Generating and Applying a Certificate for Your Sophos

When using the Sophos on your computer, you are likely to receive a warning such as “This website is unsafe” or “Your connection is not private”. These warnings occur because the certificates are not trusted by your web browser or computer. The certificates are used to protect server-client communication. The Sophos firewalls (XG210 and XG125) come with a Default and an SSL CA certificate. The SSL CA certificate is used ONLY with the HTTPS Deep Scan Inspection feature. In general, this feature is NOT recommended for use on the ships.

Generation of the Certificate

1) Go to Certificates → Certificates and click Add, then select Generate Self-signed Certificates

2) Create a name for your certificate

3) Select IP address in the Certificate ID option and enter the IP address value

4) Fill in the values in the Identification Attributes such as Country name, state, locality name, organization name, organization unit name (department), email address

5) In Common Name add the IP address of the firewall on which the webadmin and captive portals will be opened (default example 172.16.16.16)

6) Once successfully generated, go to Administration → Admin Settings and set the certificate to the newly generated certificate

7) Now download this generated self-signed certificate and import it into the machine's browsers. Also download Default from Certificates → Certificate Authorities
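Before a self-signed certificate goes into a trust store, it is worth confirming that the downloaded file is the same certificate the firewall actually presents. The script below is an added example, not part of the original page or of any Sophos tooling; it assumes the certificate is available as a PEM file, and the script name, function names and the admin port argument are illustrative.

```python
import hashlib
import hmac
import ssl
import sys


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.strip())).hexdigest()


def normalize(fp: str) -> str:
    """Reduce 'AA:BB:..', 'aa bb ..' or plain hex to bare lowercase hex."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def same_certificate(downloaded_pem: str, served_pem: str) -> bool:
    """True only if both PEM texts encode byte-identical certificates."""
    return hmac.compare_digest(fingerprint(downloaded_pem), fingerprint(served_pem))


def matches_fingerprint(pem: str, expected: str) -> bool:
    """Compare against a fingerprint noted separately, in any common notation."""
    return hmac.compare_digest(fingerprint(pem), normalize(expected))


def fetch_served_pem(host: str, port: int) -> str:
    """Fetch the certificate the firewall presents, deliberately unvalidated:
    it is self-signed and not yet trusted, so the comparison is the check."""
    return ssl.get_server_certificate((host, port))


def main(argv):
    # Usage: check_cert.py <downloaded.pem> <firewall-ip> <admin-port>
    path, host, port = argv[1], argv[2], int(argv[3])
    with open(path, encoding="ascii") as fh:
        downloaded = fh.read()
    print("downloaded SHA-256:", fingerprint(downloaded))
    if same_certificate(downloaded, fetch_served_pem(host, port)):
        print("MATCH: the firewall presents the downloaded certificate")
        return 0
    print("MISMATCH: do not add this file to a trust store")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The printed SHA-256 value can also be compared by eye with the fingerprint shown in the browser's certificate details; `matches_fingerprint` does the same comparison for a fingerprint that was written down separately.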

Adding Your New (Or NOT new) Certificate to Your Local Machine

Windows 10 computer

1) Take the generated self-signed certificate that was downloaded (step 7 above) and unzip the tar file

2) Double-click on the “named cert” (file type is Personal Information Exchange)

3) Click through the installation wizard pop-up

4) When prompted for the certificate store, choose Place all certificates in the following store

5) Select the Trusted Root Certification Authorities store

6) Next, add certificate snap-ins → launch MMC (mmc.exe)

Macintosh computer

1) If you haven't already, download the Default certificate (step 7, Generation of the Certificate)

2) Once downloaded, double-click the certificate. This launches Keychain Access. A pop-up window will open; select System and click Add

4) Go to System → Certificates → Double-click on Default

5) Click Trust and then click Always Trust

What if I cannot Generate my own certificate?

A reported issue that we have seen is the inability to “Generate a Self-signed Certificate”: the option is grayed out. This is caused when the Sophos system is migrated from a Cyberoam install and the Default is set up incorrectly. To fix this issue, follow these steps:

1) Go to Certificates → Certificate Authorities → Default

2) The Default must have a Common Name in the format Sophos_CA_[serial] and an email address.

Once saved, check back under Certificates to generate your own self-signed certificate.

If you want more information on how to import certificates to specific web browsers go here: https://community.sophos.com/kb/en-us/123048

Note: That page specifically talks about using the Security_SSL_CA_Certificate; simply change it to Default and the directions are the same.

If you want more information on generating a self-signed certificate or requesting a certificate from a Certificate Authority, go here:

https://community.sophos.com/kb/en-us/132678#Use%20a%20signed%20certificate%20by%20a%20trusted%20CA