This article describes how to import a Certificate Authority for use in the Sophos UTM Web Proxy to perform HTTPS decrypt and scan.
Applies to the following Sophos products and versions: Sophos UTM
Sophos UTM's HTTPS decrypt and scan option works as a man-in-the-middle interception of HTTPS traffic. One HTTPS session is established between the web server and the UTM, and a second between the UTM and the client. For the client-facing session the UTM generates a certificate for the requested site on the fly and signs it with the CA configured as its Signing CA. Every UTM creates a unique Signing CA by default; because it is not trusted by client browsers, it must be deployed to all client browsers to avoid certificate warnings.
Most customers use the Certificate Authority that comes with the UTM. Here are some reasons they may wish to install a new one:
From WebAdmin, administrators can download a copy of the Certificate Authority so that they can deploy it to all clients using Active Directory (for example, a Group Policy that places it in the Trusted Root Certification Authorities store). Please note that Windows, Internet Explorer and Chrome all use the same shared Windows certificate store, so one deployment covers all of them. Firefox maintains its own separate Certificate Authority store and does not use the Windows store unless its security.enterprise_roots.enabled preference (or the equivalent enterprise policy) is turned on. Sophos Mobile Control and some other ways of managing corporate mobile devices allow admins to push the CA to all managed devices.
Note: It is not possible to purchase a Certificate Authority certificate that allows HTTPS man-in-the-middle decryption without warnings and without installing anything on the clients. Publicly trusted CAs are not permitted to issue subordinate CAs for traffic interception, and browser vendors distrust CAs that do so.
The Signing CA contains details, such as the organization name and common name in its subject, that admins may want to customize for their organization. Some customizations are available by regenerating the CA on the firewall; for full customization, administrators need to create the CA separately from the UTM and upload it. Either way, the previously deployed CA stops working once the Signing CA is regenerated or replaced, so the new CA must be redeployed to every machine that was using the old one.
Note: Whether the Signing CA is self-signed or issued by your organization's own internal CA, it is not trusted by clients by default. It still needs to be deployed to all client machines, or they will get a certificate error when attempting to browse the web through the HTTPS proxy.
Administrators using an intermediate CA as the Signing CA need to install the root CA that issued it as a Verification CA, otherwise the UTM cannot validate the Signing CA and HTTPS scanning does not work. If the issuer is itself an intermediate rather than a root, the UTM needs the complete certificate chain up to the root CA.
Note: Using an intermediate CA from your own root, or one issued for your local domain, does not remove the client-side step. Clients must trust the chain, so the intermediate CA (or its root) still needs to be deployed to all client machines, or they will get a certificate error when attempting to browse the web through the HTTPS proxy.
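The following script is an added example, not part of the Sophos article, that builds the custom CA described above outside the UTM as a two-tier chain (a self-signed root plus an intermediate that serves as the Signing CA), checks that the intermediate is really a CA and that it chains to the root, and packages it for upload. It assumes the openssl command-line tool is installed, that "Example Corp" and the file names are placeholders, and that the UTM accepts the Signing CA as a PKCS#12 bundle and the Verification CA as PEM (check the WebAdmin upload dialog for the formats it lists).

```shell
#!/bin/sh
# Added example (not from the Sophos article): build a custom HTTPS-inspection
# signing CA outside the UTM as a two-tier chain, check it, and package it.
# Assumptions: the openssl CLI is installed; "Example Corp" and the file names
# are placeholders; the UTM accepts the signing CA as a PKCS#12 bundle and the
# root CA as PEM.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORG="${ORG:-Example Corp}"
P12_PASS="${P12_PASS:-changeit}"   # transport password for the PKCS#12 bundle

# Extension profiles: both certificates are CAs. The intermediate gets
# pathlen:0 so it can only issue end-entity (per-site) certificates, which is
# all the proxy needs to do.
write_ext_cnf() {
  cat > "$WORKDIR/ca_ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[inter_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed root CA carrying the organization's own subject (10 years).
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=$ORG/CN=$ORG Root CA" \
    -config "$WORKDIR/ca_ext.cnf" -extensions root_ext \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.pem" 2>/dev/null
}

# Intermediate CA issued by the root (5 years); this is what the UTM uses as
# its Signing CA, so it needs the root on file as a Verification CA.
make_intermediate_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=$ORG/CN=$ORG HTTPS Inspection CA" \
    -config "$WORKDIR/ca_ext.cnf" \
    -keyout "$WORKDIR/inter.key" -out "$WORKDIR/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/inter.csr" -sha256 -days 1825 \
    -CA "$WORKDIR/root.pem" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -extfile "$WORKDIR/ca_ext.cnf" -extensions inter_ext \
    -out "$WORKDIR/inter.pem" 2>/dev/null
}

# Succeeds when the certificate carries basicConstraints CA:TRUE, i.e. it is
# actually allowed to sign the per-site certificates the proxy generates.
is_signing_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds when certificate $2 chains to a trusted root in file $1. This is the
# validation the UTM performs against its Verification CAs: with the root
# missing, the intermediate cannot be validated and the check fails.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Bundle the signing CA's private key and certificate (plus the root) for upload.
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/inter.key" -in "$WORKDIR/inter.pem" \
    -certfile "$WORKDIR/root.pem" -passout "pass:$P12_PASS" \
    -out "$WORKDIR/signing-ca.p12"
}

write_ext_cnf
make_root_ca
make_intermediate_ca
is_signing_ca "$WORKDIR/inter.pem"
verify_chain "$WORKDIR/root.pem" "$WORKDIR/inter.pem"
export_pkcs12
echo "signing CA bundle: $WORKDIR/signing-ca.p12 (upload as Signing CA)"
echo "root CA:           $WORKDIR/root.pem (upload as Verification CA; deploy to clients)"
```

The root.pem file is the one to deploy to clients (for example via Group Policy into Trusted Root Certification Authorities, and separately to Firefox or to managed mobile devices); the intermediate's private key only ever leaves the working directory inside the PKCS#12 bundle that goes to the UTM. Running verify_chain with any file other than the real root as the first argument fails, which is the same failure the UTM shows when the Verification CA is missing.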