file with password.

    5. Upload the Root CA CER file downloaded in step 3 to the UTM Local Verification CAs list.

    6. Upload the UTM CER file created in step 2 to the UTM Local Verification CAs list.

    7. Upload the UTM PFX file created in step 4 as the Signing CA on the UTM.

    Basically, this completes the certificate chain for the UTM to issue new certs. The new certs still have an expiration date three years out, but browsers don't seem to mind. The piece I was missing was uploading the first CER file created that was used to generate the PFX. I thought that file would be rolled into the PFX and would not require a separate upload.

  • 0 in reply to TimBoggs

    Thanks Tim!  I know this an old thread but your info helped me get mine setup using our internal CA as well.  I did have one issue which I also wanted to point-out in case anyone else runs into it.   At first it wasn't working because the UTM kept appending our domain name onto each certificate name.  So, for instance, if I went to www.blah.com, It would make the certificate name www.blah.com.ourdomain.com, which wouldn't match and would throw up an error.   It turns out I had the "Search Domain" field set to our domain (it's located on the "Misc" tab of Filtering Options) and this was causing it, even though it shouldn't as it's supposed only append your search domain when it's a non-fqdn name.

    Thanks again!

Unfiltered HTML