Sophos Email Appliance: Correct format to upload certificate if CSR is generated from the appliance

Special thanks to H_Patel for authoring this article!


The Sophos Email Appliance lets you upload a certificate signed by a third party to use for services such as the Admin UI, Web Quarantine, TLS encryption, and SPX portal.


After you generate the CSR on the appliance and send it to the certificate signing authority, you receive a certificate bundle from them. This article guides you through uploading that certificate to the appliance manually. The second option is to import the certificate in PEM format.

Note: Add a certificate provided by a Certificate Authority to make the certificate available for use on the Email Appliance. The certificate must be in Privacy-Enhanced Mail (PEM) format, and it must match the selected CSR.

What to do

  1. Navigate to Configuration > System > Certificates > Certificates.
  2. Find Pending CSR - upload certificate.
  3. Click upload certificate; a new prompt opens. In this prompt, copy the certificate and paste it in the format outlined below.

    -----BEGIN CERTIFICATE-----
    <domain_name crt>
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate CA crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Root CA crt)
    -----END CERTIFICATE-----

Note: When you generate the CSR from the appliance, the private key is generated and stored on the appliance. Once you get the response and upload it via the pending CSR link, the private key is appended automatically (so you only need to upload the CSR response).

The private key is generated at the same time as the certificate request. You would get it from the appliance if the request was generated there; otherwise it comes from whatever system was used to generate the request.


[edited by: H_Patel at 3:47 PM (GMT -7) on 15 Jun 2021]