Skip to content


You can upload an external certificate, generate a locally-signed certificate, and generate a Certificate Signing Request (CSR).

Certificate details

  • Hover over a certificate's name to see its subject, issuer, and purpose.
  • Checkmark indicator. A checkmark in the Trusted column for the certificate indicates that its associated CA is installed on Sophos Firewall.


  • Regenerate button. You can regenerate the built-in certificate (ApplianceCertificate).
  • Revoke button. You can revoke locally-signed certificates. The firewall automatically adds the details to the Default certificate revocation list (CRL).
  • Download button. You can copy the certificate or download it as a .crt file.

    Certificates: Download dialog box.

Generating certificates

  • Built-in certificate: Sophos Firewall provides a built-in certificate (ApplianceCertificate) that's selected by default for services, such as the web admin console, user portal, and captive portal.
  • Locally-signed certificate: You can generate these certificates on the firewall. These are signed by the firewall's internal CA (Default). To see the internal CA, go to Certificates > Certificate authorities.
  • External certificate: You can import an external certificate. You can generate it using one of the following methods:

    • Generate a CSR on the firewall and use it to generate a certificate signed externally, such as Active Directory Certificate Services.
    • Generate the CSR and certificate externally.

    Make sure you upload both the certificate and the signing CA to the firewall. If the signing CA is a subordinate CA, make sure you also upload its root CA.