This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What are the ramifications of renewing a wildcard SSL certificate on a UTM 9

I have a wildcard SSL cert being used on at least one of my UTM 9s that will expire next month. I am looking at the cert in Webserver Protection > Certificate Management and my only option is to delete it. When I look at where used I see ...

Used in these configurations:
  Management → WebAdmin Settings → HTTPS Certificate
  Remote Access → Cisco™ VPN Client → Global
 
Used by these objects:
01) Webserver Protection → Web Application Firewall → Virtual Webservers → Web Store
 
  This object is unused.
02) Remote Access → Cisco™ VPN Client → Global → for VPN Users to CDE (Network)
 
  Remote Access → Cisco™ VPN Client → Global

We do not use the Cisco VPN client anywhere but my concern would be SSL Client remote access (which I assume uses their own individual SSL certificates generated when they were provisioned).

So a couple of questions.

  1. What is the least disruptive way to renew my wildcard certificate?
  2. What might break after the renewal?

Note that this is a simple renewal - no new CSR and nothing being rekeyed.



This thread was automatically locked due to age.
Parents
  • It looks like the only place you need to worry about, Kipland, is the certificate selection in your "Web Store" Virtual Webserver.  From whom did you purchase your wild card cert?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • It looks like the only place you need to worry about, Kipland, is the certificate selection in your "Web Store" Virtual Webserver.  From whom did you purchase your wild card cert?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Hey Bob -- you can call me Kip. Feel like we are old friends here now.

    The wildcard cert was purchased and recently renewed at GoDaddy for 2 more years (no more 3 year certs from them). I don't think the webstore virtual webserver is even really used (before my time on that config) since we use HAProxy for all load balancing and reverse proxy. My concern is that I don't accidentally lock myself out of web admin or require any changes to local SSL Remote Access or any IPsec tunnels. I also need to keep the UserPortal going (although I have it locked down only to specific remote networks). I'm also way behind on the firmware updates on that one because it's the primary firewall for one of our colocated environments and has not been down for awhile. It's a SG310 running 9.413-4 and has been up now for 405 days.

    I do see the webstore virtual server is on, though, and agree that I must update the cert there so my question really is the correct process. I assume I must delete the existing cert as there is no other option. All my certs are in full PEM format (cert, chain certs, private key) and I see I must upload new certs in PKCS12 format (PEM say's cert only). Should the PKCS12 file contain everything in the PEM file or just the cert and key? I see all of the CA certs under the Certificate Authority Tab but not sure if they were each extracted from the PEM, converted to PKCS12, and uploaded separately. I'm just used to creating a single PEM file with everything in it and uploading to each of my HAProxy servers for SSL offloading.

    1. I assume doing this will NOT affect any SSL Remote access certificates as those are unique to each remote access user and think they use the Sophos self-signed CA.
    2. I assume doing this will NOT affect any IPsec configurations as these don't use SSL/TLS.
    3. I'm hoping this will not affect the User Portal since I see no HTTPS configuration relevant to that specifically.
    4. I assume this WILL affect WebAdmin as it currently uses the wildcard certificate and CA certificates.
    5. I assume this WILL affect Webserver Protection and the Webstore virtual server but the SSL configuration is centralized there anyway.
  • Hey back, Kip!

    1. & 2. - Correct

    3. User Portal and WebAdmin use the same cert.  If you have the expiring cert selected on the 'HTTPS Certificate' tab, selecting the new cert there solves the problem for both.

    4. Yes, I see that now.

    5. Again, just select the new cert in "Webstore."

    A PKCS#12 includes the cert and the CA, in the UTM, a PEM can include only one.  You might be able to upload only the cert PEM if the new cert uses the same CA as the expiring one.  I'm not familiar with HAProxy, but it sounds like it handles uploading certs in a different way.  Concatenating cert, intermediate CA, CA and private key is done before using OpenSSL to create a PKCS#12 file that the UTM can upload.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA