Certificate on the UTM
Out of the box, Sophos UTM will generate self-signed certificates for many functions, such as for the Web proxy signing CA. We would like to use our internal PKI infrastructure, consisting of a W2K16 Enterprise RootCA, because its certificate is trusted automatically by all Windows clients in the domain, so there is no need to distribute other certificates, e.g. by GPO.
For the webadmin console we used a certificate signed by this RootCA and that works without problem. Because we use SSL scanning, we want the web proxy Signing CA to be an intermediate CA of our RootCA. I have generated the certificate and installed it as the certificate for the Signing CA. The installation shows no problem and certificates for websites for which we use SSL scanning are perfectly generated, but the intermediate certificate of the web proxy signing CA is not included in the chain. Because the chain is broken, the certificates generated on the fly are not trusted.
This website https://community.sophos.com/kb/en-us/115592 suggests this setup should work, but it doesn't.
I did install the RootCA certificate as a local Verification CA. I see that other users are reporting the same problem: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/108203/signing-certificate-loses-chain-when-imported/387030?pi2349=3. I'm really looking for a fix for this to work.