The Sophos Email Appliance lets you upload a certificate signed by a third party to use for services such as the Admin UI, Web Quarantine, TLS encryption, and SPX portal.
When you generated the CSR from the appliance and sent it to the certificate signing authority, you will get a certificate bundle from them. This article will guide you on how to upload the certificate to the appliance manually. The second option would be to import the certificate in PEM format.
Note: Add a certificate provided by a Certificate Authority to make the certificate available for use on the Email Appliance. The certificate must be in Privacy-Enhanced Mail (PEM) format, and it must match the selected CSR.
Note: When you generate the CSR from the appliance, the private key is generated and stored on the appliance. Once you get the response and upload it via the pending CSR link, the private key is appended automatically (so you only need to upload the CSR response).
The private key is generated when the certificate request is generated. You would get that from the appliance if it was generated there or it would be from whatever system they used to generate the request.