Add a CA
You can upload external Certificate Authorities (CAs) to Sophos Firewall.
To generate these CAs externally, you can use the firewall's Certificate Signing Request (CSR) or an external CSR.
Note
If a CA certificate intended for signing, such as for SSL/TLS and HTTPS decryption, has an Extended Key Usage section, it must include the TLS Web Server Authentication flag.
To import a CA, do as follows:
- Go to Certificates > Certificate authorities and click Add.
- Upload the CA certificate or paste the certificate data.
Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.
- The firewall checks whether a matching CSR exists.
If the CA matches an existing CSR, Sophos Firewall automatically selects the purpose of the CA as Signing and validation. The firewall uses the name of the matching CSR for the CA.
- Change the automatically assigned name if you want.
- Click Save.
When you try to upload a CA that doesn't match a CSR generated on Sophos Firewall, additional options appear.
- Select the CA's purpose:
- Validation only
- Signing and validation: Upload the private key and enter the private key password to encrypt it. The password can only have up to 30 characters.
Warning
Don't change CAs used for re-signing to Validation only. Re-signing CAs are required to re-encrypt SSL/TLS traffic after its decryption.
Make sure that you only use a CA set for Signing and validation in the following configurations:
- Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings
- Profiles > Decryption profiles
- Web > General settings under HTTPS decryption and scanning
- Enter a name.
- Click Save.
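As an added pre-flight check that is not part of the Sophos documentation, the following hypothetical helper script (it requires the openssl CLI) reports which encoding a CA file uses and whether its Extended Key Usage, if present, carries the TLS Web Server Authentication flag the firewall requires for a signing CA. The test CAs it generates are constructed solely for the demonstration.

```shell
#!/bin/sh
# Pre-flight check before uploading a CA to Sophos Firewall (added helper, not a
# Sophos tool; needs the openssl CLI). A CA meant for Signing and validation must
# either have no Extended Key Usage (EKU) extension or list
# "TLS Web Server Authentication" in it.

# Guess the encoding from the PEM marker; .der and .cer files without it are DER.
cert_inform() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo PEM
  else
    echo DER
  fi
}

# Exit status: 0 = usable for Signing and validation, 1 = EKU present but lacks
# serverAuth (only safe as Validation only), 2 = the file is not a certificate.
check_ca_eku() {
  form=$(cert_inform "$1")
  ext=$(openssl x509 -in "$1" -inform "$form" -noout -ext extendedKeyUsage 2>/dev/null) \
    || return 2
  case "$ext" in
    *"Extended Key Usage"*) ;;          # EKU present: inspect its flags below
    *) return 0 ;;                      # no EKU: no restriction applies
  esac
  case "$ext" in
    *"TLS Web Server Authentication"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Create a constructed self-signed test CA in directory $1 with the EKU given in $2
# (empty $2 = no EKU extension), as ca.pem and ca.der. Demonstration data only.
make_test_ca() {
  dir=$1; eku=$2; mkdir -p "$dir"
  set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 -subj "/CN=Constructed test CA"
  [ -n "$eku" ] && set -- "$@" -addext "extendedKeyUsage=$eku"
  openssl "$@" >/dev/null 2>&1
  openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.der" 2>/dev/null
}
```

Run `check_ca_eku /path/to/ca.pem; echo $?` on a CA you intend to upload: a status of 1 means the firewall will reject it for SSL/TLS decryption unless the EKU is fixed at the issuing CA.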