26 June 2014

Sophos UTM - How to generate a CSR (Certificate Signing Request), get it signed and install an official X509v3 certificate

Log in to the appliance via SSH and do the following:

Change to the working directory:

cd /home/login

Create the openssl config file (a copy of the system openssl.cnf without the SUBJECT_ALT_NAME lines):

cat /etc/ssl/openssl.cnf |grep -v SUBJECT_ALT_NAME > ./openssl.config

Generate the CSR (the private key is written to privkey.pem in the current directory):

openssl req -config ./openssl.config -new -newkey rsa:2048 -out host.domain.com.csr

Type the private key passphrase twice (minimum 8 characters).
Enter the requested information when the generation script prompts for it (country, department, etc.).

 

When the procedure is complete, open the generated file:

vi /home/login/host.domain.com.csr

Copy and paste the CSR text into the certificate authority's interface.





To verify your CSR use this tool:

https://ssltools.websecurity.symantec.com/checker/



Convert the certificate to a PKCS12 bundle so that everything (private key and public certificate chain) can be imported into the Sophos box:

openssl pkcs12 -export -out certificateexportfile.pfx -inkey privkey.pem -in casignedcertificate.crt -certfile carootcertificate.crt


Where:
privkey.pem is the private key file in /home/login,
casignedcertificate.crt is the public certificate file signed by your CA,
carootcertificate.crt is the root/intermediate certificate of your CA.


Now import the pfx file into the appliance via Webadmin - Site to Site VPN - Certificates, and select the certificate in the drop-down list under SMTP - Advanced - TLS Certificate.
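The whole procedure above as one non-interactive script, added here as an example that is not from the original post: it writes its own OpenSSL config that includes a subjectAltName (the grep above removes the SUBJECT_ALT_NAME lines from the appliance's openssl.cnf, so the CSR carries no SAN unless one is added, and current browsers ignore the CN and require a SAN), generates the key and CSR, verifies the CSR signature and SAN locally instead of pasting it into a web checker, confirms the private key matches the certificate before building the .pfx, and reads the bundle back. The host name, organisation, passphrase and working directory are constructed placeholders; because no CA is involved, a self-signed certificate stands in for the CA-signed one and doubles as the -certfile chain.

```shell
#!/bin/sh
# Added example (not from the original post). All names and passwords below are
# constructed placeholders; replace them with the appliance's real values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="host.example.com"          # placeholder: the FQDN the certificate is for
PASS="pass:example-passphrase"   # placeholder: private key / .pfx passphrase

# Minimal OpenSSL config with a DNS subjectAltName, used for both the CSR and
# the stand-in certificate, instead of the stripped /etc/ssl/openssl.cnf copy.
write_config() {
  cat > "$WORKDIR/openssl.config" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
C  = IT
O  = Example Org
CN = $HOST

[ v3_req ]
subjectAltName = DNS:$HOST
EOF
}

# Generate an encrypted 2048-bit RSA key and the CSR without interactive prompts.
make_csr() {
  openssl req -config "$WORKDIR/openssl.config" -new -newkey rsa:2048 \
    -keyout "$WORKDIR/privkey.pem" -passout "$PASS" -out "$WORKDIR/$HOST.csr"
}

# Local replacement for the web checker: the CSR self-signature must verify
# and the SAN must be present.
verify_csr() {
  openssl req -in "$WORKDIR/$HOST.csr" -noout -verify \
    && openssl req -in "$WORKDIR/$HOST.csr" -noout -text | grep -q "DNS:$HOST"
}

# Stand-in for the CA-signed certificate: self-sign the CSR with the same key
# (the real certificate comes back from the CA).
sign_locally() {
  openssl x509 -req -in "$WORKDIR/$HOST.csr" -signkey "$WORKDIR/privkey.pem" \
    -passin "$PASS" -days 30 -extfile "$WORKDIR/openssl.config" \
    -extensions v3_req -out "$WORKDIR/cert.crt"
}

# Compare the public keys so the .pfx cannot pair the wrong key with the cert.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$WORKDIR/privkey.pem" -passin "$PASS" -pubout)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Build the PKCS#12 bundle the appliance imports, then read it back to be sure
# the file opens with the chosen passphrase and contains a certificate.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORKDIR/privkey.pem" -passin "$PASS" \
    -in "$WORKDIR/cert.crt" -certfile "$WORKDIR/cert.crt" \
    -out "$WORKDIR/$HOST.pfx" -passout "$PASS"
  openssl pkcs12 -in "$WORKDIR/$HOST.pfx" -passin "$PASS" -nokeys \
    | grep -q "BEGIN CERTIFICATE"
}

run_all() {
  write_config && make_csr && verify_csr && sign_locally \
    && key_matches_cert "$WORKDIR/cert.crt" && export_pfx
}

run_all && echo "CSR verified, key matches certificate, bundle at $WORKDIR/$HOST.pfx"
```

Run it on a workstation and copy only the resulting .pfx to the appliance. With OpenSSL 3.x the default PKCS#12 encryption (AES-256-CBC with PBKDF2) is not understood by some older importers; if the UTM rejects the file, re-run the export step with openssl pkcs12 -export -legacy to produce the older format.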
