Get a certificate
The ZTNA gateway needs a wildcard certificate. There are different ways to get the certificate, as follows:
- You can generate a Let's Encrypt certificate from Sophos Central. The certificate generation process is automated, and we manage and renew the certificate for you.
- You can manually generate a certificate using SSL or Let's Encrypt. You must manage and renew the certificate. See Get a Certificate using SSL and Get a certificate using Let's Encrypt.
Note
You need to know the domain that you'll use for your gateway.
Generate a Let's Encrypt certificate from Sophos Central
You can generate a Let's Encrypt certificate from Sophos Central.
Note
If you use Certificate Authority Authorization (CAA) records on your DNS server, you must add a specific CAA record for the Let's Encrypt certificate authority. This CAA record will authorize Let's Encrypt to issue certificates for your domain.
To generate a Let's Encrypt certificate, do as follows:
- In Sophos Central, go to My Products > ZTNA, and click Settings.
- Click Domains & Certificates.
- Click Add Domain.
Note
You can add a maximum of 100 domains.
- Type your domain name in the following format: example.com.
- Click Add.
We'll generate a CNAME record for that domain, which will show next to your domain name on Domains & Certificates.
- On your DNS server, add the CNAME record as the DNS record for your domain.
You must claim ownership of the domain by entering the generated CNAME record against the corresponding domain on your DNS server.
Note
You must add your domain name to the DNS record in the following format: _acme-challenge.<domain name>.
Note
Suppose you already have a DNS record for _acme-challenge.<domain name> on your DNS server with TXT records configured (this could be for other applications). In that case, you must remove those entries when Let's Encrypt certificate generation is in progress for Sophos ZTNA.
- On Domains & Certificates, click Validate.
- Confirm you've added the CNAME record to your DNS server, and click Validate.
We validate the ownership of the domain using the CNAME record you entered.
- Click Generate LE Certificate.
- Read and agree to the Let's Encrypt subscriber agreement.
This authorizes us to manage your Let's Encrypt certificates.
- Click Generate.
Certificate generation takes around 60 seconds. You can leave the page while generation is in progress.
This adds your validated domain to your Let's Encrypt certificate. The certificate is generated for all validated domains.
Note
We only generate one Let's Encrypt certificate per account. All the validated domains are a part of the generated certificate. When you add a new domain, you must re-generate the Let's Encrypt certificate.
We manage and renew the Let's Encrypt certificate on your behalf.
You can associate the Let's Encrypt certificate with an existing gateway. If you haven't added a gateway yet, you can do this later.
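The CNAME and CAA notes above are the two things that most often make Validate fail. The script below is an added example, not part of the Sophos documentation, that checks them before you click Validate. It assumes dig is installed, that EXPECTED_CNAME is the target shown next to your domain on Domains & Certificates (passed in by hand, since no Sophos value is known here), and it keeps the decision logic separate from the lookups so it can be exercised on constructed record data.

```shell
#!/bin/sh
# Added example (not from the Sophos page): pre-flight check of the DNS records the
# Let's Encrypt validation above depends on. Values passed in are assumptions.

# assess_acme_dns DOMAIN EXPECTED_CNAME CNAME_ANSWER TXT_ANSWER CAA_ANSWER
# Pure decision logic over lookup results (one record per line, as dig +short prints
# them), so it runs without network access. Prints one line per finding and returns 0
# only when the zone is ready for validation.
assess_acme_dns() {
  domain=$1; expected=$2; cname=$3; txt=$4; caa=$5
  status=0
  if [ -z "$cname" ]; then
    echo "FAIL: no CNAME record at _acme-challenge.$domain"
    status=1
    if [ -n "$txt" ]; then
      # Leftover TXT records (earlier TXT-based validation or another ACME client)
      # occupy the name; a CNAME cannot coexist with them, so they must go first.
      echo "FAIL: TXT records still present at _acme-challenge.$domain, remove them: $txt"
    fi
  elif [ "${cname%.}" != "${expected%.}" ]; then
    echo "FAIL: _acme-challenge.$domain points to $cname, expected $expected"
    status=1
  else
    echo "OK: _acme-challenge.$domain -> $expected"
  fi
  # CAA only matters when the domain publishes any CAA record: then an issue (or, for
  # wildcard names, issuewild) record must name letsencrypt.org or issuance is refused.
  if [ -n "$caa" ]; then
    if printf '%s\n' "$caa" | grep -Eq 'issue(wild)? +"letsencrypt\.org'; then
      echo "OK: CAA authorises letsencrypt.org"
    else
      echo "FAIL: CAA records exist but none authorise letsencrypt.org: $caa"
      status=1
    fi
  fi
  return $status
}

# check_acme_dns DOMAIN EXPECTED_CNAME: run the live lookups with dig and assess them
check_acme_dns() {
  assess_acme_dns "$1" "$2" \
    "$(dig +short CNAME "_acme-challenge.$1")" \
    "$(dig +short TXT "_acme-challenge.$1")" \
    "$(dig +short CAA "$1")"
}

# Usage: sh acme_preflight.sh example.com <CNAME target copied from Sophos Central>
if [ $# -eq 2 ]; then
  check_acme_dns "$1" "$2"
fi
```

Run it against the public resolver your users see rather than an internal one, since Let's Encrypt resolves from the internet; if the CNAME check passes but Validate still fails, wait for the record's TTL to lapse and run it again.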
Associate the Let's Encrypt certificate with your gateway
- Go to My Products > ZTNA, and click Gateways.
- Click your gateway's name.
- Under Domain & certificate, select Automatic (Let's Encrypt).
- Click Save.
Existing domains were validated using DNS TXT records. To generate a Let's Encrypt certificate for these domains, you must first add the domains to your DNS server in the new format.
Do as follows:
- In Sophos Central, go to My Products > ZTNA, and click Settings.
- Click Domains & Certificates.
- Click Generate LE Certificate.
- Under Add CNAME, copy the CNAME record.
- On your DNS server, add the CNAME record as the DNS record for your domain.
Note
You must add your domain name to the DNS record in the following format: _acme-challenge.<domain name>.
Note
Suppose you already have a DNS record for _acme-challenge.<domain name> on your DNS server with TXT records configured (this could be for other applications). In that case, you must remove those entries when Let's Encrypt certificate generation is in progress for Sophos ZTNA.
- Confirm you've added the CNAME record to your DNS server.
- Read and agree to the Let's Encrypt subscriber agreement.
This authorizes us to manage your Let's Encrypt certificates.
- Click Continue.
- Confirm you've added the CNAME record to your DNS server, and read and agreed to the Let's Encrypt subscriber agreement.
- Click Generate.
Certificate generation takes around 60 seconds. You can leave the page while generation is in progress.
This adds your validated domain to your Let's Encrypt certificate. The certificate is generated for all validated domains.
The existing domains and the corresponding CNAME records are displayed in the new format in the table on the Domains & Certificates page.
Note
If you have existing domains that weren't validated, you must remove and re-add them, validate them, and re-generate the Let's Encrypt certificate.
We manage and renew the Let's Encrypt certificate on your behalf.
You can associate the Let's Encrypt certificate with an existing gateway. If you haven't added a gateway yet, you can do this later.
Associate the LE certificate with your gateway
- Go to My Products > ZTNA, and click Gateways.
- Click your gateway's name.
- Under Domain & certificate, select Automatic (Let's Encrypt).
- Click Save.
Get a Certificate using SSL
To get a certificate by using OpenSSL with your chosen certificate authority (CA), do as follows:
- Go to a device with a command-line version of OpenSSL or install it.
- Create a Certificate Signing Request (CSR) template text file.
You'll use this template to generate the CSR and private key.
Example
[req]
default_bits=4096
prompt=no
default_md=sha512
req_extensions=req_ext
distinguished_name=dn
[dn]
C=UK
ST=Oxfordshire
L=Oxford
O=ExampleCo
OU=Example
emailAddress=admin@example.com
CN=ztna.example.com
[req_ext]
subjectAltName=@alt_names
[alt_names]
# The wildcard for your gateway domain goes in the SAN; clients match on SAN, not CN.
DNS.1=*.example.com
- Run the command below. In this example, ztna.key is the name of the key, ztna.csr is the name of the CSR, and mytemplate.txt is the name of the CSR template.
Example
openssl req -newkey rsa:4096 -sha512 -nodes -keyout ztna.key -new -out ztna.csr -config mytemplate.txt
- Have your ztna.csr signed by your chosen CA and download a Base64-encoded version of the signed certificate from them. The steps to do this depend on your CA. Look for their instructions online.
- Put your new ztna.key and the signed certificate in a location you can access when using Sophos Central to set up your gateway.
You can associate the certificate with an existing gateway. If you haven't added a gateway yet, you can do this later.
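The following script is an added example, not part of the Sophos documentation: it writes the CSR template from the procedure above, generates the key and CSR with the same openssl command, and then verifies the CSR before you send it to the CA, since a CSR without the wildcard SAN or a key that doesn't match the CSR is the usual reason an uploaded certificate is rejected. It assumes example.com as the base domain, ztna.<domain> as the CN, the same placeholder organisation values as the template above, and a work directory passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the Sophos page). Domain, organisation and paths are assumptions.

# make_csr_template BASE_DOMAIN OUTFILE: write the template from the procedure above
make_csr_template() {
  cat > "$2" <<EOF
[req]
default_bits=4096
prompt=no
default_md=sha512
req_extensions=req_ext
distinguished_name=dn
[dn]
C=UK
ST=Oxfordshire
L=Oxford
O=ExampleCo
OU=Example
emailAddress=admin@$1
CN=ztna.$1
[req_ext]
subjectAltName=@alt_names
[alt_names]
DNS.1=*.$1
EOF
}

# generate_csr BASE_DOMAIN WORKDIR: creates WORKDIR/ztna.key and WORKDIR/ztna.csr
generate_csr() {
  mkdir -p "$2"
  make_csr_template "$1" "$2/mytemplate.txt"
  # umask 077 in a subshell so the private key is created mode 0600 from the start
  (umask 077 && openssl req -newkey rsa:4096 -sha512 -nodes \
      -keyout "$2/ztna.key" -new -out "$2/ztna.csr" -config "$2/mytemplate.txt" 2>/dev/null)
}

# csr_has_wildcard_san CSR BASE_DOMAIN: succeeds if the SAN list contains *.BASE_DOMAIN
csr_has_wildcard_san() {
  openssl req -in "$1" -noout -text | grep -q "DNS:\*\.$2"
}

# csr_key_matches CSR KEY: compare the public keys so the pair you upload belongs together
csr_key_matches() {
  a=$(openssl req -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# Usage: sh make_csr.sh example.com ./ztna-csr
if [ $# -eq 2 ]; then
  generate_csr "$1" "$2"
  csr_has_wildcard_san "$2/ztna.csr" "$1" && echo "CSR carries *.$1"
  csr_key_matches "$2/ztna.csr" "$2/ztna.key" && echo "key matches CSR"
fi
```

Keep ztna.key on the machine that generated it until you upload it to Sophos Central, and delete working copies afterwards; the CSR itself contains no secret and can be sent to the CA freely.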
Associate the certificate with your gateway
- Go to My Products > ZTNA, and click Gateways.
- Click your gateway's name.
- Under Domain & certificate, select Upload your own certificate, and upload the certificate you just created.
- Click Save.
Certificate validity
To make sure your certificate keeps working, do as follows:
- Monitor the validity of your certificate to check whether it's configured correctly and check the expiry date.
- When your certificate is due to expire, renew it.
Get a certificate using Let's Encrypt
To get a certificate using Let's Encrypt and the Certbot client, do as follows:
- Sign in to the DNS provider that hosts your gateway domain.
- Install Certbot on your device.
Note
Certbot doesn't validate the web server. Instead, it validates domain ownership with a DNS TXT entry.
- Enter the following command to get a certificate. Change the domain to the domain that ZTNA is deployed on.
sudo certbot certonly \
  --manual \
  --preferred-challenges=dns \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos \
  --domain '*.domain.com'
Certbot returns the TXT record you need and waits.
- Add the TXT record to the DNS provider and wait three to five minutes.
- Return to Certbot and press Enter to validate your domain ownership.
Certbot generates a certificate and key to be uploaded to Sophos Central.
Associate the certificate with your gateway
- Go to My Products > ZTNA, and click Gateways.
- Click your gateway's name.
- Under Domain & certificate, select Upload your own certificate, and upload the certificate you just created.
- Click Save.
Certificate validity
To make sure your certificate keeps working, do as follows:
- Check the validity and expiry date of your certificate to make sure it's configured correctly.
- When your certificate is due to expire, renew it.
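Both "Certificate validity" sections ask you to check that the certificate is configured correctly and to watch its expiry date. The script below is an added example, not part of the Sophos documentation, of those two checks on a PEM certificate and key such as the fullchain.pem and privkey.pem that Certbot writes under /etc/letsencrypt/live/<name>/ (standard Certbot layout), or the OpenSSL-generated pair from the earlier procedure. It confirms the wildcard SAN is present, that the key matches, and whether expiry falls within a warning window; the 30-day window and the file paths are assumptions, and the self-signed certificate used for demonstration is constructed by the script itself.

```shell
#!/bin/sh
# Added example (not from the Sophos page). Paths and the warning window are assumptions.

# cert_covers CERT BASE_DOMAIN: true if the certificate's SAN list contains *.BASE_DOMAIN
cert_covers() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:\*\.$2"
}

# cert_key_matches CERT KEY: public key in the certificate equals the one derived from KEY
cert_key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# cert_expires_within CERT DAYS: true if the certificate will no longer be valid DAYS from now
# (-checkend returns 0 while the certificate is still valid at that point, so negate it)
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_cert CERT KEY BASE_DOMAIN WARN_DAYS: run all checks, print findings, return 0 if all pass
check_cert() {
  status=0
  if cert_covers "$1" "$3"; then echo "OK: covers *.$3"; else echo "FAIL: no SAN for *.$3"; status=1; fi
  if cert_key_matches "$1" "$2"; then echo "OK: key matches"; else echo "FAIL: key does not match"; status=1; fi
  if cert_expires_within "$1" "$4"; then
    echo "WARN: expires within $4 days: $(openssl x509 -in "$1" -noout -enddate)"; status=1
  else
    echo "OK: valid beyond $4 days"
  fi
  return $status
}

# make_test_cert DIR BASE_DOMAIN DAYS: constructed self-signed certificate for demonstration only
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -keyout "$1/ztna.key" -out "$1/cert.pem" -subj "/CN=ztna.$2" \
    -addext "subjectAltName=DNS:*.$2" 2>/dev/null
}

# Usage from a daily job: sh check_cert.sh /etc/letsencrypt/live/NAME/fullchain.pem \
#   /etc/letsencrypt/live/NAME/privkey.pem example.com 30
if [ $# -eq 4 ]; then
  check_cert "$1" "$2" "$3" "$4"
fi
```

A non-zero exit from check_cert is the signal to alert on; Let's Encrypt certificates run for 90 days, so a 30-day window leaves time to renew and re-upload before the gateway starts serving an expired certificate.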