Certificate Authority

You can add new certificate authorities to the unit. Generally speaking, a certificate authority or Certification Authority (CA) is an entity which issues digital certificates for use by other parties. A CA attests that the public key contained in the certificate belongs to the person, organization, host, or other entity noted in the certificate by signing the certificate signing request with the private key of the CA's own certificate. Such a CA is therefore called a signing CA.

On Sophos UTM on AWS, the signing CA was created automatically using the information you provided during the initial login to Sophos UTM on AWS. Thus, all certificates you create on the Certificates tab are self-signed certificates, meaning that the issuer and the subject are identical. However, you can alternatively import a signing CA by third-party vendors. In addition, to verify the authenticity of hosts or users requesting an IPsec connection, you can also use alternative CA certificates whose private keys are unknown. Those CA certificates are called verification CAs and can be added on this tab as well.

Important Note – You can have multiple verification CAs on your system, but only one signing CA. So if you upload a new signing CA, the previously installed signing CA automatically becomes a verification CA.

To add a CA, proceed as follows:

  1. On the Certificate Authority tab, click New CA.

    The Add CA dialog box opens.

  2. Make the following settings:

    Name: Enter a descriptive name for this CA.

    Type: Select the type of CA you are going to import. You can choose between verification CAs or signing CAs. A verification CA must be available in the PEM format, while a signing CA must be available in the PKCS#12 format.

    CA certificate: Click the Folder icon next to the CA certificate box and select the certificate you want to import. Note that if you are to upload a new signing CA, you must enter the password with which the PKCS#12 container was secured.

    Comment (optional): Add a description or other information.

  3. Click Save.

    The new CA certificate appears on the Certificate Authority list.

To delete a CA click the button Delete of the respective CA.

The signing CA can be downloaded in PKCS#12 format. You will then be prompted to enter a password, which will be used to secure the PKCS#12 container. In addition, verification CAs can be downloaded in PEM format.