Sophos UTM certificate


#1

I just want to ask about a Let's Encrypt SSL certificate.
I have a proxy, "Sophos UTM".
Sophos generates a certificate which each user has to install to avoid a "CA error".
I wonder if I can create a Let's Encrypt SSL certificate for Sophos so that, when I upload it, there will be no "CA error".
Is this possible?


#2

Depends: can you install "custom" certificates on your Sophos device? And what kind of proxy is it? Reverse? Or forward?

Because I think what is going on is the following:

You've got a forward proxy, your Sophos device. Clients trying to connect to an (HTTPS) site don't actually connect to the real server of that site, but to your Sophos. Because of HTTPS, the client requires a certificate. But your Sophos can't serve the actual certificate from the site's server, because it doesn't know the private key (this is the reason why HTTPS is secure). So your Sophos generates a certificate "on the fly" for the site in question, signed by some sort of custom root certificate from Sophos (the certificate which each user has to install). So the certificate presented to the client isn't the "real" certificate, but a custom Sophos certificate, used only for the HTTPS connection between the client and the proxy.

Unfortunately (for you), Let’s Encrypt can’t help you out in the above scenario. The whole idea of the public key infrastructure, of which Let’s Encrypt is a part, is the PROTECTION against scenarios such as described above, i.e., a “man in the middle” who can read every byte of the connection.

For a Let's Encrypt certificate to be issued, you'll need to prove you've got control over a certain domain name. If a user tries to connect, for example, to "example.com", your Sophos has to generate a certificate on the fly for that domain. That can never be a Let's Encrypt certificate, because you don't have control over a random domain on the internet.
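The following Go program is an added illustration of the mechanism the answer above describes; it is example code written for this page, not Sophos or Let's Encrypt code, and the CA names and hostnames in it are constructed. It builds a "proxy root" (the certificate each user has to install), mints a leaf certificate for a requested hostname on the fly with that root, and then runs the same check a browser would: the leaf is accepted by a client that trusts the proxy root and rejected with an unknown-authority error by a client whose trust store only contains some other CA. It goes one step beyond the text by also checking that a leaf minted for one host is rejected for a different hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds a root certificate and the private key that signs with it.
// For the interception proxy this is the root each client must install.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed root certificate (constructed for this example).
func NewCA(commonName string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// MintLeaf is the "on the fly" step: a certificate for whatever hostname the
// client asked for, signed by the proxy's own root. The proxy never has the
// real site's private key, so the leaf carries a freshly generated one.
func (ca *CA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts mimics the browser's check: does the presented leaf chain to a
// root in this client's trust store, for the host the client is connecting to?
func ClientAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "CA error" the question describes.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	proxy, _ := NewCA("Interception proxy root (constructed)")
	other, _ := NewCA("Some public CA (constructed)")
	leaf, _ := proxy.MintLeaf("example.com")
	fmt.Println("client with proxy root installed:", ClientAccepts(leaf, "example.com", proxy.Cert))
	fmt.Println("client trusting only another CA: ", ClientAccepts(leaf, "example.com", other.Cert))
}
```

Passing an explicit root pool to Verify bypasses the operating system's trust store, which is exactly what makes the second check deterministic here; a real browser consults the OS or browser store, which is why the proxy root has to be installed there before the "CA error" goes away.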

