
Install a subordinate Certificate Authority (CA) and its root CA

You can add an externally generated subordinate Certificate Authority (CA) and its root CA to Sophos Firewall.

You can then select it as the signing CA for SSL/TLS inspection and HTTPS decryption, and for email TLS configurations.

Do as follows:

  • Generate a Certificate Signing Request (CSR).
  • Sign the CSR.
  • Convert the signed CA.
  • Upload the signed CA to Sophos Firewall.
  • Upload the root CA to Sophos Firewall.
  • Apply the CA.
  • Confirm the new certificate is used for web traffic.

Generate a CSR

Specify the certificate and identification details.

When you send the CSR to a certificate authority, the CA issues a certificate based on these details.

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

    The option to generate the CSR on Sophos Firewall is shown below.

    Certificates: Signing request option

  3. Specify the certificate details.

    Name: Enter a name.

    Key type: Select from the following options:
    • RSA
    • Elliptic curve

    Key length: If you've set the key type to RSA, select the key length. It's the number of bits used to construct the key. Larger keys offer greater security, but signing and encrypting with them takes longer.

    Curve name: If you've set the key type to Elliptic curve, select the curve name.

    Secure hash: Select the algorithm from the list.
  4. Enter a common name in the Subject name attributes section.

    All other fields in this section are prefilled with the details of your license.

    Country name: Country in which the device is deployed.

    State: The state within the country.

    Locality name: Name of the city.

    Organization name: Name of the certificate owner. Example: Sophos Group

    Organization unit name: Name of the department to which the certificate will be assigned. Example: Marketing

    Common name: Common name or FQDN. Example: marketing.sophos.com

    Email address: Contact person's email address.

    Distinguished name shows a preview of the certificate's distinguished name and updates dynamically when you make changes to this section.

    Example settings for subject name attributes are shown below. You need to enter details of your own organization.

    Certificate: Subject name attributes

  5. Add subject alternative names in the Subject Alternative Names (SANs) section.

    Enter at least one SAN or a certificate ID.

    Subject alternative names (SANs) define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. You can add IPv4 and IPv6 addresses. For a signing CA, clients identify the CA by its subject and key rather than by the SAN, but the field must still be filled in here.

    Advanced settings: This section holds the Certificate ID setting, which you need to specify only for certificates that you want to use with earlier versions of Sophos Firewall.

    1. Select the type of certificate ID to identify the device and specify the ID.
      • DNS: Enter the domain name. The name must resolve to the IP address in the DNS records.
      • IP address: Use this if you want to use a public IP address that you own.
      • Email: Email address of the contact person.
      • DER ASN1 DN [X.509]: Use this if you want a digital certificate.

    Example SAN data is shown below. You need to enter details of your own domain.

    Certificate: SAN data

  6. Click Save.

  7. Download the CSR using the download button.

    Certificates: Download CSR option

    A dialog box shows the certificate request.

Sign the CSR

You need to create a new certificate that is signed by your root CA certificate.

  1. Sign in to the Microsoft certificate server (the Active Directory Certificate Services web enrollment page) and select Request a certificate.

    The option is highlighted below.

    Request a certificate option on server

  2. Select Advanced certificate request.

    The option is highlighted below.

    Advanced certificate request option on server

  3. Open the CSR file you downloaded from Sophos Firewall, and copy the complete content, including the BEGIN and END lines, without any extra lines. Select Subordinate Certification Authority for your template. This template issues a CA certificate (basic constraints CA:TRUE with the certificate signing key usage); a certificate issued from a web server or other end-entity template can't be used by the firewall to sign the certificates it generates for decrypted sites.

    The area to paste the CSR content and the menu option are as follows:

    CSR code and menu certificate template option on server

  4. Download the certificate in DER encoded format.

    The file format and download option are as follows:

    Download and encoding option on server

    The downloaded certificate file looks like this:

    Certificate file example

  5. Download the root CA you used to sign the subordinate CA.

    The download option is as follows:

    Download certificate option on server

Upload the signed CA to Sophos Firewall

You must upload the signed CA to Sophos Firewall. Later, you'll select this as the signing CA for the services you want.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data. Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in PEM, DER, or CER format.

    The options you should choose are shown below. Your own file name will be different, and the certificate's subject should match what you specified when you created the CSR.

    Example of uploading a CA

  3. Click Save.

Upload the root CA to Sophos Firewall

To use the recently uploaded signed CA, you must also add its root CA to Sophos Firewall.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

    The options you should choose are shown below. Your own file name will be different and should be the root CA you downloaded from the certificate server.

    Certificate file format example

  3. Click Save.

The CSR is automatically removed from the certificates list.

Apply the CA

Select the uploaded subordinate CA as the signing CA in the SSL/TLS inspection and HTTPS decryption settings, and in the email TLS configuration where you want it used. The firewall then issues the certificates for decrypted sites from this CA. Clients only accept those certificates if they trust the root CA, so make sure the root CA is installed in the trust store of every client whose traffic is decrypted; otherwise browsers show certificate warnings.

Make sure the correct certificate is being used for web traffic

This example shows how to check if the certificate is in use for HTTPS decryption.

  1. From a client whose traffic is decrypted, open a web browser and go to an HTTPS website, such as https://www.google.com.
  2. Click the padlock icon next to the address bar and select Certificate.
  3. Select Certificate Path.

    An example certificate path is shown below.

    Browser certificate chain

    You should see the site's certificate issued by your newly signed subordinate CA, and above it the root CA used to sign the subordinate CA. If the browser shows a certificate warning instead, the client doesn't trust the root CA, or the traffic isn't being decrypted by the firewall.
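The signing, conversion and pre-upload checks from the earlier sections, and the final chain check from this one, as an added example that is not part of the Sophos page: it replaces the Microsoft certificate server with an openssl root CA and uses openssl in place of the firewall, so the whole flow runs offline. All subjects, file names and the host name are illustrative assumptions, and the `check_subordinate_ca` and `check_served_chain` functions are helpers written for this example, not firewall features. In a real deployment, feed `check_subordinate_ca` the DER file downloaded from the certificate server, the root CA file and the CSR exported from the firewall, and feed `check_served_chain` the chain captured from a client behind the firewall with `openssl s_client -connect www.google.com:443 -servername www.google.com -showcerts </dev/null`.

```shell
#!/bin/sh
# Added example, not Sophos code. Replaces the Microsoft certificate server
# with an openssl root CA and stands in for the firewall with openssl, so
# everything runs offline. All names, paths and subjects are illustrative.
set -eu

# Constructed fixture: throwaway root CA, a CSR like the one Sophos Firewall
# exports, and the signed subordinate CA delivered in DER like the download
# from the certificate server. TEMPLATE is "subca" (correct) or "webserver"
# (the wrong template: the result is not a CA and can't sign anything).
make_demo_pki() {
  dir="$1"; template="$2"; mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=GB/O=Example Ltd/CN=Example Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=GB/O=Example Ltd/OU=IT/CN=Sophos Firewall Sub CA" \
    -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
  if [ "$template" = subca ]; then
    # Equivalent of the Subordinate Certification Authority template.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE, pathlen:0' \
      'keyUsage = critical, keyCertSign, cRLSign' \
      'subjectKeyIdentifier = hash' > "$dir/sub.ext"
  else
    printf '%s\n' 'basicConstraints = CA:FALSE' \
      'keyUsage = digitalSignature, keyEncipherment' \
      'extendedKeyUsage = serverAuth' > "$dir/sub.ext"
  fi
  openssl x509 -req -in "$dir/sub.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$dir/sub.ext" \
    -outform DER -out "$dir/sub.der" 2>/dev/null
}

# "Convert the signed CA": DER to PEM, plus the checks worth doing before
# uploading. Prints OK and returns 0 only if every check passes.
check_subordinate_ca() {
  der="$1"; root="$2"; csr="$3"; pem="${der%.der}.pem"
  openssl x509 -inform DER -in "$der" -out "$pem"
  text=$(openssl x509 -in "$pem" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || { echo "FAIL: not a CA certificate"; return 1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyUsage lacks keyCertSign"; return 1; }
  # Public key must match the CSR, i.e. the private key that stayed on the firewall.
  csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  crt_key=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
  [ "$csr_key" = "$crt_key" ] || { echo "FAIL: public key differs from the CSR"; return 1; }
  openssl verify -CAfile "$root" "$pem" >/dev/null 2>&1 || { echo "FAIL: does not chain to the root CA"; return 1; }
  echo OK
}

# Final check from a client behind the firewall, without the browser. CHAIN is
# what "openssl s_client ... -showcerts" printed: the per-site leaf first, then
# the subordinate CA. The leaf must be issued by our subordinate CA and the
# chain must end at our root CA.
check_served_chain() {
  chain="$1"; sub="$2"; root="$3"
  leaf_issuer=$(openssl x509 -in "$chain" -noout -issuer)   # first cert only
  sub_subject=$(openssl x509 -in "$sub" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${sub_subject#subject=}" ] || { echo "FAIL: leaf not issued by the subordinate CA"; return 1; }
  openssl verify -CAfile "$root" -untrusted "$sub" "$chain" >/dev/null 2>&1 || { echo "FAIL: chain does not end at the root CA"; return 1; }
  echo OK
}

# Constructed stand-in for the firewall: mint a leaf for a decrypted site with
# the subordinate CA and write leaf + subordinate CA as s_client would show them.
make_demo_chain() {
  dir="$1"; host="$2"
  openssl x509 -inform DER -in "$dir/sub.der" -out "$dir/sub.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$host" > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/sub.pem" -CAkey "$dir/sub.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/sub.pem" > "$dir/chain.pem"
}

demo=$(mktemp -d)
make_demo_pki "$demo/good" subca
check_subordinate_ca "$demo/good/sub.der" "$demo/good/root.pem" "$demo/good/sub.csr"
make_demo_chain "$demo/good" www.google.com
check_served_chain "$demo/good/chain.pem" "$demo/good/sub.pem" "$demo/good/root.pem"
make_demo_pki "$demo/bad" webserver
check_subordinate_ca "$demo/bad/sub.der" "$demo/bad/root.pem" "$demo/bad/sub.csr" || true
```

The last line reproduces the most common mistake at the signing step, choosing an end-entity template instead of Subordinate Certification Authority: the download looks like any other certificate, converts fine, and only the `CA:TRUE` check tells you it can't be used as a signing CA. The public-key comparison catches the other silent failure, a certificate that was issued from a different CSR than the one the firewall exported, which the firewall would reject or fail to pair with its key.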