Get a certificate
The ZTNA gateway needs a wildcard certificate. You can get this certificate by using one of the following:
- Let's Encrypt.
You need to know the domain that you'll use for your gateway.
Get a certificate using Let's Encrypt
To get a certificate using Let's Encrypt and the Certbot client, do as follows:
- Sign in to the DNS Provider that hosts your gateway domain.
Install Certbot on your device.
Certbot doesn’t validate the web server. Instead, it validates domain ownership with a DNS TXT entry.
Enter the following commands to get a certificate and to change to the domain that ZTNA is deployed on.
sudo certbot certonly \ --manual \ --preferred-challenges=dns \ --server https://acme-v02.api.letsencrypt.org/directory \ --agree-tos \ --domain *.domain.com
Certbot returns the TXT record you need and waits.
Add the TXT record to the DNS provider and wait three to five minutes.
- Return to Certbot and press Enter to validate your domain ownership.
Certbot generates a certificate and key to be uploaded to Sophos Central. For more information, see https://letsencrypt.org/getting-started/
Get a certificate using SSL
To get a certificate by using Open SSL with your chosen certificate authority (CA), do as follows:
- Go to a device with a command-line version of OpenSSL or install it.
Create a Certificate Signing Request (CSR) template text file.
You'll use this template to generate the CSR and private key.
[req] default_bits=4096 prompt=no default_md=sha512 req_extensions=req_ext distinguished_name=dn [dn] C=UK ST=Oxfordshire L=Oxford O=ExampleCo OU=Example emailAddressfirstname.lastname@example.org CN=ztna.example.com [req_ext] subjectAltName=@alt_names [alt_names] DNS.1=*.example.com
Run the command below. In this example,
ztna.keyis the name of the key and
ztna.csris the name of the CSR.
mytemplate.txtis the name of the CSR template.
openssl req -newkey rsa:4096 -sha512 -nodes -keyout ztna.key -new -out ztna.csr -config mytemplate.txt
ztna.csrsigned by your chosen CA and download a Base64 encoded version of the signed certificate from them.
The steps to do this depend on your CA. Look for their instructions online.
Put your new
ztna.keyand the signed certificate in a location you can access when using Sophos Central to set up your gateway.
To make sure your certificate keeps working, do as follows:
- Monitor the validity of your certificate to check whether it's configured correctly and check the expiry date.
- When your certificate is due to expire, renew it.