
Certificate authorities

You can add, download, update, and regenerate Certificate Authorities (CAs).

CAs are trusted entities that issue digital certificates to verify the ownership of a user, host, or organization. Ownership is verified through a public key, the owner's information, and a private key.



Key icon. Indicates that the CA's private key exists in the firewall. You can use the CA for signing and validation, for example, SSL/TLS inspection and HTTPS decryption.

Regenerate certificate button. You can regenerate the built-in signing CA (SecurityAppliance_SSL_CA). You regenerate CAs when they expire or are compromised.


When you update the default CA (Default), it's automatically regenerated.

Download button. You can download the built-in CAs. To get their private keys, do as follows:

  1. Go to Backup and firmware > Import export.
  2. Click Export selective configuration, select CertificateAuthority, and click Apply selected items.
  3. Click Export, and click Download.
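
After you download a CA, you can check it with OpenSSL before relying on it: that it is a CA certificate, how close it is to expiry (one of the reasons to regenerate), whether a private key you exported belongs to it, and its fingerprint. The following script is an added example, not Sophos code. It assumes the certificate and key are unencrypted PEM files; the function names, file paths, and the 30-day threshold are placeholders, and the sample certificates are constructed test data.

```shell
#!/bin/sh
# Added example, not Sophos code. Paths and thresholds are assumptions.

# ca_status CERT [DAYS] -> ok | expiring | expired | not-a-ca
ca_status() {
    cert=$1; days=${2:-30}
    # A CA certificate carries basicConstraints CA:TRUE (unreadable files also land here).
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo not-a-ca; return 0; }
    # -checkend N fails when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# key_matches CERT KEY: true when KEY is the private key for CERT.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# ca_fingerprint CERT: SHA-256 fingerprint, for comparing with the copy clients trust.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_samples DIR: constructed test data (a 10-day CA and a non-CA certificate).
make_samples() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
        'CN=Constructed Test CA' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        '[leaf]' 'basicConstraints=CA:FALSE' > "$1/c.cnf"
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -config "$1/c.cnf" \
            -extensions "$kind" -days 10 \
            -keyout "$1/$kind.key" -out "$1/$kind.pem" 2>/dev/null
    done
}

demo=$(mktemp -d)
make_samples "$demo"
echo "status:      $(ca_status "$demo/ca.pem" 30)"
key_matches "$demo/ca.pem" "$demo/ca.key" && echo "key:         matches"
echo "fingerprint: $(ca_fingerprint "$demo/ca.pem")"
rm -rf "$demo"
```

To check a real download, call the functions with the paths of your own PEM files instead of the constructed samples.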

Types of CAs

Sophos Firewall offers some default CAs. You can also upload custom CAs.

Under Type, you can see the following types of CAs:

  • Sophos Firewall CAs: You can use the following CAs for signing and validation:

    • Internal: It's named Default. You can edit the settings and download this CA. This CA signs the locally-signed certificates. When you update its settings, the default CA is automatically regenerated.
    • Built-in: It's named SecurityAppliance_SSL_CA. You can regenerate and download this CA.
  • External CAs:

    • Built-in: You can see the list of globally trusted root CAs available in the firewall.
    • Uploaded: These are custom CAs you've externally generated and uploaded to the firewall. You can add custom CAs for validation or signing and validation.