This articles describes the steps to generate, sign and install a subordinate certificate authority (CA) for HTTPS inspection. The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall
Go to Certificates > Certificates and click Add.
Choose Generate Certificate Signing Request (CSR) and fill the required fields accordingly.
Download the newly generated CSR
Your downloaded CSR package should include the:
Login to the Microsoft certificate server at https://<IP_address>/certsrv and select Request a Certificate.
Select Advanced certificate request.
Open the CSR file and copy the complete content without any extra line. Choose Subordinate Certificate Authority as a template.
Download the certificate in DER encoded format.
The downloaded certificate looks like this:
OpenSSL is useful tool to convert certificate. Open a command Shell and type the following OpenSSL command to convert the *.cer file into a *.pem file.
OpenSSL x509 -inform DER -in certnew.cer -out proxy.pem
Go to Certificates > Certificates Authorities and select Add to upload the newly generated *.pem file. The private key and passphrase are the files downloaded earlier when generating the CSR.
Once uploaded, the signed CA should show up under Certificates Authorities tab.
In order to use the recently uploaded signed CA, you must also add its root CA to the XG Firewall. If you do not have the root CA file, it is possible to export it from every client joined the domain or directly from the CA server. In the example below the root CA is exported from the CA server.
Go to Certificates > Certificates Authorities and select Add to upload the newly exported root CA.
Once uploaded, the root CA should show up under Certificates Authorities tab.
Go to Web > General Settings and under HTTPS Decryption and Scanning section, set the HTTPS Scanning Certificate Authority (CA) to the recently signed subordinate CA.
Go to Firewall to edit the rule controlling the traffic and enable Decrypt & Scan HTTPS under Web Malware and Content Scanning section.
Surf the Internet and you can now see the complete certificate chain (root CA and the proxy certificate) in the web browser.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.