Certificates
You can upload an external certificate, generate a locally-signed certificate, and generate a Certificate Signing Request (CSR).
Certificate details
- Hover over a certificate's name to see its subject, issuer, and purpose.
- A checkmark in the Trusted column for the certificate indicates that its associated CA is installed on Sophos Firewall.
Actions
- You can regenerate the built-in certificate (ApplianceCertificate).
- You can revoke locally-signed certificates. The firewall automatically adds the details to the Default certificate revocation list (CRL).
- You can copy the certificate or download it as a .crt file.
Generating certificates
- Built-in certificate: Sophos Firewall provides a built-in certificate (ApplianceCertificate) that's selected by default for services, such as the web admin console, user portal, and captive portal.
- Locally-signed certificate: You can generate these certificates on the firewall. These are signed by the firewall's internal CA (Default). To see the internal CA, go to Certificates > Certificate authorities.
- External certificate: You can import an external certificate. You can generate it using one of the following methods:
  - Generate a CSR on the firewall and use it to generate a certificate signed by an external CA, such as Active Directory Certificate Services.
  - Generate the CSR and certificate externally.
  Make sure you upload both the certificate and the signing CA to the firewall. If the signing CA is a subordinate CA, make sure you also upload its root CA.
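The upload requirement above can be checked offline before importing anything. This is an added example, not Sophos code. It uses the OpenSSL command line to build a throwaway root CA, subordinate CA and firewall certificate, then tests whether a given set of CA files completes the chain. All names (`Example Root CA`, `Example Sub CA`, `fw.example.test`) and the helper functions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. All subject names and file names below are constructed.

# make_chain DIR: build a throwaway root CA -> subordinate CA -> firewall cert.
make_chain() {
  local d="$1" cfg="$1/openssl.cnf"
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:fw.example.test
EOF
  # Self-signed root CA.
  openssl req -x509 -config "$cfg" -extensions ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Subordinate CA, then the firewall certificate: CSR first, signed by the parent.
  _issue "$d" sub "Example Sub CA" root ca 2 || return 1
  _issue "$d" fw "fw.example.test" sub leaf 3 || return 1
}

# _issue DIR NAME CN PARENT EXT_SECTION SERIAL: generate a CSR and sign it.
_issue() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -set_serial "$6" -days 30 -extfile "$1/openssl.cnf" -extensions "$5" \
    -out "$1/$2.crt" 2>/dev/null
}

# chain_complete CERT CA...: succeeds only if the listed CA files are enough
# to build a chain from CERT up to a self-signed root.
chain_complete() {
  local cert="$1" bundle rc; shift
  bundle="$(mktemp)"
  cat "$@" > "$bundle"
  openssl verify -CAfile "$bundle" "$cert" 2>/dev/null | grep -q ': OK$'
  rc=$?
  rm -f "$bundle"
  return "$rc"
}
```

After `make_chain "$dir"`, `chain_complete "$dir/fw.crt" "$dir/sub.crt"` fails because the subordinate CA alone does not reach a root, while passing both `root.crt` and `sub.crt` succeeds.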