Last update: 2022-05-24

Generate a certificate signing request

You can generate a certificate signing request (CSR).

Specify the certificate and identification details.

When you send the CSR to a certificate authority, the CA issues a certificate based on these details.

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

    The option to generate the CSR on Sophos Firewall is shown below.

    Certificates: Signing request option

  3. Specify the certificate details.

    • Name: Enter a name.
    • Key type: Select from the following options:
      • RSA
      • Elliptic curve
    • Key length: If you've set the key type to RSA, select the key length. It's the number of bits used to construct the key. Larger keys offer greater security, but it takes longer to encrypt and decrypt data.
    • Curve name: If you've set the key type to Elliptic curve, select the curve name.
    • Secure hash: Select the algorithm from the list.
  4. Enter a common name in the Subject name attributes section.

    All other fields in this section are prefilled with the details of your license.

    • Country name: Country in which the device is deployed.
    • State: The state within the country.
    • Locality name: Name of the city.
    • Organization name: Name of the certificate owner. Example: Sophos Group
    • Organization unit name: Name of the department to which the certificate will be assigned. Example: Marketing
    • Common name: Common name or FQDN. Example:
    • Email address: Contact person's email address.

    Distinguished name shows a preview of the certificate's distinguished name and updates dynamically when you make changes to this section.

    Example settings for subject name attributes are shown below. You need to enter details of your own organization.

    Certificate: Subject name attributes

  5. Add subject alternative names in the Subject Alternative Names (SANs) section.

    Enter at least one SAN or a certificate ID.

    Subject alternative names (SANs) define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. You can add IPv4 and IPv6 addresses.

    Advanced settings: This section holds the Certificate ID setting, which you need to specify only for certificates that you want to use with earlier versions of Sophos Firewall.

    1. Select the type of certificate ID to identify the device and specify the ID.
      • DNS: Enter the domain name. The name must resolve to the IP address in the DNS records.
      • IP address: Use this if you want to use a public IP address that you own.
      • Email: Email address of the contact person.
      • DER ASN1 DN [X.509]: Use this if you want a digital certificate.

    Example SAN data is shown below. You need to enter details of your own domain.

    Certificate: SAN data

  6. Click Save. The CSR is added to the certificates list.

  7. Download the CSR using the download button.

    Certificates: Download CSR option

    A dialog box shows the certificate request.

  8. Copy or download the CSR.

    Depending on the requirements of your CA, you can copy the certificate request to your clipboard or download the CSR as a .csr file.

    Certificates: Dialog box for download of CSR

Next steps

Paste the CSR from your clipboard or send the downloaded .csr file to a CA to get a signed certificate. After you receive the signed certificate from the CA, you must import it to the firewall. See Import a certificate.
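
Before you send the CSR to the CA, you can confirm that the downloaded file carries the settings you entered. The script below is an added example, not part of the Sophos documentation: it uses the OpenSSL command line (assumed to be installed, version 1.1.1 or later) to check the self-signature, common name, key length, secure hash and SANs. The function names, the `example.test` sample values and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not Sophos code). Thresholds are assumptions: RSA >= 2048 bits,
# no MD5/SHA-1 secure hash. Adjust them to your CA's policy.

check_csr() {   # usage: check_csr FILE EXPECTED_COMMON_NAME; returns 0 if all checks pass
    csr=$1 want_cn=$2 rc=0
    # -verify checks the self-signature: the request is intact and signed by its own key.
    text=$(openssl req -in "$csr" -noout -text -verify 2>&1) || return 1
    field() { printf '%s\n' "$text" | sed -n "$1"; }
    case $text in
        *"verify OK"*) ;;
        *) echo "FAIL: self-signature does not verify"; rc=1 ;;
    esac
    cn=$(field 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$want_cn" ] || { echo "FAIL: common name '$cn', expected '$want_cn'"; rc=1; }
    alg=$(field 's/^ *Public Key Algorithm: *//p')
    bits=$(field 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ "$alg" = rsaEncryption ] && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key length is ${bits:-unknown} bits"; rc=1
    fi
    sig=$(field 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        *[Mm][Dd]5*|*[Ss][Hh][Aa]1*) echo "FAIL: weak secure hash: $sig"; rc=1 ;;
    esac
    # openssl prints the SAN values on the line after the extension name.
    san=$(field '/Subject Alternative Name/{n;s/^ *//;p;}')
    [ -n "$san" ] || { echo "FAIL: no subject alternative names"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: CN=$cn key=$alg/$bits sig=$sig SAN=$san"
    return "$rc"
}

# Constructed sample CSRs standing in for the file downloaded from the firewall.
make_samples() {   # usage: make_samples DIR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/key.pem" -out "$1/good.csr" \
        -subj "/O=Example Org/CN=fw.example.test" \
        -addext "subjectAltName=DNS:fw.example.test,IP:192.0.2.10" 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -out "$1/nosan.csr" \
        -subj "/CN=fw.example.test" 2>/dev/null
}

demo=$(mktemp -d) && make_samples "$demo"
check_csr "$demo/good.csr" fw.example.test
check_csr "$demo/nosan.csr" fw.example.test || echo "nosan.csr rejected"
rm -rf "$demo"
```

To check a real request, call `check_csr` with the path of the downloaded .csr file and the common name you entered in step 4.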
