Sophos Web Appliance: Installing the Sophos-Generated Certificate Authority in your Users' Browsers

  • Article ID: 42153
  • Updated: 23 Mar 2012

When HTTPS scanning is enabled in the Configuration|Global Policy|HTTPS Scanning page, you must install the Sophos-generated certificate authority in your users' browsers or they will get error messages whenever they access a secure (HTTPS) site. How the Sophos-generated certificate authority is used and why it is necessary is explained in the HTTPS Scanning section of the Appendix|Appliance Behavior and Troubleshooting|HTTPS Compatibility page in the Web and Management Appliance online help.

This article describes the procedures required to install the Sophos-generated certificate authority in your users' browsers either automatically (via Active Directory Group Policy Objects) or manually. The automatic installation of the Sophos-generated certificate authority only works for users with Internet Explorer on Windows systems, so for users of Firefox or Safari browsers, and for users on non-Windows operating systems, the manual installation procedures must be followed.

The procedures included in this article are:

  • Automatically Installing the Sophos-Generated Certificate Authority
    • Installing the CA with Group Policy Using the Microsoft Management Console (MMC)
    • Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)
  • Manually Installing the Sophos-Generated Certificate Authority
    • Installing the CA in Internet Explorer on Windows
    • Installing the CA in Firefox on Windows
    • Installing the CA in Safari on Mac OS X

Automatically Installing the Sophos-Generated Certificate Authority

You can automatically install the Sophos-generated certificate authority in all of your users' browsers by creating a Group Policy Object (GPO) on your Active Directory server. This can be created by using either the Microsoft Management Console (MMC) or the Group Policy Management Console (GPMC).

Installing the CA with Group Policy Using the Microsoft Management Console (MMC)

  1. Download the Sophos-generated certificate authority by right-clicking Download a copy of the certification authority in the Configuration|Global Policy|HTTPS Scanning page and choosing the Save Target As option.
  2. Log in to your Active Directory server using a domain administrator account.
  3. Select Start|All Programs|Administrative Tools|Active Directory Users and Computers. The Microsoft Management Console (MMC) is displayed.
  4. To create a domain-wide policy, right-click on your domain root Organizational Unit (OU), which is displayed as your domain name, and select Properties from the context menu.
  5. In the <OU_Name> Properties dialog box, click the Group Policy tab.
  6. Click New, and name the policy Web Appliance Certificate Installer, and press Enter.
  7. Select the new Group Policy Object and click Edit. The Group Policy Object Editor is displayed.
  8. In the left configuration options sidebar, expand Computer Configuration|Windows Settings|Security Settings|Public Key Policies. Right-click Trusted Root Certification Authorities, and select Import from the context menu.
  9. In the Certificate Import Wizard, click Next, and in the File to Import page, click Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the WS1000-CA.cer file.
  10. With the full path to the certificate displayed in the File name field, click Next.
  11. Accept the default option, Place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the certificate on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing happens every 90 to 120 minutes at randomized times. Rebooting the client machines will force the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, opening Tools|Internet Options|Content|Certificates|Trusted Root Certification Authorities, and ensuring that the Sophos Web Appliance certificate is present.


Installing the CA with Group Policy Using the Group Policy Management Console (GPMC)


The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of an MMC snap-in and a set of programmable interfaces for managing Group Policy.

  1. Download the Sophos-generated certificate authority by right-clicking Download a copy of the certification authority in the Configuration|Global Policy|HTTPS Scanning page and choosing the Save Target As option.
  2. Log in to your Active Directory server using a domain administrator account.
  3. Select Start|All Programs|Administrative Tools|Group Policy Management. The Group Policy Management Console (GPMC) is displayed.
  4. To create a domain-wide policy, right-click on your domain root Organizational Unit (OU), which is displayed as your domain name, and select Create and Link a GPO Here from the context menu. The New GPO dialog box is displayed.
  5. In the Name field of the New GPO dialog box, enter a meaningful name for the policy object, such as Sophos-Generated Certificate Installer.
  6. Right-click the new Group Policy Object, Sophos-Generated Certificate Installer, on the right side of the window, and select Edit from the context menu. The Group Policy Object Editor is displayed.
  7. In the left configuration options sidebar, expand Computer Configuration|Windows Settings|Security Settings|Public Key Policies, right-click Trusted Root Certification Authorities, and select Import from the context menu.
  8. In the Certificate Import Wizard click Next, and in the File to Import page, click Browse and navigate to where you downloaded the certificate authority on your local system, and double-click the WS1000-CA.cer file.
  9. With the full path to the certificate displayed in the File name field, click Next.
  10. Accept the default option, Place all certificates in the following store (Trusted Root Certification Authorities), click Next, and then click Finish and OK.

You have now created the Group Policy Object to install the certificate on all the computers in your domain. The new policy may not take effect immediately on all client machines. By default, the background synchronization processing only happens every 90 to 120 minutes (at randomized times). Rebooting the client machines will force the synchronization.

You can check that the Group Policy has propagated to all computers in the domain by opening Internet Explorer on a workstation PC, opening Tools|Internet Options|Content|Certificates|Trusted Root Certification Authorities, and ensuring that the Sophos Web Appliance certificate is present.
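Instead of clicking through Tools|Internet Options on each workstation, the same check can be scripted. The following PowerShell is an added example and is not part of the Sophos article: it loads the downloaded CA file, confirms it is a self-signed root, pins it to the thumbprint you recorded when you downloaded it from the appliance, forces a Group Policy refresh, and then looks for that exact certificate in the machine-wide Trusted Root store. The file path and the thumbprint placeholder are assumptions; replace them with your own values.

```powershell
# Added example, not from the Sophos article.
# Assumptions: $CaFile is where you saved the appliance download;
# $ExpectedThumbprint is the SHA-1 thumbprint you recorded from that
# download (placeholder below, replace it with your own value).
$CaFile = 'C:\certs\WS1000-CA.cer'
$ExpectedThumbprint = '<THUMBPRINT-FROM-YOUR-APPLIANCE>'

# Load the downloaded certificate so its properties can be compared against the store.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaFile

Write-Host "Subject    : $($fileCert.Subject)"
Write-Host "Thumbprint : $($fileCert.Thumbprint)"
Write-Host "NotAfter   : $($fileCert.NotAfter)"

# A root CA certificate is self-signed (issuer equals subject); stop if this file is not.
if ($fileCert.Subject -ne $fileCert.Issuer) {
    throw "$CaFile is not a self-signed root CA certificate"
}

# Pin on the thumbprint recorded from the appliance so a wrong or altered file is caught
# before it is trusted by every workstation in the domain.
if ($ExpectedThumbprint -ne '<THUMBPRINT-FROM-YOUR-APPLIANCE>' -and
    $fileCert.Thumbprint -ne $ExpectedThumbprint) {
    throw "Thumbprint mismatch: file has $($fileCert.Thumbprint), expected $ExpectedThumbprint"
}

# Force a computer-policy refresh rather than waiting 90 to 120 minutes or rebooting.
gpupdate /target:computer /force | Out-Null

# Look the certificate up by thumbprint in the machine-wide Trusted Root store,
# which is the store the GPO's Public Key Policies import writes to.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $fileCert.Thumbprint }

if ($installed) {
    Write-Host "OK: Sophos CA is present in LocalMachine\Root"
} else {
    Write-Warning "Sophos CA not found in LocalMachine\Root; run 'gpresult /r' to confirm the GPO is applied to this computer"
    exit 1
}
```

Run it in an elevated PowerShell session on a workstation that is a member of the domain. A thumbprint match against the store is a stronger check than the subject name alone, because it proves the workstation trusts exactly the CA the appliance generated and not some other certificate with a similar name.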

Manually Installing the Sophos-Generated Certificate Authority

The following three procedures describe the manual methods for installing the Sophos-generated certificate authority in Internet Explorer, Firefox, and Safari browsers.

Installing the CA in Internet Explorer on Windows


If you want the users in your network to manually install the Sophos-generated certificate authority in their Internet Explorer browsers, have them use the following procedure. This procedure assumes that you, the network administrator, have already downloaded the certificate authority from the appliance by right-clicking Download a copy of the certification authority in the Configuration|Global Policy|HTTPS Scanning page and choosing the Save Target As option, and that you have published it to an internal web server or file share. This procedure also assumes that your users have sufficient access privileges to install the certificate on their local systems.

  1. Obtain the Sophos-generated certificate authority file, WS1000-CA.cer, using whichever of the following options that your network administrator has indicated that you should use.
    1. Download the CA from the web server indicated by your network administrator:
      1. Using Internet Explorer, go to the URL that your network administrator has indicated is the location of the certificate file.
      2. In the File Download window, click Open.
    2. Download the CA from the shared file server indicated by your network administrator:
      1. Go to the shared file server where your network administrator has indicated that the certificate file is located, and double-click the WS1000-CA.cer certificate file. The Certificate window is displayed.
    Note: If the Open File - Security Warning dialog is displayed, click Open.
  2. Click Install Certificate.
  3. In the Certificate Import Wizard window click Next.
  4. In the Certificate Store window, select Place all certificates in the following store and then click Browse.
  5. In the Select Certificate Store window, select "Trusted Root Certification Authorities" and click OK.
  6. In the Certificate Store window, the Certificate store: shows Trusted Root Certification Authorities. Click Next then click Finish.
  7. In the Security Warning window, click Yes to install the certificate.
  8. The Certificate Import Wizard will notify you that "The import was successful." Click OK to finish.
  9. Exit Internet Explorer and restart it.

Installing the CA in Firefox on Windows


If you want the users in your network to manually install the Sophos-generated certificate authority in their Firefox browsers on Windows, have them use the following procedure. This procedure assumes that you, the network administrator, have already downloaded the certificate authority from the appliance by right-clicking Download a copy of the certification authority in the Configuration|Global Policy|HTTPS Scanning page and choosing the Save Target As option, and that you have published it to an internal web server or file share. This procedure also assumes that your users have sufficient access privileges to install the certificate on their local systems.

  1. Obtain the Sophos-generated certificate authority file, WS1000-CA.cer, using whichever of the following options that your network administrator has indicated that you should use.
    1. Download the CA from the web server indicated by your network administrator:
      1. Using Firefox, go to the URL that your network administrator has indicated is the location of the certificate file. The Downloading Certificate window is displayed.
      2. In the File Download window, click Open.
    2. Download the CA from the shared file server indicated by your network administrator:
      1. Open Firefox, select File|Open File.
      2. Navigate to the WS1000-CA.cer certificate file and select it.
      3. Click Open. The Downloading Certificate window is displayed.
  2. In the Downloading Certificate window, select the Trust this CA to identify web sites option.

    Important: If you do not follow this step, you will have to manually delete an improperly installed Sophos-generated certificate authority. (See also: Sophos Web Appliance: Failure to Click "Trust this CA to identify web sites." in Mozilla Firefox.)
  3. Click OK to install the certificate.

Installing the CA in Safari on Mac OS X


If you want the users in your network to manually install the Sophos-generated certificate authority in their Safari browsers on Mac OS X, have them use the following procedure. This procedure assumes that you, the network administrator, have already downloaded the certificate authority from the appliance by right-clicking Download a copy of the certification authority in the Configuration|Global Policy|HTTPS Scanning page and choosing the Save Target As option, and that you have published it to an internal web server.

  1. Obtain the Sophos-generated certificate authority file, WS1000-CA.cer, by downloading it and saving it to your local drive.
  2. Double-click the file or drag and drop it on top of the Keychain Access icon in the Applications|Utilities folder. The Add Certificate window is displayed.
  3. In the Keychain option, select login and click OK.

 
If you need more information or guidance, then please contact technical support.
