HTTPS CAs

On the Web Protection > Filtering Options > HTTPS CAs tab you can manage signing and verification certificate authorities (CAs) for HTTPS connections.

When you use an intermediate CA as signing CA, the UTM tries to retrieve the parents of that CA and displays the parts of the certificate chain it could retrieve, apart from the root CA.

Signing CA

In this area you can upload your Signing CA certificate, regenerate the Signing CA certificate, or download the existing Signing CA certificate. By default, the Signing CA certificate is created according to the information provided during setup, i.e. it is consistent with the information on the Management > System Settings > Organizational tab—unless there have been any changes applied since.

To upload a new Signing CA certificate, proceed as follows:

  1. Click the button Upload.

    The Upload PKCS#12 Certificate File dialog window opens.

  2. Browse for the certificate to upload.

    Click the Folder icon next to the File box, click Browse in the opening Upload File dialog window, select the certificate to upload and click Start Upload.

    You can only upload certificates in PKCS#12 format which are password protected.

    Note – Sophos UTM only supports certificates using RSA (Rivest, Shamir, & Adleman) encryption. Certificates with EC (Elliptic Curve) encryption are not supported.

  3. Enter the password.

    Enter the password twice into the corresponding fields and click Save.

    The new Signing CA certificate will be installed.
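
The upload only accepts a password-protected PKCS#12 file with an RSA key, so it helps to check the file before opening the dialog. The following PowerShell check is an added example, not Sophos code; the function name `Test-SigningCaPfx` and the file path are hypothetical, and the Basic Constraints test is a general X.509 expectation rather than something this page states.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Sophos code. Test-SigningCaPfx is a hypothetical helper name.
function Test-SigningCaPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    $problems = @()
    if ($Password.Length -eq 0) {
        $problems += 'Empty password: the upload requires a password-protected file.'
    }

    # Opening the file throws if the password is wrong or the file is not PKCS#12.
    $cert = [X509Certificate2]::new((Resolve-Path $Path).Path, $Password)
    try {
        if (-not $cert.HasPrivateKey) {
            $problems += 'No private key: a signing CA needs its key in the file.'
        }
        # 1.2.840.113549.1.1.1 = rsaEncryption; EC keys use 1.2.840.10045.2.1.
        if ($cert.PublicKey.Oid.Value -ne '1.2.840.113549.1.1.1') {
            $problems += "Key algorithm is $($cert.PublicKey.Oid.FriendlyName), not RSA."
        }
        # General X.509 expectation (not stated on the page): a CA carries CA:TRUE.
        $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
        if (-not ($bc -and $bc.CertificateAuthority)) {
            $problems += 'Basic Constraints does not mark this certificate as a CA.'
        }
        [pscustomobject]@{
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            Ok       = ($problems.Count -eq 0)
            Problems = $problems
        }
    } finally {
        $cert.Dispose()
    }
}

# Usage (the path is a placeholder):
# Test-SigningCaPfx -Path .\signing-ca.p12 -Password (Read-Host -AsSecureString 'PKCS#12 password')
```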

To regenerate your Signing CA certificate, proceed as follows:

  1. Click the button Regenerate.

    The Create New Signing CA dialog box opens.

  2. Change the information.

    Change the given information according to your needs and click Save.

    The new Signing CA certificate will be generated. The Signing CA information in the Signing CA area will change accordingly.

To download the Signing CA certificate, proceed as follows:

  1. Click the button Download.

    The Download Certificate File dialog window opens.

  2. Select the file format to download.

    You can choose between two different formats:

    • PKCS#12: This format will be encrypted, so enter an export password.
    • PEM: Unencrypted format.
  3. Click Download.

    The file will be downloaded.

If you use certificates for your internal webservers signed by a custom CA, it is advisable to upload this CA certificate to WebAdmin as Trusted Certificate Authority. Otherwise users will be prompted with an error message by the Web Filter claiming to be confronted with an untrustworthy server certificate.

To facilitate supplying client PCs with the proxy CA certificate, users can download the certificate themselves via http://passthrough.fw-notify.net and install it in their browser. The website request is directly accepted and processed by the proxy. It is therefore necessary to enable the Web Filter on the Web Protection > Web Filtering > Global tab first.

Note – In case the proxy's operation mode is not Transparent Mode the proxy has to be enabled in the users' browser. Otherwise the certificate download link will not be accessible.

Alternatively, if the User Portal is enabled, users can download the proxy CA certificate from the User Portal, tab HTTPS Proxy.

Preventing HTTPS Problems

When using HTTPS, Windows system programs like Windows Update and Windows Defender will not be able to establish connections because they are run with system user rights. However, this user, by default, does not trust the proxy CA. It is therefore necessary to import the HTTPS proxy CA certificate for the system user. Do the following:

  1. In Windows, open the Microsoft Management Console (mmc).
  2. Click on the File menu and then Add/Remove Snap-in.

    The Add or Remove Snap-ins dialog window opens.

  3. Click Add at the bottom of the window.

    The dialog window Add Standalone Snap-In opens.

  4. Select Certificates from the list and click Add.

    A wizard appears.

  5. Select Computer account and click Next.
  6. Make sure that Local computer is selected and click Finish and then Close.

    The first dialog window now contains the item Certificates (Local Computer).

  7. Click OK.

    The dialog window closes and the Console Root now contains the item Certificates (Local Computer).

  8. In the Console Root window on the left open Certificates > Trusted Root Certification Authorities, right-click Certificates and select All Tasks > Import from the context menu.

    The import dialog wizard opens.

  9. Click Next.

    The next wizard step is displayed.

  10. Browse to the previously downloaded HTTPS proxy CA certificate, click Open and then Next.

    The next wizard step is displayed.

  11. Make sure that Place all certificates in the following store is selected and click Next and Close.

    The wizard reports the import success.

  12. Confirm the wizard's message.

    The proxy CA certificate is now displayed among the trusted certificates.

  13. Save the changes.

    Click on the File menu and then Save to save the changes on the Console Root.

After importing, the CA is accepted system-wide and connection problems resulting from the HTTPS proxy should not occur.
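
The same import can be scripted for many clients. The following PowerShell function is an added example, not Sophos code: it places the certificate in the Local Computer Trusted Root store as the steps above do, and goes one step further by refusing the file unless its thumbprint matches a value confirmed out of band, since the file becomes a machine-wide trust anchor. The function name `Install-ProxyCa`, the file path and the thumbprint are hypothetical or placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not Sophos code. Install-ProxyCa is a hypothetical helper name.
# Run from an elevated session: it writes to the Local Computer store.
function Install-ProxyCa {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        # Thumbprint confirmed out of band by the UTM administrator (assumption).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $cert = [X509Certificate2]::new((Resolve-Path $CertPath).Path)

    # Refuse to trust a file whose SHA-1 thumbprint differs from the expected one.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }

    # Same target as the MMC steps:
    # Certificates (Local Computer) > Trusted Root Certification Authorities.
    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try {
        $found = $store.Certificates.Find(
            [X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
        if ($found.Count -eq 0) { $store.Add($cert) }   # idempotent on re-run
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            AlreadyThere = ($found.Count -gt 0)
        }
    } finally {
        $store.Close()
    }
}

# Usage (both values are placeholders):
# Install-ProxyCa -CertPath .\proxy-ca.pem -ExpectedThumbprint '<THUMBPRINT-FROM-ADMIN>'
```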

Verification CAs

This area allows you to manage Verification CAs. Those are Certificate Authorities you trust in the first place, i.e. websites presenting valid certificates signed by these CAs are regarded as trustworthy by the HTTPS proxy.

Local Verification CAs: You can upload Verification CAs in addition to the CA list below. Proceed as follows:

  1. Click the Folder icon next to the Upload local CA field.

    The Upload File dialog window opens.

  2. Select the certificate to upload.

    Click Browse and select the CA certificate to upload. Only PEM certificate extensions are supported.

  3. Upload the certificate.

    Click Start Upload to upload the selected CA certificate.

    The certificate will be installed and displayed in the Local Verification CAs area.

Global verification CAs: The list of Verification CAs shown here is identical to the Verification CAs pre-installed by Mozilla Firefox. However, you can disable one or all Verification CAs of the list if you do not regard them as trustworthy. To revoke a CA's certificate click its toggle switch. The toggle switch turns gray and the HTTPS proxy will no longer accept websites signed by this CA.

Tip – Click the blue Info icon to see the fingerprint of a CA.

The HTTPS proxy will present a "Blocked Content" error page to a client if the CA is unknown or disabled. However, you can create an exception for such pages: either via the Create Exception link on the error page of the Web Filter or via the Web Protection > Filtering Options > Exceptions tab.

Note – When clicking the Create Exception link on the Web Filter error page a login dialog window is presented. Only users with admin rights are allowed to create exceptions.