
Remove untrusted certificate error

The firewall uses the default appliance certificate for services, such as the web admin console and the user portal.

The firewall's default certificate authority (CA) signs that certificate, and browsers don't trust the default CA. So, browsers show an untrusted certificate error whenever the default appliance certificate is presented, for example, when you open the web admin console, the user portal, or the Sophos Connect client.

You can make browsers trust the certificate by generating a certificate that carries the firewall's hostname (as the common name and as a DNS subject alternative name) and importing the CA that signed it into the browser.

Generate a locally-signed certificate

  1. Go to Certificates > Certificates and click Add.
  2. Click Generate locally-signed certificate.
  3. Enter a name.
  4. Enter the Subject name attributes.
  5. For Common name, enter your firewall's hostname (example: DenverFirewall).

    Firewall's hostname as common name.

  6. Under Subject Alternative Names, for DNS names, enter the firewall's hostname (example: DenverFirewall) and click the plus button.

    Firewall's hostname as DNS name.

  7. Click Save.

Edit the Admin and user settings

  1. Go to Administration > Admin and user settings.
  2. For Hostname, enter your firewall's hostname (example: DenverFirewall).
  3. Click Apply.

    Firewall hostname.

  4. Under Admin console and end-user interaction, for Certificate, select the certificate you generated.

  5. Make sure you select Use the firewall's configured hostname.

    It shows the hostname you entered.

    Selecting firewall's hostname.

  6. Click Apply.

Import the CA to browsers

Import the CA used to generate the locally-signed certificate to the browser or your mobile device.

  1. Go to Certificates > Certificate authorities.
  2. Click the download button for the CA named Default.

    The firewall signs all locally-generated certificates using the Default CA.

    Download the Default CA.

  3. Extract the certificates from the .tar file.

  4. Rename the Default.der or Default.pem file to Default.crt.

    Note

    You must change the file extension to meet browser requirements.

  5. Import the file to the browser's Trusted Root Certificate Authorities or the mobile device's certificate store. See Add a CA manually to endpoints.

  6. Refresh the window and open the firewall's web admin console. The untrusted certificate error won't appear.
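The three procedures above come down to two conditions a browser checks: the name you type in the address bar must appear as a DNS subject alternative name in the certificate, and the certificate must chain to a CA the browser trusts. The following is an added example, not code from the Sophos documentation, that checks both. It assumes the hostname DenverFirewall, that the downloaded CA file was renamed to Default.crt as described above, and that the web admin console listens on port 4444 (the usual default, not stated on this page).

```python
"""Check that a firewall certificate satisfies browser name and trust rules."""
import socket
import ssl

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
# GOOD_CERT is what a certificate generated per the steps above looks like.
GOOD_CERT = {
    "subject": ((("commonName", "DenverFirewall"),),),
    "subjectAltName": (("DNS", "DenverFirewall"),),
}
# CN_ONLY_CERT has the hostname only in the common name, with no SAN entry.
CN_ONLY_CERT = {
    "subject": ((("commonName", "DenverFirewall"),),),
}


def san_dns_names(cert):
    """Return the DNS entries from subjectAltName, lowercased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def hostname_matches(cert, hostname):
    """Apply the browser rule: the hostname must appear in the SAN DNS list.

    Modern browsers ignore the common name, so a CN-only certificate fails
    even though the CN is correct. A wildcard entry (*.example) matches one
    label only.
    """
    host = hostname.lower()
    for name in san_dns_names(cert):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.endswith(name[1:]):
                return True
    return False


def verify_admin_console(hostname="DenverFirewall", port=4444,
                         cafile="Default.crt"):
    """Connect to the admin console trusting only the downloaded Default CA.

    Returns the peer certificate dict if the chain and hostname verify;
    raises ssl.SSLCertVerificationError otherwise, which is exactly the
    condition under which a browser would show the untrusted error.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Running `hostname_matches` on the two constructed samples shows why step 6 of the certificate procedure (the SAN entry) is required and not merely the common name.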

Note

You can also install trusted root CAs on your endpoint. You can push the default CA to users' endpoints using Active Directory Group Policy Objects (GPO).
