Sophos UTM Web Protection HTTPS CA

Hi All,

I've been having some trouble with my Sophos UTM after upgrading to the latest version of iOS and OSX on my Apple devices. Web browsing is no longer possible on these devices due to Apple's requirements changing where keys must use key sizes greater than or equal to 2048 bits. Unfortunately, the latest update for Sophos UTM which was supposed to resolve this problem, hasn't. When using the Sophos UTM CA, certificates are still being generated at 1024 bits.

I have a Windows Domain environment setup at home. I've recently setup Microsoft Active Directory Certificate Services, where I'd like to use this as the CA for my Sophos UTM HTTPs scanning. I can't seem to find any documentation on the procedure of doing this, I've only been able to come across documentation on this for the Sophos XG Firewall. Is it possible to set Sophos UTM to use the CA of Microsoft Active Directory Certificate Services?

Any help with this would be greatly appreciated!


  • Hi RichardHughes1,

    This issue (NUTM-11202 [Web] Conform to Apple's new certificate requirements introduced in iOS13 and macOS10.15) has been fixed with a firmware update. Please check out the firmware release note: UTM Up2Date 9.700 Released


  • In reply to H_Patel:

    Hi H_Patel.

    Thank you for your response and info, it's much appreciated! I'm not sure if Apple's requirements have since changed again after the latest Sophos UTM update, as the CA on the UTM is still generating 1024 bit keys. I'm currently running the latest firmware version (according to my UTM) - Firmware version: 9.700-5, Pattern version: 173849. Looking at other forum threads here, other customers are having similar problems with the latest firmware release -

    Would you know if there is any documentation on changing the Sophos UTM CA to a Microsoft Server hosted CA?

    Thanks again,

  • In reply to RichardHughes1:

    Hi RichardHughes1,

    I have updated my LAB UTM and it generates certificates with a 2048 bit key, but I have noticed in some cases it still generates the certificate with a 1048 bit key, and it is believed to be fixed with firmware update 9.7 MR1. A workaround to this would be to re-generate the certificate from the backend or create a new certificate using any Linux system.

    If you have SSH access to your UTM you can follow this process to re-generate the certificate.

    1. cc
    2. ca
    3. ca_proxies$
    4. press TAB

    You have to find the correct reference for the proxy CA.

    In my case it is: REF_CaSigProxyCa[Proxy CA,ca,signing_ca]

    Just add "=" in front of that reference, like below:

    MAIN ca/ca_proxies (REF:ca->signing_ca) > =REF_CaSigProxyCa[Proxy CA,ca,signing_ca]
    result: 1
    Proxy CA [REF_CaSigProxyCa] MAIN ca/ca_proxies (REF:ca->signing_ca) >

    This will regenerate the certificate.
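A quick way to confirm whether the regenerated (or any exported) Proxy CA actually meets the 2048-bit minimum the thread is about, as an added example that is not part of the original posts and not Sophos's own tooling. It assumes only the openssl command-line tool; the two self-signed CA certificates it creates are constructed test material, not certificates from a real UTM.

```shell
#!/bin/sh
# Added example: report the RSA key size of an X.509 certificate (for
# instance the UTM "Proxy CA" exported from the HTTPS CAs page) and check
# it against Apple's 2048-bit minimum. Assumes the openssl CLI is installed.

APPLE_MIN_RSA_BITS=2048

# Print the RSA modulus size in bits of the PEM certificate given as $1.
rsa_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 when the certificate's key meets the minimum, 1 otherwise.
meets_apple_minimum() {
    bits=$(rsa_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$APPLE_MIN_RSA_BITS" ]
}

# Constructed test material: two throw-away self-signed CA certificates,
# one with a 1024-bit key (what the thread reports the UTM still producing)
# and one with a 2048-bit key. $1 = key size, $2 = output certificate path.
make_test_ca() {
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "${2%.pem}.key" \
        -out "$2" -days 1 -subj "/CN=Constructed Proxy CA $1" 2>/dev/null
}

WORK=$(mktemp -d)
make_test_ca 1024 "$WORK/weak.pem"
make_test_ca 2048 "$WORK/ok.pem"

for cert in "$WORK/weak.pem" "$WORK/ok.pem"; do
    if meets_apple_minimum "$cert"; then
        echo "$cert: $(rsa_key_bits "$cert") bit RSA - OK"
    else
        echo "$cert: $(rsa_key_bits "$cert") bit RSA - below $APPLE_MIN_RSA_BITS, regenerate the CA"
    fi
done

rm -rf "$WORK"
```

To check a real UTM, export the Proxy CA as PEM from the WebAdmin HTTPS CAs page and pass the file to `meets_apple_minimum`; a result below 2048 bits means the regeneration above still needs to be done (or a CA with a larger key uploaded) before Apple clients will accept the intercepted sites.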