Regenerating Web Proxy Certificate

We have a UTM running 9.605-1; we use Web Filtering in Standard Mode with AD SSO & Decrypt & Scan.

The original certificate that came with the UTM is expiring and I have a reminder to renew it.

When I press the "Regenerate" button and create the new certificate, will users immediately start getting certificate warnings in their browsers? Or will the existing certificate continue to be used until it expires?

I intend to deploy the new certificate via Group Policy, but would like to give relevant people a "heads up" to any potential issues when it is renewed.

Many thanks



  • Hi  

    Once you click on the "Regenerate" button and OK the details, it will generate a new Sophos Proxy CA and will start using it. So users will immediately receive errors for any HTTPS page scanned by Sophos.

    What I used to suggest to customers is to use their organization's CA (if they have one or have set up PKI) and upload that in Sophos UTM to use as a Proxy CA. So they can install the CA in machines before uploading it in UTM and use it as a Proxy CA. This works well and does not require more than 2-3 minutes.

    However, if you can stop Decrypt and Scan for the time while you install this CA in all the devices in the network, it should work fine. There might be some machines that would not install the CA using GPO, so you can expect some minor bumps in the process.

    Regards

    Jaydeep

  • Jaydeep's suggestion is the most elegant solution. I used a different approach once with a client that didn't have their own CA. You can:

    1. Download the current Proxy CA.
    2. When the office is empty, regenerate the Proxy CA, download it and upload the original CA.
    3. Distribute the new CA via GPO.
    4. After a week, upload the new Proxy CA.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
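
A pre-cutover check for the staged rollout described in this thread, as an added example that is not part of either reply and is not Sophos code: it reads the new Proxy CA file and reports which machines already have it in the Trusted Root store, so machines missed by the GPO are found before the UTM starts signing with the new CA. The file path and host list are placeholders, and checking remote hosts assumes PowerShell remoting (WinRM) is enabled.

```powershell
# Added example: confirm the new Proxy CA is trusted before the UTM starts using it.
param(
    # Assumption: new Proxy CA as downloaded from the UTM (placeholder path).
    [string]   $NewCaPath    = 'C:\Temp\new-proxy-ca.cer',
    # Assumption: hosts to check; remote hosts need PowerShell remoting (WinRM).
    [string[]] $ComputerName = @($env:COMPUTERNAME)
)

# Load the certificate file to get the thumbprint that identifies it in the store.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NewCaPath
"New Proxy CA: {0}  thumbprint {1}  expires {2:yyyy-MM-dd}" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter

# Runs on each target: is this thumbprint in the machine's Trusted Root store?
# GPO-deployed roots appear in this logical store alongside locally installed ones.
$check = { param($thumb) Test-Path -Path "Cert:\LocalMachine\Root\$thumb" }

$report = @(foreach ($name in $ComputerName) {
    try {
        if ($name -eq $env:COMPUTERNAME) {
            # Local machine: no remoting needed.
            $present = & $check $ca.Thumbprint
        } else {
            $present = Invoke-Command -ComputerName $name -ScriptBlock $check `
                -ArgumentList $ca.Thumbprint -ErrorAction Stop
        }
        [pscustomobject]@{ Computer = $name; NewCaTrusted = [bool]$present; Error = '' }
    } catch {
        # Unreachable hosts are reported as not trusted so they are followed up.
        [pscustomobject]@{ Computer = $name; NewCaTrusted = $false; Error = $_.Exception.Message }
    }
})

# Untrusted machines sort first; the summary line gives the go/no-go count.
$report | Sort-Object NewCaTrusted, Computer | Format-Table -AutoSize
$missing = @($report | Where-Object { -not $_.NewCaTrusted })
"{0} of {1} machines do not trust the new CA yet." -f $missing.Count, $report.Count
```

This only covers the Windows machine store; applications that keep their own trust store need a separate check.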