Cert expire Proxy CA - UTM 9....



We've Sophos UTM 9 running on SG230, with Firmware Version: 9.600-5


Error Messages: 1 certificate(s) will expire within the next 30 days:

Proxy CA


Site-to-Site vpn has 4 active tunnels


We've redeployed Webadmin/User portal certificate, but we find the message will be email to the engineering staff the next morning with the following message "1 certificate(s) will expire within the next 30 days: Proxy CA".


Would appreciate help with this re-occurring message.


Kind regards,


  • The Proxy CA is the root certificate used to impersonate other websites.   It is used for all https-inspection and for block/warn on https sites even when https inspection is off.

    That certificate needs to be regenerated, because it expires (I think every 4 years).   

    To minimize downtime, a clever system manager used this process and posted it to this forum:

    • Backup your UTM configuration
    • Regenerate a new CA certificate
    • Export the new CA certificate (with private key) to a file.
    • Restore UTM from your backup, so that the old certificate is active again.
    • Distribute the new CA via GPO
    • After sufficient time for the CPO to replicate to your desktop devices, upload the new CA certificate back into UTM, and make it active.
  • In reply to DouglasFoster:

    Dear Douglas Foster,

    The info you've sent on the community blog was very helpful and I carried out some of the task you suggested but with a small difference. 

    The backups are done every evening so I didn't need to worry about doing another backup. 

    1. I logged onto the UTM and selected Web Protection  -> Filtering options -> HTTPS CAs -> Download ->Export as PKCS#12

    2. Once the certificate was down loaded I checked the certificate date. If the date showed the certificate was about to expire I carried out step 3.

    3. I regenerated the CA, once regenerated I download the certificate and confirm the expire date was extended.

    By running this process the problem as now been resolved.

    Once again thanks for your input.


  • In reply to PatrickBurnett1:

    Yes. but then you need to push the new root certificate to all your devuces.

  • In reply to PatrickBurnett1:

    Instead of backup and restore the UTM config, I did the following which should reduce the down time of the UTM (web filtering):

    When the existing cert. is still valid:

    1. Download existing cert. in PKCS#12 format
    2. Regen new cert.
    3. Download new cert. in PKCS#12 format
      Download new cert. in PEM format
    4. Upload existing cert. to Sophos UTM (to make web filtering to use existing cert.)
    5. Import new cert. (PEM) to AD GPO (Default Domain Policy in my case) to distribute the new cert to all AD machines

    After some time and before the existing cert expires:

    1. Upload new cert. to Sophos UTM
    2. Remove old cert. from AD GPO

    The down time (web filtering) should within 1-2 minute.

  • In reply to James Lee:

    I made this same suggestion to a client last month.  For some reason, he then had to reboot his appliance in order to get the new cert recognized after uploading it.  If anyone has a similar problem, I would first try:

    /var/mdw/scripts/httpproxy restart

    If you see this and try that, please report your result here.

    Cheers - Bob

  • In reply to BAlfson:

    Checked on my testing vm certificate upload should auto restart the web proxy service.

    Log message can be found in Web Filtering Log:

    2019:01:29-09:23:37 utm02 httpproxy[9070]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="404" message="shutdown finished, exiting"


    2019:01:29-09:24:00 utm02 httpproxy[9374]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="360" message="finished startup"



  • In reply to James Lee:

    Right, James, but that's still my recommendation and I would like to know if it makes any difference to anyone or if a complete reboot was needed and was successful.

    Cheers - Bob

  • In reply to BAlfson:

    Yep, this worked for me. i read an article on techwhoop.com , you can refer to it !