
Let's Encrypt™ certificate authority (CA)

You can use the Let's Encrypt™ CA to create trusted certificates for public domains. The Let's Encrypt CA uses an automated process to create, sign, validate, and renew the certificates. It issues X.509 certificates.

Create Let's Encrypt certificates

To create Let's Encrypt certificates, you must register with the Let's Encrypt CA. You can then generate certificate signing requests (CSRs) to request Let's Encrypt certificates. After the Let's Encrypt CA validates the CSR, it issues a valid, trusted certificate, which is then available for use with SFOS features.

The Let's Encrypt CA must communicate with the firewall to validate the CSR. For this communication, the firewall temporarily creates a WAF rule. After the CA validates the CSR, the firewall deletes the rule. While the CSR is being validated, you may therefore see a WAF rule on the Rules and policies page.

Restrictions

  • You can't use Let's Encrypt certificates for Remote access VPN, Site-to-site VPN, or the Chromebook SSO authentication service.
  • The firewall supports Let's Encrypt certificates only over IPv4.
  • During the Let's Encrypt CA validation period for any CSR, the web applications protected by WAF rules will be unavailable through the firewall.

Register with the Let's Encrypt CA

To register, do as follows:

  1. Go to Certificates > Let's Encrypt.
  2. Read the Let's Encrypt subscriber agreement and other terms and conditions. See Policy and Legal Repository.
  3. Click Register account.

    When you click Register account, you're acknowledging and agreeing to the Let's Encrypt subscriber agreement.

    If the terms of the subscriber agreement change, you must click Register account again to continue to use the Let's Encrypt CA. If you don't register again, your existing certificates aren't renewed and you can't create new ones.

    If the agreement changes, the firewall notifies you in the following ways:

    • Sends an email notification to the administrator.
    • Shows an alert message in Control center.

To deregister, click Deregister account.

Add a Let's Encrypt certificate

To add a Let's Encrypt certificate, see Request a Let's Encrypt certificate.

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days. The firewall sends a request to the Let's Encrypt CA to renew certificates expiring in less than 30 days. The Let's Encrypt CA then automatically renews these certificates.

Your existing certificates aren't renewed if you deregister with the Let's Encrypt CA.
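
The following is an added example, not Sophos code: a monitoring check that applies the 30-day renewal window described above to certificate expiry dates, so that a renewal that has silently stopped is noticed before the certificate expires. The input format (output of `openssl x509 -noout -subject -enddate`), the host names, and the 7-day grace period are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # page: renewal is requested under 30 days to expiry
GRACE = timedelta(days=7)          # assumption: time allowed for renewal to complete
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample: `openssl x509 -noout -subject -enddate` output for four certs.
SAMPLE = """\
subject=CN = portal.example.com
notAfter=Jun 29 00:00:00 2025 GMT
subject=CN = shop.example.com
notAfter=May 28 00:00:00 2025 GMT
subject=CN = mail.example.com
notAfter=May 20 00:00:00 2025 GMT
subject=CN = old.example.com
notAfter=Apr 30 12:00:00 2025 GMT
"""

def parse_certs(text):
    """Yield (common_name, not_after_utc) pairs from openssl output."""
    cn = None
    for line in text.splitlines():
        m = re.match(r"subject=.*?CN\s*=\s*([^,/]+)", line)
        if m:
            cn = m.group(1).strip()
        elif line.startswith("notAfter=") and cn:
            ts = datetime.strptime(line.split("=", 1)[1].strip(), OPENSSL_FMT)
            yield cn, ts.replace(tzinfo=timezone.utc)
            cn = None

def renewal_status(not_after, now):
    """Classify a certificate against the 30-day renewal window."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining >= RENEW_WINDOW:
        return "OK"                      # renewal not due yet
    if remaining >= RENEW_WINDOW - GRACE:
        return "IN_RENEWAL_WINDOW"       # renewal should be in progress
    return "RENEWAL_OVERDUE"             # still the old certificate: investigate

def audit(text, now):
    """Map each certificate's common name to its renewal status."""
    return {cn: renewal_status(exp, now) for cn, exp in parse_certs(text)}

if __name__ == "__main__":
    now = datetime(2025, 5, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for cn, status in audit(SAMPLE, now).items():
        print(f"{status:18} {cn}")
```

A RENEWAL_OVERDUE result is the cue to check that the account is still registered and that the current subscriber agreement has been accepted.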

Let's Encrypt is a trademark of the Internet Security Research Group. All rights reserved.