Get a certificate

The ZTNA gateway needs a wildcard certificate. You can get this certificate by using one of the following:

  • Let's Encrypt.
  • OpenSSL.

Note

You need to know the domain that you'll use for your gateway.

Get a certificate using Let's Encrypt

To get a certificate using Let's Encrypt and the Certbot client, do as follows:

  1. Sign in to the DNS Provider that hosts your gateway domain.
  2. Install Certbot on your device.

    Note

    Certbot doesn’t validate the web server. Instead, it validates domain ownership with a DNS TXT entry.

  3. Enter the following command to get a certificate. Replace *.domain.com with the domain that ZTNA is deployed on.

    sudo certbot certonly \
    --manual \
    --preferred-challenges=dns \
    --server https://acme-v02.api.letsencrypt.org/directory \
    --agree-tos \
    --domain *.domain.com
    

    Certbot returns the TXT record you need and waits.

  4. Add the TXT record to the DNS provider and wait three to five minutes.

  5. Return to Certbot and press Enter to validate your domain ownership.

Certbot generates a certificate and key to be uploaded to Sophos Central. For more information, see https://letsencrypt.org/getting-started/
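Step 4 tells you to wait three to five minutes for the TXT record to propagate before pressing Enter. The shell script below, added here as an example and not part of the Sophos page or of Certbot, polls a public resolver for the record name and value that Certbot printed and returns once the value is visible. It assumes the dig client is installed; the resolver address 1.1.1.1 and the function names are choices made for this example.

```sh
#!/bin/sh
# Added example: confirm the ACME DNS TXT record is visible before telling
# Certbot to validate. Requires the dig command (bind-utils / dnsutils).
set -eu

# Returns 0 if one of the TXT values in $2 (dig +short TXT output, one
# quoted string per line) equals the expected value $1.
txt_has_value() {
    expected="$1"; output="$2"
    printf '%s\n' "$output" | sed 's/^"\(.*\)"$/\1/' | grep -qxF -- "$expected"
}

# Queries a public resolver directly (assumption: 1.1.1.1), so a cached
# answer from the local resolver does not hide a record that is still missing.
lookup_txt() {
    dig +short TXT "$1" @1.1.1.1
}

# wait_for_txt NAME VALUE [ATTEMPTS]: polls every 30 s, up to ATTEMPTS times
# (default 10, i.e. five minutes), and returns 0 as soon as VALUE is published.
wait_for_txt() {
    name="$1"; value="$2"; attempts="${3:-10}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_has_value "$value" "$(lookup_txt "$name")"; then
            echo "TXT record for $name is visible; press Enter in Certbot"
            return 0
        fi
        i=$((i + 1))
        sleep 30
    done
    echo "TXT record for $name not visible after $attempts attempts" >&2
    return 1
}

# Usage: ./check_txt.sh _acme-challenge.domain.com <value printed by certbot>
if [ "$#" -eq 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it with the record name and value exactly as Certbot printed them; when it reports the record as visible, return to Certbot and press Enter.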

Get a certificate using OpenSSL

To get a certificate by using OpenSSL with your chosen certificate authority (CA), do as follows:

  1. Go to a device with a command-line version of OpenSSL or install it.
  2. Create a Certificate Signing Request (CSR) template text file.

    You'll use this template to generate the CSR and private key.

    Example
    [req]
    default_bits=4096
    prompt=no
    default_md=sha512
    req_extensions=req_ext
    distinguished_name=dn
    
    [dn]
    C=UK
    ST=Oxfordshire
    L=Oxford
    O=ExampleCo
    OU=Example
    emailAddress=admin@example.com
    CN=ztna.example.com
    
    [req_ext]
    subjectAltName=@alt_names
    
    [alt_names]
    DNS.1=*.example.com
    
  3. Run the command below. In this example, ztna.key is the name of the key and ztna.csr is the name of the CSR. mytemplate.txt is the name of the CSR template.

    Example
    openssl req -newkey rsa:4096 -sha512 -nodes -keyout ztna.key -new -out ztna.csr \
    -config mytemplate.txt
    
  4. Have your ztna.csr signed by your chosen CA and download a Base64 encoded version of the signed certificate from them.

    The steps to do this depend on your CA. Look for their instructions online.

  5. Put your new ztna.key and the signed certificate in a location you can access when using Sophos Central to set up your gateway.

Certificate validity

To make sure your certificate keeps working, do as follows:

  • Monitor the validity of your certificate to check whether it's configured correctly and check the expiry date.
  • When your certificate is due to expire, renew it.
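The shell script below is an added example, not part of the Sophos page, that ties the OpenSSL procedure above to the validity checks in this section. It writes a CSR template with the same layout as the page's example, generates ztna.key and ztna.csr with the command from step 3, checks that the CSR carries the wildcard SAN and matches the key, and then checks the issued certificate's expiry with openssl x509 -checkend. Because a real CA is not available offline, the self_sign_for_demo function signs the CSR with its own key to stand in for step 4; the example.com values, the file names and the function names are all constructed for this example, and the openssl command-line tool must be installed.

```sh
#!/bin/sh
# Added example (not the Sophos page's own script): generate the ZTNA wildcard
# key and CSR, sanity-check them, and check the certificate's remaining validity.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/ztna.key"
CSR="$WORK/ztna.csr"
CRT="$WORK/ztna.crt"
TEMPLATE="$WORK/mytemplate.txt"

# Constructed CSR template: same layout as the page's example, example.com values.
write_template() {
    cat > "$TEMPLATE" <<'EOF'
[req]
default_bits=4096
prompt=no
default_md=sha512
req_extensions=req_ext
distinguished_name=dn

[dn]
C=UK
ST=Oxfordshire
L=Oxford
O=ExampleCo
OU=Example
emailAddress=admin@example.com
CN=ztna.example.com

[req_ext]
subjectAltName=@alt_names

[alt_names]
DNS.1=*.example.com
EOF
}

# Step 3 of the OpenSSL procedure: private key and CSR in one command.
make_csr() {
    write_template
    umask 077   # the private key is created readable by its owner only
    openssl req -newkey rsa:4096 -sha512 -nodes -keyout "$KEY" -new -out "$CSR" \
        -config "$TEMPLATE" 2>/dev/null
}

# Returns 0 if the CSR ($2 omitted) or certificate ($2 = x509) carries the
# wildcard SAN; a CA that drops the SAN would leave the gateway without a usable name.
has_wildcard_san() {
    file="$1"; kind="${2:-req}"
    openssl "$kind" -in "$file" -noout -text | grep -q 'DNS:\*\.example\.com'
}

# Returns 0 if the public key inside the CSR or certificate matches ztna.key,
# so the pair you upload to Sophos Central belongs together.
key_matches() {
    file="$1"; kind="${2:-req}"
    openssl "$kind" -in "$file" -noout -pubkey > "$WORK/from_file.pub"
    openssl pkey -in "$KEY" -pubout > "$WORK/from_key.pub"
    cmp -s "$WORK/from_file.pub" "$WORK/from_key.pub"
}

# Stand-in for step 4: a CA would sign ztna.csr. Here it is self-signed with a
# short validity ($1 days) so the expiry check below has something to examine.
self_sign_for_demo() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days "$1" -sha512 \
        -extfile "$TEMPLATE" -extensions req_ext -out "$CRT" 2>/dev/null
}

# Certificate validity: returns 0 if the certificate is still valid $1 days
# from now, 1 if it expires sooner (-checkend takes seconds from now).
valid_for_days() {
    openssl x509 -in "$CRT" -noout -checkend "$(( $1 * 86400 ))" > /dev/null
}

# Stand-alone run: ./ztna_cert.sh run
if [ "${1:-}" = "run" ]; then
    make_csr
    has_wildcard_san "$CSR" && echo "CSR has wildcard SAN"
    key_matches "$CSR"      && echo "CSR matches ztna.key"
    self_sign_for_demo 20
    has_wildcard_san "$CRT" x509 && echo "certificate has wildcard SAN"
    key_matches "$CRT" x509      && echo "certificate matches ztna.key"
    if valid_for_days 30; then echo "valid for at least 30 days"; else echo "renew: expires within 30 days"; fi
fi
```

Point valid_for_days at the certificate your CA actually issued (set CRT to its path) and run it from a scheduled job: a non-zero result with a 30-day window is the cue to start the renewal described above.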