My statement above is factually inaccurate, which I learned about a week ago while learning how to fully utilize
via cli. You can verify the speed of encryption/decryption on your hardware by issuing the command
[which can be run more granularly as well]. More likely than not, the Sophos hardware will be far faster at processing the encryption/decryption requests. This is also an extremely helpful command in determining what digest and encryption method to use (anything lower than RSA1024/AES128/SHA256 should not be utilized).
I also chose to build my own openssl.cnf from scratch to allow for a more cohesive learning experience. I've included it here to make it easier for anyone wishing to utilize their own certs and CAs. I've also included the 5 commands you'll need to utilize at the bottom of the file, as well as uploaded the config to
##::[[--- Windows OpenSSL Config ---]]::##
# For *nix/bsd users:
# Use notepad to change all backslashes " \ " to forward slashes " /". You
# may also wish to utilize lowercase only, and if you choose to utilize
# spaces in cert names, ensure you utilize the proper break format,
# i.e. "./Sophos\ UTM\ CA.crt"
# For Sophos users:
# Prior to generating user certs, ensure you change "x509_extensions = usr_cert_dn"
# to "usr_cert_not_dn" This should result with "RFC822 Name = user email"
# in the SubjectAlternativeName of the final user.crt/user.pem details.
# Without this, it will be impossible to authenticate to VPNs on Sophos
#####################################################################
##----- Establish working directory -----##
#####################################################################
# Root for every $dir reference below. "." is the directory openssl is run
# from, so the commands at the bottom assume you start in the folder that
# holds this file, the CA files and the index/serial/crlnumber files.
dir = .
#####################################################################
##----- Establish CA Profile and Policy -----##
#####################################################################
# Base name shared by the CA certificate, key and CRL file names ($sophos).
# NOTE(review): OpenSSL resolves $name first in the current section and then
# in its default section; a section literally named "default" is that
# section, which is why $sophos is reachable from [ CA_default ] like $dir.
[ default ]
sophos = Sophos UTM CA
# Entry point read by "openssl ca": names the section that holds its settings.
[ ca ]
default_ca = CA_default
#####################################################################
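[ CA_default ]
# Paths use forward slashes and no quotes on purpose. The OpenSSL config
# parser treats a backslash as an escape character, so "$dir\Certs" loses
# its separator, and "$" is taken literally inside a quoted value, so the
# quoted "$dir\$sophos.crt" forms never expanded. OpenSSL on Windows
# accepts forward-slash paths, so the same file now works on *nix as well.
# Issued certificates are written here, one file per serial number.
certs = $dir/Certs
new_certs_dir = $dir/Certs
# Text database of issued certificates (format described at the bottom).
database = index
# NOTE(review): RANDFILE is only honoured by older OpenSSL releases; harmless
# where it is ignored.
RANDFILE = $dir/rand
# Next serial number, hex, one line (see "Prerequisites" below).
serial = serial
crldir = $dir/CRL
crlnumber = crlnumber
# NOTE(review): "crl" appears unused by "openssl ca" (the CRL command below
# passes -out explicitly); kept for reference.
crl = $crldir/$sophos.crl
# CRL validity in days
default_crl_days = 3650
# Extensions added to CRLs made with "openssl ca -gencrl". Without this line
# nothing referenced [ crl_ext ] and CRLs were issued without it.
crl_extensions = crl_ext
# Expanded names contain spaces ("./Sophos UTM CA.crt"); that is fine, an
# unquoted value runs to the end of the line.
certificate = $dir/$sophos.crt
private_key = $dir/$sophos.key
# Validity of issued certificates in days (10 years)
default_days = 3650
default_md = sha512
# preserve = no: the subject DN is rebuilt from the policy section only
preserve = no
# Extension profile for certificates signed by "openssl ca" (see the Sophos
# note in the header about switching to usr_cert_not_dn for VPN users)
x509_extensions = usr_cert_dn
# "copy": extensions present in the CSR are added, but an extension already
# set in the x509_extensions section is not overridden, so basicConstraints
# CA:FALSE there still wins. Review CSRs before signing all the same.
copy_extensions = copy
# Allow re-issuing a certificate for a subject already in the index
unique_subject = no
policy = policy_match
name_opt = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt = ca_default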
#####################################################################
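[ policy_match ]
# DN rules applied by "openssl ca": "match" fields must equal the CA's own
# DN, "supplied" must be present, "optional" may be present. A DN field that
# is not listed here is dropped from the issued certificate (preserve = no),
# so localityName is listed: the DN prompts default it and the index-file
# example at the bottom expects /L= to be kept.
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional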
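# Alternative policy (commonName optional). Nothing in this file selects it;
# use "openssl ca -policy policy_supply" to apply it.
[ policy_supply ]
# DN fields not listed here are dropped from the issued certificate, so
# localityName is listed to keep /L= as in the index-file example below.
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = match
commonName = optional
emailAddress = optional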
#####################################################################
##----- Establish Certificate Options -----##
#####################################################################
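[ req ]
# Key size used when "req" generates a key and -newkey is not given
default_bits = 2048
# Only used when -keyout is not given; every command below passes -keyout
default_keyfile = private.key
# Encrypting the generated key is req's default even with this line
# commented out; only "-nodes" on the command line (or encrypt_key = no)
# turns it off. Uncomment to make the intent explicit.
# encrypt_key = yes
default_md = sha256
# Encode DN strings as UTF8String only
string_mask = utf8only
utf8 = yes
distinguished_name = req_distinguished_name
attributes = req_attributes
# Extensions added to CSRs (-reqexts overrides)
req_extensions = v3_req
# Extensions used for self-signed certificates made with "req -x509"
# (-extensions overrides)
x509_extensions = v3_ca
# NOTE(review): copy_extensions is a [ ca ] setting, not a "req" one; it
# looks unused here but is kept unchanged.
copy_extensions = copy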
#####################################################################
[ req_distinguished_name ]
# Prompt text, limits and defaults for each DN field, grouped per field.
# Fields are prompted in the order they appear here; the *_min, *_max and
# *_default entries are looked up by name and are never prompted.
countryName = Country
countryName_min = 2
countryName_max = 2
countryName_default = US
stateOrProvinceName = State
stateOrProvinceName_default = State
localityName = Locality
localityName_default = Locality
# "0." prefix allows several organizationName entries to be prompted
0.organizationName = Organization
0.organizationName_default = Sophos UTM
organizationalUnitName = Organizational Unit
organizationalUnitName_default = LAN
commonName = Common Name
commonName_max = 64
emailAddress = Email
emailAddress_max = 64
#####################################################################
##----- Establish SubjectAltName Profiles -----##
#####################################################################
# SANs for the ASRock C2750D4I board (referenced by [ v3_asrock ]); the names
# suggest the IPMI port and the two NICs. IP SANs must be the literal
# addresses clients connect to.
[ alt_asrock ]
IP.1 = 192.168.2.4
IP.2 = 192.168.2.5
DNS.1 = C2750D4I-IPMI
DNS.2 = C2750D4I-eth0
DNS.3 = C2750D4I-eth1
# SANs for the FreeNAS host (referenced by [ v3_freenas ]): two addresses
# and the names clients use for each interface.
[ alt_freenas ]
IP.1 = 192.168.2.13
IP.2 = 192.168.2.130
DNS.1 = Free.NAS
DNS.2 = FreeNAS.igb0
DNS.3 = FreeNAS.igb1
# SANs for the OpenWRT router (referenced by [ v3_openwrt ])
[ alt_openwrt ]
IP.1 = 192.168.2.2
DNS.1 = OpenWRT.WRT1900
# SANs for the ownCloud instance (referenced by [ v3_owncloud ])
[ alt_owncloud ]
IP.1 = 192.168.2.150
DNS.1 = OwnCloud.FreeNAS
# SANs for the Sophos UTM itself (referenced by [ v3_sophos ]).
# DNS.2 looks like a placeholder; replace it with the real DDNS host name
# before issuing, since clients verify the name they connect to.
[ alt_sophos ]
IP.1 = 192.168.2.1
DNS.1 = SophosUTM
DNS.2 = your.ddns.com
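# SANs for the SuperMicro IPMI interface (referenced by [ v3_supermicro ]).
# Header spacing normalised to match the other alt_* sections (OpenSSL
# trims it either way).
[ alt_supermicro ]
IP.1 = 192.168.2.3
DNS.1 = SuperMicro.IPMI
DNS.2 = SuperMicro-IPMI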
# SANs for the VPN server certificate (referenced by [ v3_vpnserver ]).
# DNS.1 looks like a placeholder; replace it with the real DDNS host name
# that remote clients connect to.
[ alt_vpnserver ]
IP.1 = 10.0.0.1
DNS.1 = your.ddns.com
# CSR attributes. Everything is commented out, so requests carry no
# challengePassword; uncomment the three lines to be prompted for one
# (4 to 20 characters).
[ req_attributes ]
# challengePassword =
# challengePassword_min = 4
# challengePassword_max = 20
#####################################################################
##----- Establish Default Certificate Profiles -----##
#####################################################################
# CRL extensions. NOTE(review): nothing in [ CA_default ] references this
# section (no crl_extensions = crl_ext), so unless that line is added or
# -crlexts crl_ext is passed, "openssl ca -gencrl" issues CRLs without it.
[ crl_ext ]
issuerAltName = issuer:copy
authorityKeyIdentifier = keyid:always,issuer:always
# Default profile for user certificates signed by "openssl ca"
# (x509_extensions in [ CA_default ]); no SAN, the DN alone identifies the user.
[ usr_cert_dn ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): keyAgreement is meant for DH/ECDH keys; with the RSA keys the
# commands below generate it has no practical effect - confirm before pruning.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
# Limits the cert to client authentication and S/MIME
extendedKeyUsage = clientAuth, emailProtection
# User-certificate profile for Sophos VPN users: identical to usr_cert_dn
# plus an email SAN copied from the request DN (the "RFC822 Name" the
# header says Sophos requires). Select it via x509_extensions in [ CA_default ].
[ usr_cert_not_dn ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# email:copy takes the emailAddress from the subject DN
subjectAltName = email:copy
# NOTE(review): keyAgreement is meant for DH/ECDH keys; with RSA keys it has
# no practical effect - confirm before pruning.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = clientAuth, emailProtection
#####################################################################
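# Profile for the self-signed root made with "req -x509" (x509_extensions in
# [ req ], or -extensions v3_ca). RFC 5280 requires basicConstraints to be
# critical in CA certificates and expects a CA key to be restricted to
# signing certificates and CRLs, so both are marked critical here.
[ v3_ca ]
# pathlen:0 - this CA may only issue end-entity certificates
basicConstraints = critical, CA:TRUE, pathlen:0
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# Limits the CA key to issuing certificates and CRLs; it cannot be used as
# a TLS or client key
keyUsage = critical, keyCertSign, cRLSign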
# Default extensions for CSRs (req_extensions in [ req ]). Only -reqexts
# replaces it for a CSR; "-extensions" affects "req -x509" output, so the
# request command at the bottom still produces a CSR with this section and
# relies on the signing step to apply the device profile.
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
#####################################################################
##----- Establish Custom Certificate Profiles -----##
#####################################################################
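# Server certificate for the ASRock board; SANs come from [ alt_asrock ].
[ v3_asrock ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_asrock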
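# Server certificate for the FreeNAS host; SANs come from [ alt_freenas ].
# Header spacing normalised to match the other profiles.
[ v3_freenas ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_freenas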
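# Server certificate for the OpenWRT router; SANs come from [ alt_openwrt ].
[ v3_openwrt ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_openwrt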
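# Server certificate for ownCloud; SANs come from [ alt_owncloud ]. This is
# the profile the example Request/Sign commands at the bottom use.
[ v3_owncloud ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_owncloud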
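# Server certificate for the Sophos UTM itself; SANs come from [ alt_sophos ].
[ v3_sophos ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_sophos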
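# Server certificate for the SuperMicro IPMI; SANs come from [ alt_supermicro ].
[ v3_supermicro ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Limits the cert to TLS server use, as [ v3_vpnserver ] already does; a
# certificate without an EKU is not restricted to any purpose.
extendedKeyUsage = serverAuth
subjectAltName = @alt_supermicro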
# Server certificate for the VPN endpoint; SANs come from [ alt_vpnserver ].
# The only device profile that already limits itself to serverAuth.
[ v3_vpnserver ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
# NOTE(review): keyAgreement is meant for DH/ECDH keys; with RSA keys it has
# no practical effect - confirm before pruning.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_vpnserver
#####################################################################
#--------------------------------------------------------------------
##----- OpenSSL Commands -----##
#--------------------------------------------------------------------
#####################################################################
#--- Prerequisites ---#
# Create "serial" file: echo 00 > serial
# Create "crlnumber" file: echo 00 > crlnumber
# Create "index" file, leave blank
# Create "rand" file, leave blank
# encrypt_key is currently commented out; it is recommended to set it to
# yes for any use other than a web server, VPN server, etc.
# Provided you utilize the SubjectAltName section, the Common Name is not
# required to be the IP/DNS, and can be whatever name you wish it to be
#####################################################################
#--------------------------------------------------------------------
#####################################################################
#--- Generate CA ---#
# openssl req -x509 -new -sha512 -nodes -days 3650 -extensions v3_ca -newkey rsa:4096 -keyout ".\Sophos UTM CA.key" -out ".\Sophos UTM CA.crt" -config .\openssl.cnf
#--- Generate CRL Cert ---#
# openssl ca -config .\openssl.cnf -gencrl -keyfile '.\Sophos UTM CA.key' -cert '.\Sophos UTM CA.crt' -out '.\Sophos UTM CA.crl.pem'
#--- Convert CRL Cert to DER CRL ---#
# openssl crl -inform PEM -in '.\Sophos UTM CA.crl.pem' -outform DER -out '.\Sophos UTM CA.crl'
#--- Request ---#
# openssl req -out '.\OwnCloud.csr' -new -days 3650 -sha256 -newkey rsa:2048 -keyout '.\OwnCloud.key' -config .\openssl.cnf -extensions v3_owncloud
#--- Sign ---#
# openssl x509 -req -sha256 -days 3650 -in '.\OwnCloud.csr' -CA '.\Sophos UTM CA.crt' -CAkey '.\Sophos UTM CA.key' -CAserial .\serial -out '.\OwnCloud.crt' -extfile .\openssl.cnf -extensions v3_owncloud
#--- Export ---#
# openssl pkcs12 -export -out '.\OwnCloud.p12' -inkey '.\OwnCloud.key' -in '.\OwnCloud.crt' -certfile '.\Sophos UTM CA.crt'
#####################################################################
#--------------------------------------------------------------------
#####################################################################
##---- Index File -----##
#--------------------------------------------------------------------
# If you wish to maintain the index file automatically, you'll need to
# use "openssl ca" to sign certs.
# You can manually maintain the index file, by inputting 1 cert entry
# per line in the following format:
# V 251201090544Z 0a unknown /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
# 1 2-----------> 4-> 5-----> 6--------------------------------------------------------------------------------------------------->
# 1. V [Valid] R [Revoked] E [Expired]
# 2. Expiration Date [Format: YYMMDDHHMMSS followed by "Z"]
# 3. Revocation Date [(Empty if not revoked) Format: YYMMDDHHMMSSZ,reason]
# 4. Serial # [0a is hex for 10]
# 5. unknown [Certificate filename or literal string "unknown"]
# 6. Distinguished Name
#--------------------------------------------------------------------
#####################################################################
##----- Key Usage -----##
#--------------------------------------------------------------------
#--- digitalSignature ---#
# Certificates with this flag set can be used to apply a digital signature.
# Digital signatures are often used for entity authentication and data
# origin authentication with integrity.
#--- nonRepudiation ---#
# Certificates with this flag set can be used to sign data as above but the
# certificate public key may be used to provide non-repudiation services
# preventing the signing entity from falsely denying some action.
#--- keyEncipherment ---#
# Certificates with this flag set may be used by the subject to encrypt a
# symmetric key which is then transferred to the target, decrypted, and
# subsequently used to encrypt and decrypt data sent between the two entities.
#--- dataEncipherment ---#
# Certificates with this flag set can be used by the subject to encrypt and
# decrypt actual application data.
#--- keyAgreement ---#
# Certificates with this flag set enable the subject to use a key agreement
# protocol, such as Diffie-Hellman, to establish a symmetric key with a target
# that may then be used to encrypt and decrypt data sent between the two entities
#--------------------------------------------------------------------
#####################################################################