Skip to content

Add subordinate and root CAs for TLS traffic

This example shows how to generate the Certificate Signing Request (CSR) in Sophos Firewall and the subordinate Certificate Authority (CA) in Active Directory Certificate Services (AD CS) in Enterprise CA mode.


You can't use this example if you have AD CS in Standalone CA mode.

Alternatively, you can use a third-party tool, such as OpenSSL, to generate the CSR and CAs. You must upload subordinate and root CAs generated through third-party tools on Certificates > Certificate authorities. See Add a CA.

You can use the subordinate CA as the signing CA for SSL/TLS inspection, HTTPS decryption, and TLS configurations for emails.

Do as follows:

  1. Generate a CSR.
  2. Generate a subordinate CA and download the subordinate and root CAs.
  3. Import the subordinate CA to Sophos Firewall.
  4. Upload the root CA to Sophos Firewall.
  5. Apply the subordinate CA.

Generate a CSR

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

    Certificates: Signing request option.

  3. Specify the following Certificate details:

    1. Enter a name.
    2. Key type (example: RSA)
    3. Key length (example: 2048)
    4. Secure hash (example: SHA - 256)

      Here's an example:

      Certificates: Signing request option.

  4. Specify the following Subject name attributes:

    1. Country name (example: United States)
    2. State (example: Georgia)
    3. Locality name (example: Atlanta)
    4. Organization name (example: Example organization)
    5. Organization unit name (example: IT)
    6. Common name (example:
    7. Email address (example:

      Here's an example:

      Certificates: Signing request option.

  5. For Subject Alternative Names, enter DNS names or IP addresses.

    Examples:, fd12:3456:789a:1::,

    Certificate: SAN data.

  6. Click Save.

  7. Download the CSR as follows:

    1. Click the download button for the CSR you created.
    2. In the pop-up window, click Copy to clipboard.

      Here's an example:

      Copy CSR certificate.

Generate a subordinate CA in Active Directory Certificate Services

You must generate a subordinate CA based on the CSR. This example uses AD CS in Enterprise CA mode.

  1. In AD CS, do as follows to generate a subordinate CA.

    1. Click Request a certificate.

      Request a certificate.

    2. Click Advanced certificate request.

      Advanced certificate request.

    3. Paste the CSR certificate you copied.

    4. For Certificate template, select Subordinate Certification Authority.
    5. Click Submit.

      Here's an example:

      CSR certificate and subordinate CA template.

    6. Under Certificate Issued, select an encoding format.

      This example selects the Base 64 encoded format.

    7. Click Download certificate to download the subordinate CA certificate.

      Encoding and download.

  2. Do as follows to download the root CA certificate:

    1. On the welcome page, click Download a CA certificate.

      Download root CA.

    2. Select the root CA that's used to sign the subordinate CA.

    3. Click Download CA certificate.

      Here's an example:

      Download certificate option on server.

    4. Click Save.

Import the subordinate CA to Sophos Firewall

For CAs generated based on a CSR you created on Sophos Firewall, you must import the CA as follows:

  1. Go to Certificates > Certificates and click Add.
  2. Click the import button import button. for the CSR you generated.
  3. Click Choose file and select the subordinate CA you downloaded from AD CS.
  4. Click Certificate authority only.

    The firewall recognizes that it's a CA and makes the CA options available.

  5. Change the certificate authority name if you want.

  6. Click Import certificate.

    Here's an example:

    Import subordinate CA.

  7. To see the subordinate CA on the list, go to Certificates > Certificate authorities.

  8. Use the filter next to Name, enter the search term for the CA's name, and click Apply.

    Here's an example:

    Search for subordinate CA.

    You can see the subordinate CA you imported. The firewall automatically associates the CSR's private key with the subordinate CA.

    Subordinate CA with private key.

Upload the root CA to Sophos Firewall

To trust the subordinate signing CA, you must upload its root CA to Sophos Firewall.

  1. Go to Certificates > Certificate authorities and click Add.
  2. For Certificate, click Browse and upload the root CA you downloaded from AD CS.
  3. Change the name if you want.
  4. Under Use certificate for, retain the following default selection: Validation.

    The root CA only validates the subordinate CA you imported.

    Here's an example:

    Root CA upload.

  5. Click Save.

Apply the CA

You can select the subordinate CA to re-sign SSL/TLS traffic.