Generate, apply, and install the signing CA

You can generate or import a signing Certificate Authority (CA) and use it for SSL/TLS inspection and HTTPS decryption in Deep Packet Inspection (DPI) and web proxy modes.

After decrypting secure web content, Sophos Firewall encrypts the content again using certificates signed by this CA. To prevent untrusted certificate errors, you must install the signing CA on users' endpoints.

Signing CA to use

You can use one of the following options:

• Import an external CA: See Add a CA.
• Generate a CSR and generate a signing CA using a third-party CA: See Add subordinate and root CAs for TLS traffic.

• Generate subordinate CAs as signing CAs: See Active Directory Certification Services.

  Note

  When you use an external signing CA, make sure you import the subordinate signing CA and its root CA.

• Use the signing CA generated on Sophos Firewall: See Add a CA manually to endpoints.

For more details, see HTTPS decrypt and scan FAQs.

Apply and download the CA

1. Specify the decryption settings for SSL/TLS inspection (DPI mode): See Add a decryption profile.
2. Apply and download the CA for DPI and web proxy modes: See Apply HTTPS decryption.

Install the signing CA on users' endpoints

You can install the CA on the OSs or browsers of users' endpoints.

• Install remotely: You can use one of the following options:

  • Install on Windows endpoints through Active Directory Group Policy: See Deploy certificates using Group Policy.
  • Install on endpoint OSs using Mobile Device Management: See Use Sophos Mobile to install the root CA on mobile devices.

• Users install the CA manually: Email the signing CA to users or make it available on your intranet.

  Users must do as follows:

  1. Download and save the file on their endpoint.
  2. Install the saved file as follows: See Add a CA manually to endpoints.