Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add a CA manually to endpoints

Users can add the Certificate Authority (CA) you configure for web or email protection to their endpoints and browsers.

This prevents untrusted certificate errors that occur when you apply a signing CA to SSL/TLS inspection and HTTPS decryption, and email TLS configurations.

You can add the CA to users' endpoints remotely using Active Directory or a Mobile Device Management (MDM) solution, such as Sophos Mobile. Alternatively, you can share the CA with users over email or on the intranet.

These examples show how users can install the CA manually on their endpoints.

Install the CA on mobile devices

You may need to convert the file to .der, .cer, or .crt to be compatible with the mobile device. Users must do as follows to install the signing CA on their mobile devices.

The following steps are for a Pixel Android device:

  1. On the Android device, open the Settings app.
  2. Tap Security & location > Advanced > Encryption & credentials.
  3. Under Credential storage, tap Install from storage or Install from SD card.

    Select storage on Android.

  4. In the upper-left corner, tap Menu Menu button..

  5. Under Open from, tap the location where you saved the certificate.

    Open storage on Android.

  6. Tap the file.

  7. Enter your PIN for the device.
  8. Enter a name for the certificate.
  9. Select VPN and apps or Wi-Fi from the list, and tap OK.

Enter the certificate name.

  1. Go to Download the certificate to your local machine to download your SSL CA certificate.
  2. Go to Settings > General.
  3. Go to About > Certificate Trust Settings.
  4. Turn on trust under Enable full trust for root certificates.

Install the CA in operating systems

Users must do as follows to install the signing CA on their endpoint operating system:

  1. Click the Windows button, enter Run, and enter mmc for Microsoft Management Console.
  2. Click File > Add/Remove Snap-in.
  3. Select Certificates from the list and click Add.
  4. Select Computer Account and click Next.
  5. Click Finish and click OK.
  6. Click Certificates (Local computer) to expand the list of certificate containers.
  7. Right-click Trusted Root Authorities, click All Tasks and click Import.
  8. Import the CA certificate you downloaded.
  1. Go to Download the certificate to your local machine to download your SSL CA certificate.
  2. Double-click the downloaded CA certificate.

    This launches Keychain Access and shows a Certificate Not Trusted warning.

  3. Click Always Trust to import the certificate into Login Keychain.

Install the CA in browsers

Users must do as follows to install the signing CA on their browsers.

  1. Click the menu button and go to Settings > Manage Certificates.
  2. Click Trusted Root Certification Authorities.
  3. Click Import and click Next.
  4. Import the CA certificate you downloaded.
  1. Click the vertical ellipsis button and go to Settings > Privacy & Security.
  2. Under Certificates, click View Certificates.
  3. Make sure you're on the Authorities tab and click Import.
  4. Select the CA certificate you downloaded and click Open.
  5. In the Downloading Certificate window, select Trust this CA to identify websites and click OK.
  1. Click the vertical ellipsis button and go to Settings > Privacy & Security.
  2. Click Security and click Manage certificates.
  3. Click Trusted Root Certification Authorities.
  4. Click Import and click Next.
  5. Import the CA certificate you downloaded.
  1. Go to Download the certificate to your local machine to download your SSL CA certificate.
  2. Double-click the downloaded certificate.

    This launches Keychain Access and shows a Certificate Not Trusted warning.

  3. Click Always Trust to import the certificate into Login Keychain.