You can re-generate the VPN Signing CA that was created during the initial setup of the unit, and you can enable the use of Let’s Encrypt certificates. The VPN Signing CA is the certificate authority that signs the digital certificates used for remote access and site-to-site VPN connections. The old VPN Signing CA is kept as a verification CA, so certificates it issued can still be verified.

Re-generate Signing CA

You can renew all user certificates using the current signing CA. This becomes relevant once you have installed an alternative VPN Signing CA on the Certificate Authority tab.

Caution – Sophos UTM and all user certificates will be re-generated using the new signing CA. This will break certificate-based site-to-site and remote access VPN connections.

Let’s Encrypt™ Certificates

Let's Encrypt is a certificate authority that provides free X.509 certificates for Transport Layer Security encryption via an automated process designed to eliminate the hitherto complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites. (Source: Wikipedia)

Sophos UTM provides Let’s Encrypt integration to make managing certificates easier for you. You can use Let’s Encrypt certificates anywhere in the UTM, for example for VPN connections, as the WebAdmin or User Portal certificate, or with the web application firewall. To be able to use Let’s Encrypt, the domain names for which you request certificates must be publicly accessible, because Let’s Encrypt validates them over the internet. Let’s Encrypt certificates are checked once per day by a cron job and are automatically renewed if they expire in less than 30 days.
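The daily renewal check described above decides purely on remaining lifetime: a certificate is due for renewal once fewer than 30 days remain. The following script is an added illustration of that decision and is not part of Sophos UTM; it reads the `notAfter=` line that `openssl x509 -enddate -noout -in cert.pem` prints, so an administrator can apply the same 30-day rule to exported certificates and confirm the cron job has kept them fresh. The certificate names, dates and the fixed "now" are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Threshold stated in the documentation: renew when fewer than 30 days remain.
RENEW_WITHIN_DAYS = 30

# Constructed sample data: one line per certificate, in the exact format that
# `openssl x509 -enddate -noout` prints (day of month is space-padded).
SAMPLE_ENDDATES = {
    "webadmin.example.com": "notAfter=Mar 15 12:00:00 2025 GMT",
    "vpn.example.com":      "notAfter=Jan 20 08:30:00 2025 GMT",
    "expired.example.com":  "notAfter=Dec  1 00:00:00 2024 GMT",
}

# Fixed reference time so the result is reproducible (constructed value).
NOW = datetime(2025, 1, 10, 0, 0, 0, tzinfo=timezone.utc)


def parse_not_after(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    key, _, value = line.partition("=")
    if key.strip() != "notAfter":
        raise ValueError("expected a notAfter= line, got: %r" % line)
    value = value.strip()
    if value.endswith(" GMT"):
        value = value[:-4]
    else:
        raise ValueError("unexpected timezone in: %r" % line)
    # strptime treats a single space in the format as one-or-more whitespace,
    # so the space-padded day 'Dec  1' is handled.
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def classify(not_after, now, threshold_days=RENEW_WITHIN_DAYS):
    """Return (days_left, status) where status is 'ok', 'renew' or 'expired'."""
    remaining = not_after - now
    days_left = remaining.total_seconds() / 86400.0
    if remaining <= timedelta(0):
        return days_left, "expired"
    if remaining < timedelta(days=threshold_days):
        return days_left, "renew"
    return days_left, "ok"


def check_certificates(enddate_lines, now):
    """Map each certificate name to its days_left and renewal status."""
    report = {}
    for name, line in enddate_lines.items():
        days_left, status = classify(parse_not_after(line), now)
        report[name] = {"days_left": days_left, "status": status}
    return report


if __name__ == "__main__":
    for name, info in check_certificates(SAMPLE_ENDDATES, NOW).items():
        print("%-24s %7.1f days left  %s" % (name, info["days_left"], info["status"]))
```

Anything reported as `renew` that is still unrenewed a day later, or as `expired`, points at a failed renewal, which is also one of the notification conditions listed below.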

Allow Let’s Encrypt certificates: To use Let’s Encrypt, select the checkbox and click Apply. By doing so, you agree to the Let’s Encrypt terms of service. The UTM will contact the Let’s Encrypt server and create a Let’s Encrypt account for use with the UTM. You can click the Refresh button to see whether the process has finished.

When you turn off the Let’s Encrypt feature, there will be a warning. If you proceed, all data related to Let’s Encrypt will be deleted.

Notifications: You will receive a notification in the following circumstances.

  • The renewal of a Let’s Encrypt signed certificate failed.
  • The Let’s Encrypt terms of service have changed. You will then have to go back to the Certificate Management > Advanced page and re-enable the Let’s Encrypt feature; by doing so, you agree to the new terms of service. Until you have done that, no new Let’s Encrypt certificates can be created and existing ones cannot be renewed.

You can find logging information at any time in the Let’s Encrypt log on the Logging & Reporting > View Log Files page of WebAdmin.