Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Generate, apply, and install the signing CA

You can generate or import a signing Certificate Authority (CA) and use it for SSL/TLS inspection and HTTPS decryption in Deep Packet Inspection (DPI) and web proxy modes.

After decrypting secure web content, Sophos Firewall encrypts the content again using certificates signed by this CA. To prevent untrusted certificate errors, you must install the signing CA on users' endpoints.

Signing CA to use

You can use one of the following options:

For more details, see HTTPS decrypt and scan FAQs.

Apply and download the CA

  1. Specify the decryption settings for SSL/TLS inspection (DPI mode): See Add a decryption profile.
  2. Apply and download the CA for DPI and web proxy modes: See Apply HTTPS decryption.

Install the signing CA on users' endpoints

You can install the CA on the OSs or browsers of users' endpoints.