Lots of firewalls and web-server appliances prefer certificates in PFX format. In my case I was trying to import a .crt file into a Sophos XG Firewall with no success. This is because the interface of the system didn't allow me to easily supply the certificate, private key, and CA bundle on the import screen. Combining all these items into a single PFX file made the process much easier. I have outlined the process I followed below. I was using a Windows-based system, so step 1 may differ if you are using a different operating system; OpenSSL is available for most operating systems.
You will need:
1 - The private key that was provided to you in a zip file when you created the SSL cert at SSLS.com. You should have downloaded this txt file, contained in a zip file, during the creation process. If you do not have the private key, you will have to click the rekey and reissue button next to the certificate in your account at SSLS.com.
2 - The Certificate file (ending in .crt) that was emailed to you after you passed the validation process
3 - The Certification Authority Bundle file (ending in .ca-bundle) that was emailed to you after you passed the validation process (This should be in the same zip file as step 2)
Instructions
1 - Get OpenSSL for Windows
2 - Run the following command, changing the paths and file names to suit your requirements (the path to openssl is quoted because it contains a space)
"C:\Program Files\OpenSSL-Win64\bin\openssl" pkcs12 -export -out C:\SSL\export-MYCERTNAME.pfx -inkey C:\SSL\MYCERTNAME_key.txt -in C:\SSL\MYCERTNAME.crt -certfile C:\SSL\MYCERTNAME.ca-bundle
3 - You will be prompted for a password. Save this password; you will need to enter it again when importing the pfx file into your Sophos firewall
4 - Under the Certificates menu on the Sophos XG Firewall
- Choose PKCS12 in the drop down menu for Certificate file format
- Specify a friendly name for your certificate (I like to include the date, i.e. certname-dd-mm-yy)
- Browse to the location you exported the .pfx file
- Enter the password you saved in step 3
- Click save, wait a few moments and you should get a message saying the import process was successful
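A scripted version of steps 2 and 3 with checks around the export, as an added example that is not part of the original post: it confirms the private key belongs to the certificate (the usual cause of a failed import after a rekey and reissue), builds the PFX, and reads it back. It assumes PowerShell, the OpenSSL install path from step 2, and the same placeholder file names.

```powershell
# Added example. Paths are the placeholders from step 2; adjust to your files.
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$key     = 'C:\SSL\MYCERTNAME_key.txt'
$crt     = 'C:\SSL\MYCERTNAME.crt'
$bundle  = 'C:\SSL\MYCERTNAME.ca-bundle'
$pfx     = 'C:\SSL\export-MYCERTNAME.pfx'

foreach ($f in $key, $crt, $bundle) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing input file: $f" }
}

# 1. The public key inside the certificate must equal the one derived from the
#    private key. A mismatch usually means the key predates a rekey/reissue.
$certPub = (& $openssl x509 -in $crt -noout -pubkey) -join "`n"
$keyPub  = (& $openssl pkey -in $key -pubout) -join "`n"
if (-not $certPub -or $certPub -ne $keyPub) {
    throw 'Private key does not match the certificate; do not build the PFX.'
}

# 2. Refuse to package a certificate that has already expired.
& $openssl x509 -in $crt -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Certificate has expired.' }

# 3. The CA bundle should hold at least one certificate.
$caCount = @(Select-String -LiteralPath $bundle -Pattern 'BEGIN CERTIFICATE').Count
if ($caCount -lt 1) { throw 'No certificates found in the CA bundle.' }

# 4. Build the PFX (openssl prompts for the export password, as in step 3).
& $openssl pkcs12 -export -out $pfx -inkey $key -in $crt -certfile $bundle
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed.' }

# 5. Read the PFX back without printing keys or certificates; a wrong password
#    or a damaged file makes openssl exit with a non-zero code.
& $openssl pkcs12 -in $pfx -info -noout
if ($LASTEXITCODE -ne 0) { throw 'PFX could not be read back.' }
Write-Host "PFX ready: $pfx ($caCount CA certificate(s) included)"
```

Both the .pfx and the key file contain the private key, so store them with the same care as the password from step 3.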
You can now create web-server protection rules under Rules and Policies. When you create a firewall rule, change the action to "protect with web server protection". After ticking the "HTTPS" check box you will be able to select the SSL certificate you imported. (Note that you can edit the domains; this is how you protect multiple websites with a wildcard certificate.)
![](https://static.wixstatic.com/media/131e05_3ef3efc3fe874c9090107a9ec34d8844~mv2.png/v1/fill/w_980,h_631,al_c,q_90,usm_0.66_1.00_0.01,enc_auto/131e05_3ef3efc3fe874c9090107a9ec34d8844~mv2.png)