Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add a certificate signing request

You can generate certificate signing requests (CSR) on the firewall.

You can generate a certificate signing request (CSR). An external CA can issue a certificate or a subordinate CA based on the CSR.

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Generate certificate signing request (CSR).

Certificate details

  1. Enter a name.
  2. For Key type, select one of the following:

    • RSA
    • Elliptic curve
  3. Select the Key length (for RSA) or Curve name (Elliptic curve).

    Larger RSA keys offer greater security but take longer to encrypt and decrypt data.

  4. Select a Secure hash algorithm.

    Here's an example. You must enter your domain's details.

    Certificate details.

Subject name attributes

You must enter a common name. The firewall automatically fills all other fields with the details from your license. You can change these if you want.

  1. Country name: Enter the country in which the firewall is deployed.
  2. State: Enter the state or region.
  3. Locality name: Enter the city.
  4. Organization name: Enter the certificate owner's name (example: Sophos Group)
  5. Organization unit name: Enter the name of the department to which you'll assign the certificate (example: Marketing).
  6. Common name: Enter the hostname or FQDN (example: marketing.sophos.com).
  7. Enter the contact person's email address.

    Here's an example:

    Subject name attributes.

The distinguished name shows the certificate's configured details and is dynamically updated when you make changes.

Subject Alternative Names (SAN)

You must enter at least one SAN or a certificate ID.

  1. Enter a DNS name, IPv4, or IPv6 address, and click plus button..

    Subject alternative names (SANs) define the DNS names and IP addresses the certificate secures.

    Here's an example. You must enter your domain's details.

    SAN data.

  2. (Optional) If you're generating a certificate to use with earlier versions of SFOS, do as follows:

    1. Click Advanced settings.
    2. For Certificate ID, select from the following options and enter the ID:

      • DNS: Enter a domain name. The name must resolve to the IP address in the DNS records.
      • IP address: A public IP address that you own.
      • Email: Contact person's email address.
      • DER ASN1 DN [X.509]: Use this if you specify a digital certificate to secure an object.
  3. Click Save.

    The CSR is added to the certificates list.

Copy or download CSR

  1. On the certificates list, click Download button. for the CSR.

    Download CSR option.

    A dialog box shows the certificate signing request.

  2. Copy or download the CSR (.csr file).

    Dialog box to download a CSR.

Next steps

  1. Use the copied or downloaded CSR to get a signed certificate or subordinate CA from a root CA. See Add subordinate and root CAs for TLS traffic.
  2. Import it to the firewall. See Import a certificate.

To generate a CSR for a Let's Encrypt™ certificate, do as follows:

  1. Go to Certificates > Certificates and click Add.
  2. For Action, select Request Let's Encrypt certificate.
  3. Enter a name.
  4. In Domains, specify the domains for which you want to use the certificate. You can only enter FQDNs.

    Domain validation is based on the HTTP-01 method, which doesn't support IP addresses and wildcard domains.

  5. In Hosted address, select the public IP address of the WAN interface to which the domains resolve.

    Because a domain validation request is sent to this IP address over port 80, make sure the following conditions are met:

    • If the firewall is behind a router with the public IP address, create a DNAT rule on the router that translates the public IP address over port 80 to the firewall's WAN interface. This ensures the validation request reaches the firewall.
    • To respond to the request, the firewall can't have a DNAT rule for this IP address on port 80.
  6. Click Save.

Certificate details

On the Certificates page, the Type column shows Let's Encrypt CSR for this CSR.

Shows the Let's Encrypt CSR.

It takes a few minutes for the CA to validate the CSR. After it's validated, the Valid from and Valid until columns show the validity dates and the Trusted column shows a green tick mark. You can now click Download Download button. to download the certificate.

Shows the validated Let's Encrypt certificate.

Warning

You can't edit the CSR if the domain is invalid or doesn't exist. In these cases, you must delete the CSR and create a new one.

Let's Encrypt is a trademark of the Internet Security Research Group. All rights reserved.