
Add a CA manually to Android devices

Users can add the certificate authority (CA) Sophos Firewall uses for HTTPS scanning to their Android devices.


When Sophos Firewall scans HTTPS traffic, Android devices show a warning message or block traffic if the CA used in HTTPS scanning isn't known to them.

Sophos Firewall ships with a CA certificate, which it uses for the DPI engine (SSL/TLS inspection) and web proxy-based HTTPS scanning.

This example shows how users can manually install the CA on their Android devices to allow HTTPS scanning.

The configuration steps are as follows:

  • Download the CA and send it to users.
  • Specify the CA for SSL/TLS inspection and decryption when using the DPI engine.
  • Specify the CA for HTTPS decryption and scanning when using Sophos Firewall as a web proxy.
  • Users must add the CA to their Android devices.

Apply root CA for HTTPS decryption and download CA

Use the CA shipped with Sophos Firewall for HTTPS decryption.

You must select the CA for SSL/TLS inspection, which uses the DPI engine, and for HTTPS decryption, which uses web proxy filtering. You must also download the CA.

  1. Go to Certificates > Certificate authorities and click Download next to SecurityAppliance_SSL_CA.

    Alternatively, you can specify the settings of the Default CA, which is the locally-signed CA shipped with Sophos Firewall, and download it. You can also import an external CA.

  2. If you want users to add the CA manually, email the CA certificate to them.

    Alternatively, upload the CA to a server from which users can download the certificate to their mobile devices.

  3. To configure the CA for SSL/TLS inspection, which uses the DPI engine, do as follows:

    1. Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
    2. Under Re-signing certificate authorities, select SecurityAppliance_SSL_CA (RSA) for Re-sign RSA with.

    3. Click Apply.

  4. To configure the CA for HTTPS decryption, which uses web proxy, go to Web > General settings. Under HTTPS decryption and scanning, select SecurityAppliance_SSL_CA for HTTPS scanning certificate authority (CA).

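A device that trusts this CA accepts any certificate the firewall re-signs, so a file sent by email or fetched from a server is worth checking against a fingerprint the administrator publishes through a separate channel. The following is an added example, not part of the Sophos documentation: it compares the file's SHA-256 fingerprint with the expected value and confirms the file is a CA certificate. The file name and fingerprint are placeholders, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: check a downloaded CA file before distributing or installing it.
# Handles PEM and DER input. Requires the openssl command-line tool.

# Print the certificate's SHA-256 fingerprint as uppercase hex without colons.
ca_fingerprint() {
    _fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    _fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    return 1
    printf '%s\n' "${_fp#*=}" | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the Basic Constraints extension marks the certificate as a CA.
is_ca_cert() {
    { openssl x509 -in "$1" -noout -text 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null; } |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# verify_ca FILE EXPECTED_FINGERPRINT
# Returns 0 on match, 1 on mismatch, 2 if unreadable, 3 if not a CA certificate.
verify_ca() {
    # Accept the expected value with or without colons, in either letter case.
    _want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    _got=$(ca_fingerprint "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    is_ca_cert "$1" || { echo "not a CA certificate: $1" >&2; return 3; }
    if [ "$_got" != "$_want" ]; then
        echo "fingerprint mismatch, do not install: $_got" >&2
        return 1
    fi
    echo "fingerprint OK: $_got"
}

# Usage (file name and fingerprint are placeholders):
#   sh verify_ca.sh SecurityAppliance_SSL_CA.pem "<fingerprint from the administrator>"
if [ "$#" -eq 2 ]; then
    verify_ca "$1" "$2"
fi
```

The administrator can run `ca_fingerprint` on the exported file to obtain the value to publish.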

Add the CA to an Android device

To be able to install certificates, you must set a PIN, pattern, or password for your mobile device.

The following steps are for a Pixel Android device. For details of other Android devices, see

  1. On the Android device, open the Settings app.
  2. Tap Security & location > Advanced > Encryption & credentials.
  3. Under Credential storage, tap Install from storage or Install from SD card.

  4. In the upper-left corner, tap Menu.

  5. Under Open from, tap the location where you saved the certificate.

  6. Tap the file.

  7. Enter your PIN for the device.
  8. Enter a name for the certificate.
  9. Select VPN and apps or Wi-Fi from the list, and tap OK.
