Install a subordinate certificate authority (CA) for HTTPS inspection

Create and install a subordinate CA so that you can use one certificate across all your Sophos Firewall appliances for SSL/TLS scanning.

Introduction

You can use your own certificate both with the DPI engine and when Sophos Firewall acts as a direct web proxy. The configuration steps are as follows:

  • Generate a certificate signing request (CSR).
  • Sign the CSR.
  • Convert the signed CA.
  • Upload the signed CA to Sophos Firewall.
  • Upload the root CA to Sophos Firewall.
  • Configure the HTTPS scanning CA when using the DPI engine.
  • Configure the HTTPS scanning CA when using Sophos Firewall as a direct web proxy.
  • Confirm the new certificate is used for web traffic.

Generate a certificate signing request (CSR)

Specify the certificate and identification details.

When you send the CSR to a certificate authority, the CA issues a certificate based on these details.

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

    The option to generate the CSR on Sophos Firewall is shown below.


    Certificates: Signing request option
  3. Specify the certificate details.

    Name: Enter a name.

    Key type: Select from the following options:

    • RSA
    • Elliptic curve

    Key length: If you've set the key type to RSA, select the key length. It's the number of bits used to construct the key. Larger keys offer greater security, but encryption and decryption take longer.

    Curve name: If you've set the key type to Elliptic curve, select the curve name.

    Secure hash: Select the hash algorithm from the list.

  4. Enter a common name in the Subject name attributes section.

    All other fields in this section are prefilled with the details of your license.

    Country name: Country in which the device is deployed.

    State: The state within the country.

    Locality name: Name of the city.

    Organization name: Name of the certificate owner. Example: Sophos Group

    Organization unit name: Name of the department to which the certificate will be assigned. Example: Marketing

    Common name: Common name or FQDN. Example: marketing.sophos.com

    Email address: Contact person's email address.

    Distinguished name shows a preview of the certificate's distinguished name and updates dynamically when you make changes to this section.

    Example settings for subject name attributes are shown below. You need to enter details of your own organization.


    Certificate: Subject name attributes
  5. Add subject alternative names in the Subject Alternative Names (SANs) section.

    Enter at least one SAN or a certificate ID.

    Subject alternative names (SANs) define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. You can add IPv4 and IPv6 addresses.

    Advanced settings: This section holds the Certificate ID setting, which you need to specify only for certificates that you want to use with earlier versions of Sophos Firewall.

    1. Select the type of certificate ID to identify the device and specify the ID.
      • DNS: Enter the domain name. The name must resolve to the IP address in the DNS records.
      • IP address: Use this if you want to use a public IP address that you own.
      • Email: Email address of the contact person.
      • DER ASN1 DN [X.509]: Use this if you want a digital certificate.

    Example SAN data is shown below. You need to enter details of your own domain.


    Certificate: SAN data
  6. Click Save.
  7. Download the CSR using the download button.

    Certificates: Download CSR option
    A dialog box shows the certificate request.
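Before pasting the CSR into the certificate server, it is worth checking that it really carries the key type, subject and SANs you entered in the form. The script below is an added example and is not part of this Sophos document or of the firewall's own tooling: it builds a CSR with OpenSSL on a workstation using the same kinds of fields the form collects (the DN values, the example.invalid names and the 10.0.0.1 address are constructed samples), then runs the checks you can equally run with `openssl req -text` against the CSR file you downloaded from the firewall.

```shell
#!/bin/sh
# Added example (not Sophos code): build a CSR carrying the same kind of
# subject and SAN details the firewall's form collects, then inspect the
# request before handing it to the signing CA. All names are constructed.
set -e

# Write an OpenSSL request config with subject fields and SAN entries.
# $1 = config path, $2 = common name, remaining args = SANs ("DNS:x", "IP:y")
write_req_conf() {
    conf="$1"; cn="$2"; shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n'
        printf '[dn]\nC = GB\nST = Oxfordshire\nL = Abingdon\nO = Example Org\n'
        printf 'OU = IT\nCN = %s\nemailAddress = admin@example.invalid\n' "$cn"
        printf '[ext]\nsubjectAltName = '
        sep=""
        for san in "$@"; do printf '%s%s' "$sep" "$san"; sep=","; done
        printf '\n'
    } > "$conf"
}

# Generate a key (ec = P-256, rsa = 2048 bit) and a SHA-256 signed CSR.
# $1 = working dir, $2 = ec|rsa, $3 = common name, remaining args = SANs
make_csr() {
    dir="$1"; ktype="$2"; cn="$3"; shift 3
    write_req_conf "$dir/req.cnf" "$cn" "$@"
    if [ "$ktype" = ec ]; then
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/key.pem"
    else
        openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    fi
    openssl req -new -key "$dir/key.pem" -config "$dir/req.cnf" -sha256 \
        -out "$dir/request.csr"
}

# Inspect a CSR the way you would before pasting it into the certificate
# server: self-signature valid, expected key algorithm, CN and every SAN
# present. Returns 0 if all hold, 1 otherwise.
# $1 = CSR, $2 = key algorithm as OpenSSL prints it (id-ecPublicKey or
# rsaEncryption), $3 = common name, remaining args = SANs
check_csr() {
    csr="$1"; alg="$2"; cn="$3"; shift 3
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$csr" -noout -text)
    printf '%s\n' "$text" | grep -q "Public Key Algorithm: $alg" || return 1
    printf '%s\n' "$text" | grep -q "CN *= *$cn" || return 1
    for san in "$@"; do
        # openssl -text prints IP entries as "IP Address:<addr>"
        case "$san" in
            IP:*) want="IP Address:${san#IP:}" ;;
            *)    want="$san" ;;
        esac
        printf '%s\n' "$text" | grep -q -- "$want" || return 1
    done
    return 0
}

# Run on constructed values: EC key, one DNS SAN, one IPv4 SAN.
demo_csr() {
    dir=$(mktemp -d)
    make_csr "$dir" ec proxy.example.invalid DNS:proxy.example.invalid IP:10.0.0.1
    if check_csr "$dir/request.csr" id-ecPublicKey proxy.example.invalid \
            DNS:proxy.example.invalid IP:10.0.0.1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

demo_csr && echo "CSR fields and SANs verified"
```

To check the file you downloaded from the firewall instead of the constructed one, call `check_csr` with that file, the key algorithm you selected and the CN and SANs you typed into the form; a non-zero return means the request does not match what you expect and should not be submitted.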

Sign the CSR

You need to create a new certificate that is signed by your root CA certificate.

  1. Sign in to the Microsoft certificate server and select Request a certificate.

    The option is highlighted below.


    Request a certificate option on server
  2. Select Advanced certificate request.

    The option is highlighted below.


    Advanced certificate request option on server
  3. Open the CSR file you downloaded from Sophos Firewall, and copy the complete content without any extra lines. Select Subordinate Certification Authority for your template.

    The area to paste the CSR content and the correct menu option are highlighted below.


    CSR code and menu certificate template option on server
  4. Download the certificate in DER encoded format.

    The file format and download option are highlighted below.


    Download and encoding option on server

    The downloaded certificate file will look like this:


    Certificate file example
  5. Download the root CA you used to sign the certificate.

    The download option is highlighted below.


    Download certificate option on server
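The Subordinate Certification Authority template, the DER download and the chain the browser later shows (see the final section of this page) can all be reproduced with OpenSSL. The script below is an added example and is not Sophos or Microsoft code: it stands up a throwaway root CA, signs a stand-in for the firewall's CSR with the constraints a subordinate CA needs (CA:TRUE with a path length of 0, keyCertSign and cRLSign), writes the result in DER as the certificate server does, converts it to PEM (the "convert the signed CA" step from the introduction), and then verifies both the subordinate and a site certificate re-signed by it, which is the path root > subordinate > site that the browser's Certificate Path tab displays. All names and the temporary directory are constructed samples.

```shell
#!/bin/sh
# Added example (not Sophos or Microsoft code): do with OpenSSL what the
# Subordinate Certification Authority template does on the certificate
# server, convert the DER file it hands back to PEM, and verify the path a
# browser would build. Every name and directory here is a constructed sample.
set -e

# Make a key and a CSR with a CN only. $1 = dir, $2 = basename, $3 = CN
new_key_csr() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nO = Example Org\nCN = %s\n' \
        "$3" > "$1/$2.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Throwaway self-signed root, standing in for the enterprise root CA. $1 = dir
make_root() {
    new_key_csr "$1" root "Example Root CA"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' \
        > "$1/root.ext"
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 -sha256 \
        -extfile "$1/root.ext" -out "$1/root.pem" 2>/dev/null
}

# Sign a CSR as a subordinate CA: CA:TRUE with pathlen 0 (it may issue site
# certificates but no further CAs), keyCertSign and cRLSign, written in DER as
# the certificate server delivers it. $1 = dir, $2 = CSR, $3 = DER output
sign_sub_ca_der() {
    cat > "$1/sub.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl x509 -req -in "$2" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$1/sub.ext" -outform DER -out "$3" 2>/dev/null
}

# The "convert the signed CA" step: DER (.cer) to PEM. $1 = DER in, $2 = PEM out
der_to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# Check that the subordinate chains to the root and carries the CA
# constraints it needs for re-signing. Returns 0 when all checks hold.
# $1 = root PEM, $2 = subordinate PEM
verify_sub_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$2" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE, pathlen:0' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
}

# Re-sign a site certificate with the subordinate CA, as the firewall does for
# inspected traffic, and verify the full path root -> subordinate -> site,
# which is what the browser's Certificate Path tab shows. $1 = dir
resign_site_and_verify() {
    new_key_csr "$1" site "www.example.invalid"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:www.example.invalid\n' \
        > "$1/site.ext"
    openssl x509 -req -in "$1/site.csr" -CA "$1/sub.pem" -CAkey "$1/sub.key" -CAcreateserial \
        -days 7 -sha256 -extfile "$1/site.ext" -out "$1/site.pem" 2>/dev/null
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/sub.pem" "$1/site.pem" >/dev/null 2>&1
}

# End-to-end run on constructed data. Returns 0 when the chain verifies.
demo_sub_ca() {
    dir=$(mktemp -d)
    make_root "$dir"
    new_key_csr "$dir" sub "Example Firewall HTTPS CA"   # stands in for the firewall's CSR
    sign_sub_ca_der "$dir" "$dir/sub.csr" "$dir/sub.cer"
    der_to_pem "$dir/sub.cer" "$dir/sub.pem"
    if verify_sub_ca "$dir/root.pem" "$dir/sub.pem" && resign_site_and_verify "$dir"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

demo_sub_ca && echo "subordinate CA signed, converted and chain verified"
```

Running `verify_sub_ca` against the real root and the PEM you converted from the server's download is a quick way to catch a certificate issued from the wrong template (for example a web-server template, which lacks CA:TRUE and keyCertSign) before you upload it to the firewall. The path length of 0 also limits what the firewall's key can do if it is ever exposed: it can still issue site certificates, but any further CA it signs will not be trusted by clients that honour the constraint.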

Upload the signed CA to Sophos Firewall

You need to upload the signed CA to Sophos Firewall to use it for HTTPS scanning.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.
    Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in PEM, DER, or CER format.

    The options you should choose are shown below. Your own file names will differ and should match the names you specified when you created the CSR.


    Example of uploading a CA
  3. Click Save.

Upload the root CA to Sophos Firewall

To use the recently uploaded signed CA, you must also add its root CA to Sophos Firewall.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

    The options you should choose are shown below. Your own file name will differ and should match the root CA you downloaded from the certificate server.


    Certificate file format example
  3. Click Save.

The CSR is automatically removed from the certificates list.

Configure the HTTPS scanning CA when using the DPI engine

You need to configure HTTPS decryption and scanning to use your recently signed CA.

  1. Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
  2. Under the Re-signing certificate authorities section, select the recently signed CA for Re-sign RSA with.

    The menu options are shown below. The certificate you choose should match the one you uploaded previously.


    Choose the RSA re-signing certificate
  3. Click Apply.

Configure the HTTPS scanning CA when not using the DPI engine for web traffic scanning

  1. Go to Web > General settings.
  2. Under the HTTPS decryption and scanning section, select the recently signed CA for HTTPS scanning certificate authority (CA).

    The menu options are shown below. The certificate you choose should match the one you uploaded previously.


    Configure HTTPS scanning CA for direct proxy
  3. Select Apply.

Confirm the correct certificate is being used for web traffic

  1. Open a web browser and go to an HTTPS website, such as google.com.
  2. Click the padlock icon next to the address bar and select Certificate.
  3. Select Certificate Path.

    An example certificate path is shown below.


    Browser certificate chain
    You should see your newly signed CA being used and the root CA used to sign the subordinate CA.