Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=certificates-add-external-root-intermediate-CAs

Add externally generated certificate, intermediate and root CAs

You can upload an externally generated intermediate CA with its private key and its root CA.

Note

We recommend using a CSR generated in the firewall to generate the certificates and intermediate CAs.

The firewall automatically matches the CSR's private key with the CA, ensuring private key security. See Add subordinate and root CAs for TLS traffic.

Upload the certificate

  1. Go to Certificates > Certificates and click Add.
  2. Enter a name.
  3. Select the Certificate file format, for example, PEM (.pem).
  4. Click Browse and upload the Certificate.
  5. Click Browse and upload the Private key.
  6. Enter the passphrase or preshared key.
  7. Click Save.

Upload certificate.

Upload the intermediate CA

  1. Go to Certificates > Certificate authorities and click Add.

  2. Upload the CA certificate or paste the certificate data.

    The firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.

  3. (Optional) Change the name.

  4. In this example, set the CA's purpose to Signing and validation.
  5. Upload its private key.
  6. Enter the private key's passphrase.
  7. Click Save.

Upload Subordinate CA.

Upload the root CA

You must upload the root CA to validate the intermediate CA.

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

  3. Set Use certificate for to Validation only.

    It validates the intermediate CA.

  4. Click Save.

Upload root CA.

Check the certificate's trust

  1. Go to Certificates > Certificates.
  2. Under Trusted, see if the green check icon appears for the certificate you uploaded.

Trusted certificate.

(Optional) Check the intermediate CA's private key

  1. Go to Certificates > Certificate authorities.
  2. Click the filter button next to Type.

  3. In the pop-up window, select Uploaded and click Apply.

    Apply filter for uploaded CAs.

  4. See if the private key icon appears next to the subordinate CA.

    It confirms that you've uploaded the signing CA's private key to the firewall.

    Private key of CA.

More resources