Last update: 2022-05-24

Generate a locally-signed certificate

Sophos Firewall lets you generate locally-signed certificates. A locally-signed certificate isn't issued by a public CA, so clients show a trust warning unless the issuing CA is already installed in their trust store.

To generate a locally-signed certificate, do as follows:

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate locally-signed certificate.

    Image: Select to generate a locally-signed certificate

  3. Specify the certificate details.

    Name: Enter a name.
    Valid from, Valid until: Use the calendar buttons to specify the certificate's validity period. Default: one year.
    Key type: Select one of the following options:
    • RSA
    • Elliptic curve
    Key length: If you've set the key type to RSA, select the key length, that is, the size of the RSA modulus in bits. Larger keys are harder to break but make signing and TLS handshakes slower. Use at least 2048 bits, the minimum the CA/Browser Forum has required since 2014; 1024-bit RSA is deprecated.
    Curve name: If you've set the key type to Elliptic curve, select the curve name.
    Secure hash: Select the signature hash algorithm from the list. Choose a SHA-2 digest (SHA-256 or stronger); browsers have rejected certificates signed with SHA-1 since 2017.

    Example certificate detail data is shown below. You need to enter details of your own domain.

    Image: Certificate: Detail data

  4. Enter a common name in the Subject name attributes section.

    All other fields in this section are prefilled with the details of your license.

    Country name: Country in which the device is deployed.
    State: The state within the country.
    Locality name: Name of the city.
    Organization name: Name of the certificate owner. Example: Sophos Group
    Organization unit name: Name of the department to which the certificate will be assigned. Example: Marketing
    Common name: Common name or FQDN of the device. Example:
    Email address: Contact person's email address.

    Browsers and most other TLS clients match the host name against the subject alternative names, not the common name, so add the common name as a SAN in the next step as well.

    Distinguished name shows a preview of the certificate's distinguished name and updates dynamically when you make changes to this section.

    Example settings for subject name attributes are shown below. You need to enter details of your own organization.

    Image: Certificate: Subject name attributes

  5. Add subject alternative names in the Subject Alternative Names (SANs) section.

    Enter at least one SAN or a certificate ID.

    Subject alternative names (SANs) define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. You can add IPv4 and IPv6 addresses.

    Advanced settings: This section holds the Certificate ID setting, which you need to specify only for certificates that you want to use with earlier versions of Sophos Firewall.

    1. Select the type of certificate ID to identify the device and specify the ID.
      • DNS: Enter the domain name. The name must resolve to the device's IP address in the DNS records.
      • IP address: Use this if you want to identify the device by a public IP address that you own.
      • Email: Email address of the contact person.
      • DER ASN1 DN [X.509]: Identify the device by the certificate's X.509 distinguished name (DER-encoded).

    Example SAN data is shown below. You need to enter details of your own domain.

    Image: Certificate: SAN data

  6. Select Save to generate the locally-signed certificate.
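The wizard has no command line, but the same certificate can be produced and, more usefully, checked with openssl. The script that follows is an added example, not Sophos Firewall code: it generates a self-signed RSA/SHA-256 certificate carrying the fields from steps 3 to 5 (a stand-in for the firewall's local signer; the host names, addresses and DN values are constructed), then applies the checks a reviewer wants before deploying any locally-signed certificate: key length, signature hash, presence of SANs, that the common name is also a SAN, and that the certificate verifies only when its issuer is in the trust store. It assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example, not Sophos Firewall code. Reproduces the wizard's fields with
# openssl (1.1.1 or later, for -addext) and reviews the result. Every name,
# address and DN value below is constructed for illustration.
set -eu

# Stand-ins for the GUI fields in steps 3 to 5.
CN="fw.example.com"
SANS="DNS:fw.example.com,DNS:vpn.example.com,IP:203.0.113.10,IP:2001:db8::10"
SUBJ="/C=GB/ST=Oxfordshire/L=Abingdon/O=Example Ltd/OU=IT/CN=$CN/emailAddress=admin@example.com"
KEY_BITS=2048   # RSA key length; 2048 is the accepted minimum
DAYS=365        # validity period (the wizard's default of one year)

# make_cert DIR: write key.pem and cert.pem into DIR. The firewall signs with its
# own local CA; a self-signed certificate with the same fields stands in for that.
make_cert() {
    openssl req -x509 -newkey "rsa:$KEY_BITS" -nodes -sha256 -days "$DAYS" \
        -subj "$SUBJ" -addext "subjectAltName=$SANS" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# key_bits CERT: size of the public key in bits, as printed in the certificate text.
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# sig_alg CERT: the signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# san_list CERT: the subjectAltName values on one line (empty if the extension is absent).
san_list() {
    openssl x509 -in "$1" -noout -text |
        awk 'found { sub(/^[ \t]+/, ""); print; exit } /Subject Alternative Name/ { found = 1 }'
}

# matches_host CERT NAME: succeed only if NAME is covered by the certificate's SANs.
matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# trusted_by CERT CAFILE: succeed only if CERT chains to a certificate in CAFILE.
# Clients warn about a locally-signed certificate unless its issuer is in their
# trust store; for a self-signed certificate that issuer is the certificate itself.
trusted_by() {
    openssl verify -no-CApath -no-CAfile -CAfile "$2" "$1" >/dev/null 2>&1
}

# review_cert CERT: the checks a reviewer wants before deploying the certificate.
# Prints one PASS/FAIL line per check and returns 0 only if all pass.
review_cert() {
    cert="$1"; rc=0
    bits=$(key_bits "$cert")
    if [ "$bits" -ge 2048 ]; then echo "PASS key length $bits bits"
    else echo "FAIL key length $bits bits (RSA below 2048 bits is deprecated)"; rc=1; fi
    alg=$(sig_alg "$cert")
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            echo "PASS signature algorithm $alg" ;;
        *)  echo "FAIL signature algorithm $alg (SHA-1 or weaker is rejected by browsers)"; rc=1 ;;
    esac
    sans=$(san_list "$cert")
    if [ -n "$sans" ]; then echo "PASS SANs: $sans"
    else echo "FAIL no subjectAltName (browsers ignore the common name)"; rc=1; fi
    if matches_host "$cert" "$CN"; then echo "PASS common name $CN is also a SAN"
    else echo "FAIL common name $CN is not covered by the SANs"; rc=1; fi
    openssl x509 -in "$cert" -noout -subject -dates | sed 's/^/INFO /'
    return $rc
}

# Demo: generate into a temporary directory, review, and show the trust caveat.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_cert "$WORK"
review_cert "$WORK/cert.pem"
if trusted_by "$WORK/cert.pem" "$WORK/cert.pem"; then
    echo "INFO verifies once the certificate is in the trust store; without it, clients warn"
fi
```

Run the same review_cert against a certificate exported from the firewall (Certificates > Certificates > Download) to confirm the settings chosen in the wizard before the certificate is assigned to a service.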
