26 June 2014

Sophos UTM - How to generate a CSR (Certificate Signing Request), have it signed and install an official X509v3 certificate

Log in to the appliance via SSH and do the following:

Switch the directory:

cd /home/login

Create the OpenSSL config file (a copy of the system config without the lines that reference SUBJECT_ALT_NAME):

cat /etc/ssl/openssl.cnf |grep -v SUBJECT_ALT_NAME > ./openssl.config


Generate the CSR:

openssl req -config ./openssl.config -new -newkey rsa:2048 -keyout privkey.pem -out www.domain.com.csr

The private key is written to privkey.pem and the request to www.domain.com.csr (the file names used in the rest of this post).

Enter the private key passphrase twice (minimum 8 characters).
Enter the requested information when the script prompts for it (country, department, etc.).


When the command completes, open the generated file:

vi /home/login/www.domain.com.csr

Copy and paste the CSR into the certificate authority's interface.

To verify your CSR, use this tool:


Convert the signed certificate into a PKCS12 bundle that also contains the private key and the CA chain, so that everything (private key and public certificates) can be imported into the Sophos box in one step:

openssl pkcs12 -export -out certificateexportfile.pfx -inkey privkey.pem -in casignedcertificate.crt -certfile carootcertificate.crt

privkey.pem is the private key file in /home/login (generated together with the CSR),
casignedcertificate.crt is the certificate signed by your CA,
carootcertificate.crt is the root/intermediate certificate file of your CA.
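As an added example (not part of the original post), a small POSIX shell script that performs the checks worth running in /home/login before the export above: that the CSR verifies and was generated from privkey.pem, that the CA-signed certificate belongs to that key, and that it chains to the CA file. The function names and the KEY_PASSIN / PFX_PASSOUT variables are assumptions; the file names are the ones used in this post.

```sh
#!/bin/sh
# Added example, not part of the original post. Each check compares the
# SHA-256 of the public key carried by the private key, the CSR and the signed
# certificate, so a certificate issued for a different key (or a CSR that was
# not generated from privkey.pem) is caught before the PKCS#12 export.
# KEY_PASSIN / PFX_PASSOUT are assumed variable names in openssl's
# -passin/-passout syntax (e.g. pass:secret); both default to stdin.

# Print the PEM public key held in a private key (pkey), CSR (req) or
# certificate (x509); fails silently if the file cannot be read.
pubkey_pem() {
    case "$1" in
        (pkey) openssl pkey -in "$2" -passin "${KEY_PASSIN:-stdin}" -pubout ;;
        (req)  openssl req  -in "$2" -noout -pubkey ;;
        (x509) openssl x509 -in "$2" -noout -pubkey ;;
        (*)    return 1 ;;
    esac 2>/dev/null
}

# SHA-256 of the DER-encoded public key; prints nothing on failure, so two
# unreadable files never compare as "equal".
pubkey_sha256() {
    pub=$(pubkey_pem "$1" "$2") || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{ print $NF }'
}

# same_pubkey TYPE1 FILE1 TYPE2 FILE2: true only if both digests exist and agree.
same_pubkey() {
    a=$(pubkey_sha256 "$1" "$2") && b=$(pubkey_sha256 "$3" "$4") \
        && [ -n "$a" ] && [ "$a" = "$b" ]
}

# The CSR's self-signature verifies (what the online CSR checker confirms).
csr_is_valid()     { openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; }
# csr_matches_key KEY CSR: the CSR was generated from this private key.
csr_matches_key()  { same_pubkey pkey "$1" req "$2"; }
# key_matches_cert KEY CERT: the CA-signed certificate belongs to this key.
key_matches_cert() { same_pubkey pkey "$1" x509 "$2"; }
# chain_verifies CERT CAFILE: the certificate chains to the root/intermediate file.
chain_verifies()   { openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'; }

# build_pfx KEY CERT CAFILE OUT: refuse to export a mismatched or unverifiable
# bundle; otherwise run the same pkcs12 export command as the post.
build_pfx() {
    key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
    chain_verifies "$2" "$3"   || { echo "$2 does not verify against $3" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -passin "${KEY_PASSIN:-stdin}" \
        -in "$2" -certfile "$3" -out "$4" -passout "${PFX_PASSOUT:-stdin}"
}
```

Run it as `KEY_PASSIN=pass:yourpassphrase PFX_PASSOUT=stdin build_pfx privkey.pem casignedcertificate.crt carootcertificate.crt certificateexportfile.pfx` after sourcing the file; the export only happens when every check passes.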

Now import the pfx file into the appliance via WebAdmin - Site to Site VPN - Certificates, then select the certificate from the drop-down list under SMTP - Advanced - TLS Certificate.
