Skip to content

Get a certificate

The ZTNA gateway needs a wildcard certificate. You can get this certificate by using one of the following:

  • Let's Encrypt.
  • OpenSSL.

Note

You need to know the domain that you'll use for your gateway.

Get a certificate using Let's Encrypt

To get a certificate using Let's Encrypt and the Certbot client, do as follows:

  1. Sign in to the DNS Provider that hosts your gateway domain.
  2. Install Certbot on your device.

    Note

    Certbot doesn’t validate the web server. Instead, it validates domain ownership with a DNS TXT entry.

  3. Enter the following commands to get a certificate and to change to the domain that ZTNA is deployed on.

    sudo certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    --domain *.domain.com
    

    Certbot returns the TXT record you need and waits.

  4. Add the TXT record to the DNS provider and wait three to five minutes.

  5. Return to Certbot and press Enter to validate your domain ownership.

Certbot generates a certificate and key to be uploaded to Sophos Central. For more information, see https://letsencrypt.org/getting-started/

Get a certificate using SSL

To get a certificate by using Open SSL with your chosen certificate authority (CA), do as follows:

  1. Go to a device with a command-line version of OpenSSL or install it.
  2. Create a Certificate Signing Request (CSR) template text file.

    You'll use this template to generate the CSR and private key.

    Example

    [req]
    default_bits=4096
    prompt=no
    default_md=sha512
    req_extensions=req_ext
    distinguished_name=dn
    
    [dn]
    C=UK
    ST=Oxfordshire
    L=Oxford
    O=ExampleCo
    OU=Example
    emailAddress=admin@example.com
    CN=ztna.example.com
    
    [req_ext]
    subjectAltName=@alt_names
    
    [alt_names]
    DNS.1=*.example.com
    
  3. Run the command below. In this example, ztna.key is the name of the key and ztna.csr is the name of the CSR. mytemplate.txt is the name of the CSR template.

    Example

    opensslreq -newkey rsa:4096 -sha512 -nodes -keyout ztna.key -new -out ztna.csr 
    -config mytemplate.txt
    
  4. Have your ztna.csr signed by your chosen CA and download a Base64 encoded version of the signed certificate from them.

    The steps to do this depend on your CA. Look for their instructions online.

  5. Put your new ztna.key and the signed certificate in a location you can access when using Sophos Central to set up your gateway.

Back to top