Which email addresses does XG include for SSL/TLS certificate values "issuer" and "subject" ? can the License email also be used? Locally-signed certificate: You can generate these certificates on the firewall. Your browser doesnt support copying the link to the clipboard. Install the certificate on your computers or browsers by following the steps in Sophos Firewall: Add a CA manually to endpoints. Generate the CSR and certificate externally. What To Do Download the SecurityAppliance_SSL_CA certificate authority from the Sophos Firewall and upload it to the client system browser under trusted root certification authorities. Please follow this KB Article for more info:Sophos XG Firewall: How to use your own certificate for WebAdmin and Captive Portal. The appliance certificate does not use the license email address. Could it be that you have a WAF rule that uses this SSL Cert? Go to Web > General settings and verify the HTTPS scanning CA that is used. When you generate a self-signed certificate, the registration/license email address will be populated automatically. Can you check, they expect you to do a CSR. You can upload an external certificate, generate a locally-signed certificate, and generate a Certificate Signing Request (CSR). Sophos Firewall is shipped with a default CA certificate that provides secure access (HTTPS) for the web admin console and when the web proxy shows a block or warning page. When I used the .key file, it said unrecognised format. Download your certificate. Built-in certificate: Sophos Firewall provides a built-in certificate (, Locally-signed certificate: You can generate these certificates on the firewall. This should be much easier. KB-000035735 Mar 24, 2023 0 people found this article helpful. So, how should i use this .pem file to get it to upload to XG and be selectable to use? They provide you a PEM and no Key. Note: The content of this article is available on Sophos Firewall: Set primary authentication method. Its name is local_certificate_authority.tar.gz Extract the file and import Default.der to MMC. External certificate: You can import an external certificate. I tried replacing existing one with new one, but it said a rule/policy was already using it. Here's what you will need: Your SSL Certificate in .pem or .der format: It resides in the ZIP folder you received from your CA Your private key: You've generated it along with the CSR code on the Sophos XG Firewall server Can you use CSR with GoDaddy? New Sophos Support Phone Numbers in Effect July 1st, 2023. __________________________________________________________________________________________________________________. So I then added the certificate as new and it appears in the list with the one from 2 years ago.However, when I go to the SMTP TLS section and click on drop down list to replace the current one with the new one, it does not show up in the list. Or did you do a CSR? When it was done first 2 years ago, I selected the .pem file and the .key file entered the password and the SSL upladed to the XG. default Self Signed Certificate Values flomb over 3 years ago After the initial setup I end up with a selfsigned certificate. can the License email also be used? Generate a CSR on the firewall and use it to generate a certificate signed externally, such as Active Directory Certificate Services. Close and open the browser once the certificate has been trusted as a root certificate. You can copy the certificate or download it as a .crt file. New Sophos Support Phone Numbers in Effect July 1st, 2023. There isThe Original one, Default, the XG cert and one other. Please copy it manually. Help us improve this page by. Email, General, SMTP TLS Configuration, TLS Certificate drodown, That is correct, there are actually 2 files a .pem file and a .crt file named the same. Now that there is a new one (old one expires in 2 weeks), I tried to load the new cert to existing, but it said a . 1997 - 2023 Sophos Ltd. All rights reserved. Reset Web admin certificate May 12, 2023 Use to reset the web admin certificate back to default. That is odd, i mean. These are signed by the firewall's internal CA (. How is this done for xg? If you are talking about the SecurityAppliance_SSL_CA certificate, you could download the certificate, change the extension to .crt and open it to view the "Issuer" and "Subject" information. Of course, that is just a duplicate of the one that will expire in 13 days.So, 2 years after the first cert was provided by goDaddy a new one is available to use and goDaddy provided just the .pem file. and if so,in which case does XG use it instead of the default notification email address.I try to understand the process of "populating automatically". Generating certificates Built-in certificate: Sophos Firewall provides a built-in certificate ( ApplianceCertificate) that's selected by default for services, such as the web admin console, user portal, and captive portal. How is this done for xg? If the signing CA is a subordinate CA, make sure you also upload its root CA. What section specifically? Then within the configurartion of MTA Email TLS section I was able the select the named SSL certNow that there is a new one (old one expires in 2 weeks), I tried toload the new cert to existing, but it said a rule was using it (Email TLS section). I know utm used the default notification email. After the initial setup I end up with a selfsigned certificate.Which email addresses does XG include for SSL/TLS certificate values "issuer" and "subject" ? Yet using the same .key file with the original .pem giving it a new name, it uploaded alright. It needs to have the private key. Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products . Thank you for your feedback. Sophos Firewall: Set the primary authentication method for VPN users. You should do a CSR. https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=certificates-manage. Always use the following permalink when referencing this page. I would expect a CSR. So, 2 years ago a goDaddy SSL cert was added to XG and been used since that date.It is now renewed with goDaddy and downloaded. The .key files was not needed as i have read that the .key will already be uploaded to the XGHope this helps, I tried to point to new cert, but it does not appear in the drop down list within MTA Email, TLS section. SMTP, POP/IMAP? I selected the .pem and entered the password and it uploaded successfully. But not the one I have addedDid I miss a step to get the new added one appearing in the lst? When it was done first 2 years ago, I selected the .pem file and the .key file entered the password and the SSL upladed to the XG. I know I can generate new self signed certs.I am only interested in the one which is automatically created at start.Does it use License email addresses? How did you replace / upload the new one? I know utm used the default notification email. Why should the Key be present? Hover over a certificate's name to see its subject, issuer, and purpose. Then within the configurartion of MTA Email TLS section I was able the select the named SSL cert. Sophos XG Firewall accepts SSL certificates signed by multiple CAs in .pem or .der format. 1997 - 2023 Sophos Ltd. All rights reserved. So, I then uploaded the new one with a new name. You can generate it using one of the following methods: Make sure you upload both the certificate and the signing CA to the firewall. This means, the assume, you have the old Key? Home. Sophos Firewall requires membership for participation - click to join, Sophos XG Firewall: How to use your own certificate for WebAdmin and Captive Portal. docs.sophos.com//index.html, Asus H410i-plus - Pentium 6605 Gold - 250, Renew SSL certificate for email on XG Firewall, [If any of my postsare helpful to you please use the'Verify Answer'link], Sophos Firewall requires membership for participation - click to join. It will remain unchanged in future help versions. Likely you uploaded simply a PEM without Private Key. Download your default certificate.