Install a subordinate certificate authority (CA) for HTTPS inspection

Create and install a subordinate CA so that you can use one certificate across all your XG Firewall appliances for SSL/TLS scanning.

Introduction

You can use your own certificate with both the DPI engine and when using XG Firewall as a direct web proxy. The configuration steps are as follows:

  • Generate a certificate signing request (CSR).
  • Sign the CSR.
  • Convert the signed CA.
  • Upload the signed CA to XG Firewall.
  • Upload the root CA to the XG Firewall.
  • Configure the HTTPS scanning CA when using the DPI engine.
  • Configure the HTTPS scanning CA when using XG Firewall as a direct web proxy.
  • Confirm the new certificate is used for web traffic.

Generate a certificate signing request (CSR)

Specify the certificate and identification details.

When you send the CSR to a certificate authority, the CA will issue a certificate based on these details.

  1. Go to Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

    The option to generate the CSR on XG Firewall is shown below.


    Certificate signing request option on XG
  3. Specify the certificate details.

    Name

    Description

    Name

    Enter a name.

    Valid until

    Specify the certificate’s validity period.

    Key type

    Select from the following:

    • RSA
    • Elliptic curve

    Key length

    If you’ve set the key type to RSA, select the key length. It's the number of bits used to construct the key.

    Larger keys offer greater security, but it takes longer to encrypt and decrypt data.

    Curve name

    If you’ve set the key type to Elliptic curve, select the curve name.

    Do not select secp521r1 for websites and the XG Firewall web admin console. A version of Google Chrome does not support the curve on certain operating systems.

    Secure hash

    Select the algorithm from the list.

    Key encryption

    Select key encryption if you want to encrypt the private key.

    Passphrase/PSK

    If you select key encryption, enter a passphrase or a pre-shared key and reconfirm.

    Certificate ID

    Select the type of certificate ID to identify the device and specify the ID.

    • DNS: Enter the domain name. The name must resolve to the IP address in the DNS records.
    • IP address: Use this if you want to use a public IP address that you own.
    • Email: Email address of the contact person.
    • DER ASN1 DN [X.509]: Use this if you want a digital certificate.

    Example certificate detail data is shown below, you will need to enter details for your own domain.


    Certificate details
  4. Specify the following identification attributes:

    Name

    Description

    Country name

    Country in which the device is deployed.

    State

    The state within the country.

    Locality name

    Name of the city.

    Organization name

    Name of the certificate owner. Example: Sophos Group

    Organization unit name

    Name of the department to which the certificate will be assigned. Example: marketing

    Common name

    Common name or FQDN. Example: marketing.sophos.com

    Email address

    Contact person’s email address.

    Example ID attributes are shown below, you will need to enter details for your own organization.


    Identification attributes
  5. Click Save.
  6. Download the CSR using the download button.

    The download button is highlighted below.


    Download CSR option on XG

    Your downloaded CSR package should include the:

    • CSR in .csr format.
    • Private key in .key format.
    • Password in .txt format.

    The contents of the CSR are shown below, your own file names will match those entered in the certificate details section previously.


    Example CSR zip file contents

Sign the CSR

You need to create a new certificate that is signed by your root CA certificate.

  1. Sign in to the Microsoft certificate server and select Request a certificate.

    The option is highlighted below.


    Request a certificate option on server
  2. Select Advanced certificate request.

    The option is highlighted below.


    Advanced certificate request option on server
  3. Open the CSR file you downloaded from XG Firewall, and copy the complete content without any extra lines. Select Subordinate Certification Authority for your template.

    The area to paste the CSR content and the correct menu option are highlighted below.


    CSR code and menu certificate template option on server
  4. Download the certificate in DER encoded format.

    The file format and download option are highlighted below.


    Download and encoding option on server

    The downloaded certificate file will look this:


    Certificate file example
  5. Download the root CA you used to sign the certificate.

    The download option is highlighted below.


    Download certificate option on server

Upload the signed CA to XG Firewall

You need to upload the signed CA to XG Firewall to use it for HTTPS scanning.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Enter the following information:
    OptionDescription

    Name

    Enter a name for the certificate.

    Certificate file format

    Choose the format that matches the certificate.

    Certificate

    Click Browse and select the certificate file.

    Private key

    Click Browse and select the private key file downloaded as part of the CSR file. The private key is the .key file.

    CA Passphrase

    Enter the passphrase you used when creating the CSR. This can be found in the Password.txt file downloaded as part of the CSR package.

    The options you should choose are shown below, however your own file names will be different and should match what was specified when you created the CSR.


    Upload CA example
  3. Click Save.

Upload the root CA to XG Firewall

To use the recently uploaded signed CA, you must also add its root CA to the XG Firewall.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Enter a name for the certificate.
  3. For Certificate file format select PEM.
  4. For Certificate, click Browse and select your root CA.

    The options you should choose are shown below, however your own file names will be different and should match the CA you download from the certificate server.


    Certificate file format example
  5. Click Save.

Configure the HTTPS scanning CA when using the DPI engine

You need to configure HTTPS decryption and scanning to use your recently signed CA.

  1. Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
  2. Under the Re-signing certificate authorities section, select the recently signed CA for Re-sign RSA with.

    The menu options are shown below, the certificate you choose should match the one you uploaded previously.


    Menu for choosing the RSA re-signing certificate
  3. Click Apply.

Configure the HTTPS scanning CA when not using the DPI engine for web traffic scanning

  1. Go to Web > General settings.
  2. Under the HTTPS decryption and scanning section, select the recently signed CA for HTTPS scanning certificate authority (CA).

    The menu options are shown below, the certificate you choose should match the one you uploaded previously.


    Configure HTTPS scanning CA for direct proxy
  3. Select Apply.

Confirm the correct certificate is being used for web traffic

  1. Open a web browser and go to an HTTP website, such as google.com.
  2. Click the padlock icon next to the address bar and select Certificate.
  3. Select Certificate Path.

    An example certificate path is shown below.


    Browser certificate chain
    You should see your newly signed CA being used and the root CA used to sign the subordinate CA.