Add a CA
You can upload external Certificate Authorities (CAs) to Sophos Firewall.
To generate these CAs externally, you can use the firewall's Certificate Signing Request (CSR) or an external CSR.
Note
If a CA certificate intended for signing, such as for SSL/TLS and HTTPS decryption, has an Extended Key Usage section, it must include the TLS Web Server Authentication flag.
To import a CA, do as follows:
- Go to Certificates > Certificate authorities and click Add.
- Upload the CA certificate or paste the certificate data.
  Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.
- The firewall checks whether a matching CSR exists. Do as follows:
  If the CA matches an existing CSR, Sophos Firewall automatically selects the purpose of the CA as Signing and validation. The firewall uses the name of the matching CSR for the CA.
  - Change the automatically assigned name if you want.
  - Click Save.
  When you try to upload a CA that doesn't match a CSR generated on Sophos Firewall, additional options appear.
  - Select the CA's purpose:
    - Validation only
    - Signing and validation: Upload the private key and enter the private key password to encrypt it. The password can have up to 30 characters.
  - Enter a name.
  - Click Save.
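The Extended Key Usage requirement in the note can be checked before you upload a CA for signing. The script below is an added example, not Sophos code: the function names are hypothetical, it assumes only the `openssl` command-line tool, and it accepts PEM or DER input.

```shell
#!/bin/sh
# Added example (not Sophos code): pre-upload EKU check for a signing CA.
# Function names are hypothetical; only the openssl CLI is assumed.

# Dump the certificate as text. Try PEM first, then DER (.der/.cer).
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null
}

# Return codes:
#   0  no EKU section, or EKU lists TLS Web Server Authentication
#   1  EKU section present without that flag (unsuitable for signing)
#   2  file is not a readable X.509 certificate
check_signing_ca_eku() {
    text=$(cert_text "$1") || return 2
    # openssl prints the EKU values on the line after the extension header.
    eku=$(printf '%s\n' "$text" |
        awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    if [ -z "$eku" ]; then
        echo "OK: no Extended Key Usage section"
        return 0
    fi
    case "$eku" in
        *"TLS Web Server Authentication"*)
            echo "OK: EKU includes TLS Web Server Authentication"
            return 0 ;;
        *)
            echo "FAIL: EKU lacks TLS Web Server Authentication:$eku"
            return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate written to
# $1.pem (key in $1.key), with the EKU list in $2 (empty means no EKU section).
make_constructed_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-ca" -keyout "$1.key" -out "$1.pem" \
        ${2:+-addext "extendedKeyUsage=$2"} >/dev/null 2>&1
}

# Usage: sh check_ca_eku.sh /path/to/ca.pem
if [ "$#" -gt 0 ]; then
    check_signing_ca_eku "$1"
fi
```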