Sophos UTM can now automatically request and renew certificates from Let's Encrypt. This function is particularly useful for web server protection (WAF). The certificate for the various WAF services is thus managed by the UTM and renewed accordingly before it expires.
I have already received several requests from people who would like to use the WAF certificate for other internal services. Most of the requests are of course related to Exchange servers. The Exchange URLs were configured with the same host name, so the WAF certificate would also be valid on the internal Exchange server. Here is an example of the Exchange configuration:
In this case, UTM Webserver Protection is also configured to the host name "mail.frankysweb.de":
Connections from the Internet are routed to the Exchange server using Sophos UTM WAF. Internally, the IP of the Exchange server is resolved directly using DNS Split Brain. In this case, it is also possible to use the Sophos WAF certificate for Exchange (or other services).
In order for the Let's Encrypt certificate of the UTM to be used for other services, it must first be exported from the UTM. This can be done manually via the GUI:
However, Let's Encrypt certificates are only valid for 90 days, so manual export from the UTM and import to the respective internal target systems is usually not a practical option. However, this process can be automated using the Sophos REST API and a small script.
Here is a small example of a PowerShell script that retrieves a certificate via Sophos REST API and converts it into a PFX file (see explanation of the script below):
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
param( [Parameters(Position=0, Mandatory=$true)] $UTMAddress = "utm.domain.local", [Parameters(Position=1, Mandatory=$true)] [string]$UTMApiToken = "xxXXxxxxXXXXXXXXXX", [Parameters(Position=2, Mandatory=$true)] [string]$CertREF = "REF_0815abcd", [Parameters(Position=3, Mandatory=$false)] [string]$OpenSSLPath = "C:\Program Files (x86)\OpenSSL\bin\openssl.exe", [Parameters(Position=4, Mandatory=$false)] [string]$PFXFilePath = $PSScriptRoot )#Set TLS Settings (Only TSLv1.1 and TLSv1.2)[System.Net.ServicePointManager]::SecurityProtocol = @("Tls12","Tls11","Tls")#Build Credentials$securePassword = ConvertTo-SecureString $UTMApiToken -AsPlainText -Force$credential = New-Object System.Management.Automation.PSCredential("token", $securePassword)#UTM API Call to get certificate and private key$UTMAPICall = "https://$UTMAddress" + ":4444/api/objects/ca/host_key_cert/$CertREF"try { $UTMCertResponse = Invoke-RestMethod -Method GET -Uri $UTMAPICall -Credential $credential }catch { write-error "Error getting certificate from UTM" exit }#Write private key and certificate to temp filestry { $TempCertFile = "$env:temp\" + $CertREF + ".cer" $TempKeyFile = "$env:temp\" + $CertREF + ".key" $UTMCertResponse.certificate | set-content $TempCertFile $UTMCertResponse.key | set-content $TempKeyFile }catch { write-error "Error writing temp files" exit } #Build PFX File from certificate and keytry { $PFXFileNameAndPath = "$PFXFilePath" + "\" + "$CertREF" + ".pfx" . $OpenSSLPath pkcs12 -export -in $TempCertFile -inkey $TempKeyFile -out $PFXFileNameAndPath -password pass:$UTMApiToken remove-item $TempCertFile -force remove-item $TempKeyFile -force }catch { write-error "Error building PFX File" } |
The script requires a few parameters to work. The parameter "UTMAddress" should be clear. The connection to the REST Api works via API token (UTMApiToken), the token can be created in the WebAdmin of the UTM:
The REF ID of the certificate is required so that the corresponding certificate can be retrieved by the UTM. The REF ID can be found in the "Let's Encrypt" live log, for example:
The following entry from the live log shows a renewal process and the corresponding REF ID of the certificate (blue box):
The Sophos REST API provides the private key and the certificate. This example script generates a PFX file so that Windows systems can do something with it. The conversion to the PKCS12 format (PFX file) is carried out using OpenSSL. OpenSSL must therefore be present on the computer and the corresponding path to the EXE must be passed (OpenSSLPath). OpenSSL for Windows can be downloaded here:
The PFX file can in turn be imported onto Windows target systems and used for Exchange and IIS Server, for example.
The PFXFilePath parameter can be used to specify the path for the exported certificate in PKCS12 format. The password for the PFX file corresponds to the UTMApiToken.
Here is an example of how to call the script:
Importing or assigning the certificate to the target system is not part of this script. However, with a little PowerShell know-how, the script is easy to extend.
If you are interested in an automated export and import for Exchange Server, please leave a short comment.
Note 15.07.19A version for export and import for WAF and Exchange Server can be found here:
Sophos UTM: Export WAF certificate using PowerShell (Exchange version)