26 June 2014

Sophos UTM - How to generate a CSR (Certificate Signing Request), sign and install an official X509v3 certificate

Log in to the appliance via SSH and do the following:

Switch the directory:

cd /home/login

Create the OpenSSL config file:

cat /etc/ssl/openssl.cnf |grep -v SUBJECT_ALT_NAME > ./openssl.config


Generate the CSR:

openssl req -config ./openssl.config -new -newkey rsa:2048 -out www.domain.com.csr

Enter the certificate password twice (min 8 chars).
Enter the requested information when prompted by the generation script (country, dept, etc.).


When the procedure is complete, open the generated file:

vi /home/login/www.domain.com.csr

Copy and paste the CSR code to the certification authority interface.

To verify your CSR use this tool:


Convert the certificate to a PKCS12 chain in order to import everything (private and public keys) into the Sophos box:

openssl pkcs12 -export -out certificateexportfile.pfx -inkey privkey.pem -in casignedcertificate.crt -certfile carootcertificate.crt

privkey.pem is the private key file in /home/login,
casignedcertificate.crt is the public certificate file signed by your CA,
carootcertificate.crt is the root/intermediate certificate of your CA.

Now import the pfx file into the appliance via Webadmin - Site to Site VPN - Certificates, and select the certificate in the drop-down list under SMTP - Advanced - TLS Certificate.
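
The CSR and the key/certificate pairing can also be checked offline with openssl before the PKCS12 file is built. The script below is an added example, not part of the original post: the function names are hypothetical, and the sample key, CSR and self-signed certificate (standing in for the CA-signed one) are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the CSR and PKCS12 steps.
# Function names are hypothetical; file names follow the post.

# SHA-256 of the public key in a CSR (req), certificate (x509) or private key (key).
# openssl asks for the passphrase when the private key is encrypted.
pubkey_digest() {  # $1 = req|x509|key   $2 = PEM file
  pem=$(case "$1" in
    (req)  openssl req  -in "$2" -noout -pubkey ;;
    (x509) openssl x509 -in "$2" -noout -pubkey ;;
    (key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1   # unknown type or unreadable file
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# True when openssl reports the CSR's self-signature as valid.
csr_signature_ok() {  # $1 = CSR file
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# True when private key, CSR and signed certificate all carry the same public key.
keypair_matches() {  # $1 = private key  $2 = CSR  $3 = certificate
  k=$(pubkey_digest key "$1") && r=$(pubkey_digest req "$2") &&
    c=$(pubkey_digest x509 "$3") || return 1
  [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Constructed samples: throwaway key and CSR, a self-signed certificate standing in
# for the CA-signed one, and an unrelated key.
make_samples() {  # $1 = work directory
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.domain.com" \
    -keyout "$1/privkey.pem" -out "$1/www.domain.com.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/www.domain.com.csr" -signkey "$1/privkey.pem" \
    -days 1 -out "$1/casignedcertificate.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

WORK=$(mktemp -d)
make_samples "$WORK"
csr_signature_ok "$WORK/www.domain.com.csr" && echo "CSR self-signature OK"
keypair_matches "$WORK/privkey.pem" "$WORK/www.domain.com.csr" \
  "$WORK/casignedcertificate.crt" && echo "key, CSR and certificate match"
keypair_matches "$WORK/other.pem" "$WORK/www.domain.com.csr" \
  "$WORK/casignedcertificate.crt" || echo "unrelated key rejected"
rm -rf "$WORK"
```

A mismatch between privkey.pem and the certificate returned by the CA shows up here, before the PKCS12 export is attempted.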

16 June 2014

How to Fix Exchange Error EventID 12014 - Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer


Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCHANGE with a FQDN parameter of mail.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.


The SMTP server is looking for a valid certificate name to use for TLS encryption.

If you do not use the Exchange Server embedded mail encryption services, you can generate a self-signed certificate for SMTP to stop the server from displaying the error messages.


Run the following command in PowerShell to create the certificate for the SMTP service.

New-ExchangeCertificate -DomainName mail.domain.public, servername.domain.local -Services SMTP


Enable-ExchangeCertificate -Services SMTP

Enter the certificate thumbprint when PowerShell asks for it.

Open the MMC and load the Certificates snap-in for the Local Computer.

Export the generated certificate without the private key from personal certificates.

Still in the same MMC, import the certificate under the folder Trusted Root Certification Authorities directly on the Exchange server.