Removing the "Not secure" in browsers in Captive portal


We have a Sophos XG 330 firewall and want that captive portal should not have "Not Secure" mark in the browser. We do not want to upload a certificate into each and every endpoint system. What are the options available for us ?

- Self signed certificate would involve importing into each browser

- Is this possible by buying a SSL certificate from trusted authority like GOdaddy. ( The users access captive portal using HTTP currently, we can change that to HTTPS if needed)
(Users access the captive portal using a private IP like

  • Hi  

    Please refer to the article-

    The article will explain the scenario in detail.

  • In reply to Keyur:

    Hi Keyur thanks for the response. I actually went thru the article before posting my query here.

    Could you let me know if what we want is possible if we go with a Trusted SSL vendor like Godaddy?

  • In reply to Kandarp Desai1:


    As you have checked the article, you have referred the second method which is "Use a signed certificate by a trusted CA", it means you can use you any Trusted CA (Certificate Authority).

    There are 2 options to get Certificate from Trusted CA.

    1. Generate Certificate Signing Request (CSR) from the XG Firewall and send it to a Certificate Authority provider such as Verisign or Go daddy to sign it for you. The main benefit from this option is the customer chooses his certificate's private key (Not the CA provider). The private key has to be stored securely and never divulged.  
    2. Ask the Certificate Authority provider to generate a CSR and sign it for you. With this option, the CA provider chooses your certificate's private key on your behalf and send it to you along with its passphrase (if there is any) when your certificate is signed.

    You can opt any of the methods, you can share the article with Godaddy and explain them with the situation.

    The Certificate Authority should send you back your signed certificate with all required subordinate certificate (if there is any) to maintain the chain of trust.

    The private key and its passphrase downloaded earlier must be used when uploading the certificate. Once you complete the process, you can use the certificate for Captive Portal as well as Web admin console.

  • In reply to Keyur:

    Just to be sure, you are not talking about the SSL Inspection feature.


  • In reply to LuCar Toni:

    Hi Keyur and Lucar , I am referring to this article as well (

  • In reply to Kandarp Desai1:

    The steps involved would be as follows ( please correct if wrong ) 

    - Change the hostname of the Sophos XG firewall to an FQDN

    -Use this FQDN to get a certificate from a trusted root authority

    - Upload this certificate to the Sophos XG firewall to replace Appliance Certificate

    - Now I configure one DNS host entry that will resolve the FQDN:8090 to the internal IP

    - Captive portal now opens without any Certificate errors .


    Am i missing any steps ? Is this correct ?

  • In reply to Kandarp Desai1:

    You need to look up the difference between a FQDN and a Hostname.


    Basically XG should be only a hostname. 

    For example "XG". 

    Your Domain is "". 

    The FQDN would be 

    Your Certificate would be for 

    Your DNS would have a record for xg to your local IP Address. 


  • In reply to LuCar Toni:

    Thanks Lucar,

    That cleared a lot of things up. My main aim to do all these above things (going with Trusted CA) , is to avoid uploading of this certificate to each browser on each host ( there are a LOT of  systems in the premises) :) !!!