Certificate authorities
You can add, download, update, and regenerate Certificate Authorities (CAs).
CAs are trusted entities that issue digital certificates to verify the ownership of a user, host, or organization. Ownership is verified through a public key, the owner's information, and a private key.
Actions
You can regenerate the built-in signing CA (SecurityAppliance_SSL_CA).
Indicates that the CA's private key exists in the firewall. You can use the CA for signing and validation, for example, SSL/TLS inspection and HTTPS decryption.
You can regenerate the built-in signing CA (SecurityAppliance_SSL_CA). You regenerate CAs when they expire or are compromised.
Note
When you update the default CA (Default), it's automatically regenerated.
You can download the built-in CAs. To get their private keys, do as follows:
- Go to Backup and firmware > Import export.
- Click Export selective configuration, select CertificateAuthority, and click Apply selected items.
- Click Export, and click Download.
Types of CAs
Sophos Firewall offers some default CAs. You can also upload custom CAs.
Under Type, you can see the following types of CAs:
-
Sophos Firewall CAs: You can use the following CAs for signing and validation:
- Internal: It's named Default. You can edit the settings and download this CA. This CA signs the locally-signed certificates. When you update its settings, the default CA is automatically regenerated.
- Built-in: It's named SecurityAppliance_SSL_CA. You can regenerate and download this CA.
-
External CAs:
- Built-in: You can see the list of globally trusted root CAs available in the firewall.
- Uploaded: These are custom CAs you've externally generated and uploaded to the firewall. You can add custom CAs for validation or signing and validation.