
Add a CA

You can upload external Certificate Authorities (CAs) to Sophos Firewall.

To generate these CAs externally, you can use the firewall's Certificate Signing Request (CSR) or an external CSR.

Note

If a CA certificate intended for signing, such as for SSL/TLS and HTTPS decryption, has an Extended Key Usage section, it must include the TLS Web Server Authentication flag.

To import a CA, do as follows:

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

    Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.

  3. The firewall checks whether a matching CSR exists. Do as follows:

    If the CA matches an existing CSR, Sophos Firewall automatically selects the purpose of the CA as Signing and validation.

    The firewall uses the name of the matching CSR for the CA.

    1. Change the automatically assigned name if you want.
    2. Click Save.

    When you try to upload a CA that doesn't match a CSR generated on Sophos Firewall, additional options appear.

    1. Select the CA's purpose:

      • Validation only
      • Signing and validation: Upload the private key and enter the private key password to encrypt it. The password can have up to 30 characters.
    2. Enter a name.

    3. Click Save.
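
The checks in the note and in the import steps above can be run on a workstation before uploading. This is an added example using the OpenSSL command line, not Sophos code; the function name `check_signing_ca` and the variable `CA_KEY_PASS` are hypothetical, and it assumes the password you pass is the one you will enter in the form and, if the key file is encrypted, also the passphrase that opens it.

```shell
#!/bin/sh
# Added example (not Sophos code): checks to run before importing a CA.
# Usage: check_signing_ca CERT [KEY PASSWORD]
# Assumption: PASSWORD is the one you will enter in the upload form and,
# if KEY is an encrypted file, also the passphrase that opens it.
check_signing_ca() {
    cert=$1 key=${2-} pass=${3-}

    # The firewall accepts PEM and DER encodings, so try both.
    form=
    for f in PEM DER; do
        if text=$(openssl x509 -in "$cert" -inform "$f" -noout -text 2>/dev/null); then
            form=$f; break
        fi
    done
    if [ -z "$form" ]; then
        echo "FAIL: $cert is not a readable X.509 certificate"; return 1
    fi

    # Rule from the note: an Extended Key Usage section, if present, must list
    # "TLS Web Server Authentication" (OpenSSL's display name for serverAuth).
    if printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
        if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
            echo "FAIL: EKU present without TLS Web Server Authentication"; return 1
        fi
    fi

    # A validation-only CA needs nothing more; a signing CA needs key and password.
    if [ -z "$key" ]; then echo "OK: validation only"; return 0; fi

    if [ "${#pass}" -gt 30 ]; then
        echo "FAIL: password is ${#pass} characters, limit is 30"; return 1
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -inform "$form" -noout -pubkey 2>/dev/null)
    key_pub=$(CA_KEY_PASS=$pass openssl pkey -in "$key" \
        -passin env:CA_KEY_PASS -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate"; return 1
    fi
    echo "OK: signing and validation"
}

# Run the check when the script is called with arguments.
if [ "$#" -gt 0 ]; then check_signing_ca "$@"; fi
```

The password is handed to OpenSSL through the environment of that one command, so it does not appear in the process argument list.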