Hi,
In previous versions of the product, we had a very insecure process where downloading a CSR also included the private key, together with a text file containing the private key password. This meant that customers could do things with certificates created on the Firewall as if the Firewall was actually a serious PKI solution. It was never intended for that purpose.
For security reasons, we now prevent users from downloading the private key. The key is therefore kept safely and securely on the firewall.
Creating a certificate from the Default CA is intended for internal use – for example, for internal WAF connections or if you want to create a custom cert for the WebAdmin.
If you want to reuse a certificate and private key, you'll need to use another tool to create the private key and then upload the signed certificate to your firewall.
Note: The change was announced in the 18.5 MR2 release notes (https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.5) published on Nov 29, 2021.
Hope that helps,
Rémi
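The workflow described in the reply above (private key created outside the firewall, only the CSR sent for signing, signed certificate uploaded afterwards), sketched with OpenSSL as an added example that is not part of the original post or of Sophos documentation. It assumes OpenSSL 1.1.1 or later; the host name `fw.example.test`, the file names and the throwaway signing CA are constructed for the demonstration.

```shell
#!/usr/bin/env bash
set -eu

# Create the key and CSR off-box. The subshell body keeps the umask change local.
make_key_and_csr() (              # $1 = output dir, $2 = FQDN (constructed)
  umask 077                       # private key readable by its owner only
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$1/server.key" 2>/dev/null
  openssl req -new -key "$1/server.key" -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -out "$1/server.csr"
)

# The file handed to the CA must exist and carry no private key material.
csr_is_key_free() { [ -s "$1" ] && ! grep -q "PRIVATE KEY" "$1"; }

# SHA-256 of the public key inside a key, CSR or certificate file.
pub_fp() {                        # $1 = key|csr|cert, $2 = file
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1                # unreadable input must never count as a match
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Check before upload: the signed certificate belongs to the key we hold.
cert_matches_key() {              # $1 = certificate, $2 = private key
  c=$(pub_fp cert "$1") && k=$(pub_fp key "$2") && [ "$c" = "$k" ]
}

# Stand-in for the real CA (constructed): signs server.csr with a throwaway CA.
sign_with_demo_ca() {             # $1 = working dir
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

d=$(mktemp -d)
make_key_and_csr "$d" fw.example.test
csr_is_key_free "$d/server.csr"
sign_with_demo_ca "$d"
cert_matches_key "$d/server.crt" "$d/server.key" && echo "certificate matches key"
rm -rf "$d"
```

In a real deployment the `sign_with_demo_ca` step is replaced by submitting `server.csr` to the CA, and `server.key` stays wherever it was generated.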