
Add a CA

You can upload external Certificate Authorities (CAs) to Sophos Firewall.

To generate these CAs externally, you can use the firewall's Certificate Signing Request (CSR) or an external CSR.

To import a CA, do as follows:

  1. Go to Certificates > Certificate authorities and click Add.
  2. Upload the CA certificate or paste the certificate data.

    Sophos Firewall automatically detects the certificate format. It supports X.509 certificates in .pem, .der, and .cer formats.

  3. The firewall checks whether a matching CSR exists. Do as follows:

    If the CA matches an existing CSR, Sophos Firewall automatically selects the purpose of the CA as Signing and validation.

    The firewall uses the name of the matching CSR for the CA.

    1. Change the automatically assigned name if you want.
    2. Click Save.

    When you try to upload a CA that doesn't match a CSR generated on Sophos Firewall, additional options appear.

    1. Select the CA's purpose:

      • Validation only
      • Signing and validation: Upload the private key, and enter the private key password.
    2. Enter a name.

    3. Click Save.
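
Before you upload, you can check locally that the file is in a supported encoding, that it is a CA certificate, and that the private key you plan to upload for Signing and validation belongs to it. The script below is an added example, not part of the Sophos documentation; it assumes the openssl CLI is installed, and the function names, file names, and demo CA are hypothetical.

```shell
# Added example: pre-upload checks for a CA certificate and its private key.
# The key password is read from $KEY_PASS so it never appears in argv.

# Print the certificate as PEM, whether the input file is PEM or DER.
as_pem() {
  openssl x509 -in "$1" 2>/dev/null ||
    openssl x509 -inform DER -in "$1" 2>/dev/null
}

# Report the file's encoding: pem, der, or unknown.
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo pem
  elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then echo der
  else echo unknown; return 1
  fi
}

# Succeed only if basicConstraints marks the certificate as a CA.
is_ca() { as_pem "$1" | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE'; }

# Succeed only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() (
  cert_pub=$(as_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Create a constructed, throwaway CA (1-day validity) in directory $1.
make_demo_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.pem" -passout env:KEY_PASS 2>/dev/null
}

# Demo on constructed files; point these at the files you plan to upload.
export KEY_PASS='constructed-demo-pass'
demo_dir=$(mktemp -d) && make_demo_ca "$demo_dir"
echo "format: $(cert_format "$demo_dir/ca.pem")"
is_ca "$demo_dir/ca.pem" && echo "CA:TRUE present"
key_matches_cert "$demo_dir/ca.pem" "$demo_dir/ca.key" && echo "key matches"
```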