Jan 14, 2015
This is a quick guide to install a custom signed certificate into a Sophos UTM device.
9 Steps total
Step 1: Prerequisites
This document assumes two things.
1. That you already have an Enterprise root CA or a standalone CA. The CA should have the web enrollment services installed.
2. You have OpenSSL installed.
TechNet on CA services:
https://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
Setting up Web Enrollment:
http://www.rickygao.com/how-to-create-a-new-certificate-template-for-ca-web-enrollment-page/
OpenSSL:
https://www.openssl.org/community/binaries.html
Step 2: Creating our Key
I will be generating a 2048-bit RSA key, encrypted with AES-256 so the key file is protected by a password.
I will navigate to my OpenSSL directory in a command prompt and type the following.
openssl genrsa -aes256 -out mykeyfile.key 2048
Type in the password and then verify the password.
Next we will create our CSR.
Step 3: Creating the CSR
Staying in the command prompt window we will use OpenSSL to generate our CSR. That command is:
openssl req -new -key mykeyfile.key -out myCSR.csr
Then type the password you entered for your key file.
You will then fill out the requested information.
Note the common name should be the IP of the device or its FQDN, whichever you are going to use to reach it.
Step 4: Generating the Certificate
Go to your AD CS web enrollment page, usually at
server/certsrv
Hit Request a new certificate.
Then Advanced certificate request.
Select your web server template to use.
Open the CSR file with Notepad (don't use MS Word).
Copy the entire contents of the file into the Saved Request box, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
Then hit Submit.
Step 5: Download Your Signed Certificate
Select Base 64 Encoded, then hit download certificate.
Step 6: Now we will make our PKCS#12 file to upload to the UTM
Copy the .cer file we just downloaded into the working directory of OpenSSL.
You will enter the following command.
openssl pkcs12 -export -in mycert.cer -inkey mykeyfile.key -out myp12file.p12
You will enter the password we used to protect our key file.
Then you will enter a new export password.
Then confirm the password.
Now we have the .p12 file to upload to the UTM.
Step 7: Upload the Certificate to the UTM
Log in to the UTM device.
Go to Site-to-Site VPN, then Certificate Management.
Hit New Certificate.
Select Upload under Method.
Set File type as PKCS#12.
Hit the file folder and browse to the .p12 file we created.
Enter the password we set when the file was created.
Then hit Save.
Step 8: Setting the Correct Web admin Certificate
Next, navigate to Management -> WebAdmin Settings -> HTTPS Certificate.
Select the new certificate we created, then hit Apply.
This should now reload the WebAdmin console.
Step 9: Confirming
If all goes well we should now have a nice green lock on our web browser instead of the annoying red X.
Hopefully this helps in getting rid of all those pesky site not trusted warnings.
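The OpenSSL side of Steps 2, 3 and 6 as one script, with a check that the issued certificate really belongs to the key and names the UTM before you upload it in Step 7. This is an added example, not from the original post: the hostname and both passwords are placeholders, and a throwaway local CA stands in for the AD CS web enrollment page so the whole flow runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 2, 3 and 6 scripted, plus a
# check of the PKCS#12 before upload.  Hostname and passwords are placeholders.
set -eu

UTM_FQDN="utm.example.internal"       # constructed; use the name you browse to
KEY_PASS="pass:ChangeMe-KeyPass"      # constructed placeholder
P12_PASS="pass:ChangeMe-ExportPass"   # constructed placeholder
WORK="${TMPDIR:-/tmp}/utm-cert.$$"

make_key_and_csr() {
    mkdir -p "$WORK"
    # Step 2: a 2048-bit RSA key, encrypted on disk with AES-256 under KEY_PASS
    openssl genrsa -aes256 -passout "$KEY_PASS" -out "$WORK/mykeyfile.key" 2048 2>/dev/null
    # Step 3: UTM name as CN and as a SAN; current browsers match only the SAN
    openssl req -new -key "$WORK/mykeyfile.key" -passin "$KEY_PASS" \
        -subj "/CN=$UTM_FQDN" -addext "subjectAltName=DNS:$UTM_FQDN" \
        -out "$WORK/myCSR.csr"
}

sign_with_stand_in_ca() {
    # Stand-in for Steps 4/5 so this runs offline; your real AD CS does this part
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$UTM_FQDN" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/myCSR.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/san.ext" -out "$WORK/mycert.cer" 2>/dev/null
}

make_p12() {
    # Step 6: bundle cert and key; P12_PASS is what the UTM asks for in Step 7
    openssl pkcs12 -export -in "$WORK/mycert.cer" -inkey "$WORK/mykeyfile.key" \
        -passin "$KEY_PASS" -passout "$P12_PASS" -out "$WORK/myp12file.p12"
}

verify_bundle() {
    # Cert must carry the key file's public key; cert inside the .p12 must list the UTM name
    cert_pub=$(openssl x509 -in "$WORK/mycert.cer" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl rsa -in "$WORK/mykeyfile.key" -passin "$KEY_PASS" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch"; return 1; }
    openssl pkcs12 -in "$WORK/myp12file.p12" -passin "$P12_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text | grep -q "DNS:$UTM_FQDN" \
        || { echo "SAN missing $UTM_FQDN"; return 1; }
    echo OK
}
make_key_and_csr
sign_with_stand_in_ca
make_p12
verify_bundle
```

The SAN entry is the one thing the interactive Step 3 does not produce; without it current browsers keep showing the warning even when the common name is right.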