This article provides information about how certificates are used for communications to Sophos Central from Endpoints. The following sections are covered:
Applies to the following Sophos products and versions Sophos Central AdminCentral Endpoint Standard 11.5.5
In order for systems to communicate to Sophos Central, HTTPS is used for security reasons. The implementation uses a SHA-1 self-signed certificate for connection to Sophos servers at *.upe.p.hmr.sophos.com and Certificate Pinning. SHA-1 signing is used for connections from older operating systems that do not support later standards such as SHA-2 signing.
Certificate Pinning ensures that the certificate being sent to the client is from Sophos because our software has built-in checks to match the certificate to prevent hijacking of the certificate. In addition, Sophos uses a self-signed certificate to prevent a compromised root Certificate Authority from overriding the certificate that Sophos has pinned.
These settings may require additional configuration in third party systems or firewall devices if they have prevented usage of SHA-1 signed or self-signed certificates.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.