26 June 2014
Sophos UTM - How to generate a CSR (Certificate Signing Request), have it signed and install an official X509v3 certificate
Log in to the appliance via SSH and do the following:
Switch the directory:
Create the openssl config file (a copy of the system openssl.cnf with the SUBJECT_ALT_NAME lines removed):
cat /etc/ssl/openssl.cnf |grep -v SUBJECT_ALT_NAME > ./openssl.config
Generate the CSR:
openssl req -config ./openssl.config -new -newkey rsa:2048 -out host.domain.com.csr
Type the certificate (private key) password twice when prompted (min 8 chars).
Enter the requested information (country, department, etc.) when the generation script asks for it.
When the procedure is complete, open the generated file (host.domain.com.csr):
Copy and paste the CSR contents into the certification authority's interface.
To verify your CSR use this tool:
Convert the certificate to a PKCS12 bundle so that everything (private key, signed certificate and CA chain) can be imported into the Sophos box in one step:
openssl pkcs12 -export -out certificateexportfile.pfx -inkey privkey.pem -in casignedcertificate.crt -certfile carootcertificate.crt
privkey.pem is the private key file in /home/login,
casignedcertificate.crt is the public certificate signed by your CA,
carootcertificate.crt is the root/intermediate certificate of your CA.
Now import the pfx file into the appliance via Webadmin - Site to Site VPN - Certificates, and select the certificate in the drop-down list under SMTP - Advanced - TLS Certificate.
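The following script is an added example, not part of the original post: it rehearses the same key/CSR, signing and PKCS12 export steps with a throwaway local CA standing in for the real one, and checks the CSR before it would be pasted into the CA portal and the .pfx before it would be imported into the appliance. The hostname host.example.com, the work directory and the export password are placeholders.

```sh
#!/bin/sh
# Added example (not the post's own commands): CSR -> signed cert -> PKCS#12, with checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; the post works in /home/login instead
CN="host.example.com"          # placeholder for the appliance FQDN

# 1. Key + CSR. -nodes skips the passphrase prompt the post describes; omit it for a real key.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CN" \
    -keyout "$WORK/privkey.pem" -out "$WORK/$CN.csr" 2>/dev/null
}

# 2. Local CSR check before sending it to the CA: self-signature valid, CN as expected, and
#    the public key inside the CSR really belongs to privkey.pem (otherwise the pkcs12 export
#    in step 4 will reject the pair, or the appliance will import a key that matches nothing).
csr_ok() {
  openssl req -in "$WORK/$CN.csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$WORK/$CN.csr" -noout -subject | grep -q "CN *= *$CN" || return 1
  [ "$(openssl req -in "$WORK/$CN.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/privkey.pem" -pubout)" ]
}

# 3. Stand-in for the real CA: a self-signed test root that signs the CSR for one year.
sign_with_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/carootcertificate.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/$CN.csr" -CA "$WORK/carootcertificate.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/casignedcertificate.crt" 2>/dev/null
}

# 4. The post's pkcs12 export, with a fixed export password instead of the interactive prompt.
export_pfx() {
  openssl pkcs12 -export -out "$WORK/certificateexportfile.pfx" -inkey "$WORK/privkey.pem" \
    -in "$WORK/casignedcertificate.crt" -certfile "$WORK/carootcertificate.crt" \
    -passout pass:export
}

# 5. Inspect the bundle as the appliance will see it: one private key, leaf + CA cert present,
#    and the leaf actually chains to the CA certificate shipped via -certfile.
pfx_ok() {
  pem="$(openssl pkcs12 -in "$WORK/certificateexportfile.pfx" -nodes -passin pass:export)"
  printf '%s\n' "$pem" | grep -q 'BEGIN PRIVATE KEY' || return 1
  [ "$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE')" -eq 2 ] || return 1
  openssl verify -CAfile "$WORK/carootcertificate.crt" "$WORK/casignedcertificate.crt" >/dev/null
}

run_all() { gen_csr && csr_ok && sign_with_test_ca && export_pfx && pfx_ok; }
```

Run `run_all` after sourcing the script; a non-zero exit from any step points at the stage (CSR, signing, export or chain) that needs attention before touching the appliance.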
16 June 2014
How to Fix Exchange Error EventID 12014 - Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer
Microsoft Exchange could not find a certificate that contains the domain name mail.domain.local in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector Default EXCHANGE with a FQDN parameter of mail.domain.local. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.
The SMTP server is looking for a valid certificate name to use for TLS encryption.
If you do not use Exchange Server's built-in mail encryption services, you can generate a self-signed certificate for SMTP to stop the server from logging this error.
Run the following commands in PowerShell to create the certificate for the SMTP service and enable it:
New-ExchangeCertificate -DomainName mail.domain.public, servername.domain.local -Services SMTP
Enable-ExchangeCertificate -Services SMTP
Enter the certificate thumbprint when PowerShell prompts for it.
Open the MMC and load the Certificates snap-in for the Local Computer.
Export the generated certificate without the private key from the Personal certificates store.
Still in the same MMC, import the certificate under Trusted Root Certification Authorities directly on the Exchange server.