Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 0 subscribers
  • Views 31491 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Certificate error when uploading to Sophos Email Appliance

SGICT

Hi,

I've got a .pem certificate to upload to the Sophos Email Appliance. When i try to upload it, it errors with

"Invalid Chain Cert".

It is a UC Certificate from Comodo. I've tried uploading trust certificate authority but it says its already there or duplicated.

The .pem file contains the certificate AND the private key that was generated from another server.

Looking within the .pem I can see the intermediate certificate.

This certificate was originally generated by Exchange 2010, ive exported it as .pfx and then used OpenSSL to convert it to .pem.

If I didnt do that process then the .pfx was rejected by Sophos as invalid certificate.

Any help or pointers would be great

:25933


This thread was automatically locked due to age.
  • 0

    FIXED

    If you have a UC Certificate (Unified Communications) for Exchange 2010 and wish to use this in your Sophos Email Appliance then here's what you need to do:

    **Sophos don't support UC Certificates at time of writing, so any issues and you're on your own and I take no liability/warranty on this.**

    1) Goto your Exchange server where you created the CSR and installed the certificate - usually this is your first CAS server

    2) Goto "MMC", add the snap-in of "Certificates (Local computer)"

    3) Within that, goto Personal Store and you should see your UC Certificate (make sure it has a little key in the icon)

    4) Right click, "All Tasks", "Export".

    5) Export the Certificate
    6) Click next to the start of the wizard

    7) Click "Yes, export the private key"

    8) Leave it as "Personal Information Exchange - PKCS #12 (.pfx) and do not tick any of the sub items else this causes Sophos box to error.

    9) Give it a password

    10) Give it a file name

    11) Click "Finish"

    Now on your computer on the same network

    12) Install OpenSSL Light by Shining Productions - you may need to follow their guide on installing that.

    13) Fire up CMD in elevated mode - dont have too but for the sake of ruling out issues.

    14) Load OpenSSL by going to the directory and type "OpenSSL"

    15) Copy to your local machine the exported certificate and key that you've just done

    15) Enter the following command

    pkcs12 -in [PATH of Exported certifcate] -out [Path of destination of new certificate] -nodes

    E.g. pkcs12 - in c:\exported.pfx -out c:\converted.pem -nodes

    16) It'll ask for the password when you exported it

    17) It'll report "MAC verified OK"

    18) Goto your Sophos Appliance portal and upload the certiticate in System -> Certificates.

    19) That's it!

    Note on SPX Encryption Portal

    To get the UC Certificate working you need too

    1) Now goto Policy -> Encryption -> Portal (Configure).

    2) Because its a UC Certificate then it is likely Sophos box will choose the first entry in the certificate which might not be the one you want. Simply click "Specify a custom hostname:" and type in the desired address/entry in your certificate to use for the SPX Portal.

    That should now use the correct entry when visitors come to your portal.

    :25963
  • 0

    I am having this exact same issue, i have tried the same steps above, but still getting the cert chain error....

    any ideas?

    :35885
  • 0

    i managed to sort this out after sophos support asked how i was importing the intermediate cert, IE the .pem file included the cert, inter, and root cert. So i edited the .pem file with wordpad and removed the last 2 cert sections, leaving just the 1st cert in, and saved the file. I then imported this into the es1000 and it worked fine. 

    the issue i think is because the es1000 by default had the same root cert as what was included in my .pem file!

    :35897
  • 0

    We have a wildcard cert we'd like to use with our ES1000.  Will this process work the same or is there another manner in which to use the wildcard?

    :42730
Unfiltered HTML