SSL Certificate for XG email MTA mode


I would like to get some clarity on how to implement MTA mode on XG Firewall.

Currently I have a UTM firewall with port forwarding to an internal Exchange 2016 server with a third party SSL certificate already installed.

I want to install the XG firewall with MTA mode.

1. Do I install the SAME SSL cert on the XG? The Exchange cert has a .cer extension, but the XG requires a .pem extension. Can I convert?

2. Do I get a NEW SSL cert for the XG? If so, what happens to the existing cert on the Exchange server. Leave it there or remove?


  • The Point is, XG will be your Outbound MTA, i assume. 

    So basically it depends on your setup.

    You have to give the MTA a hostname for the SMTP transmission.

    So XG uses this SMTP hostname for the helo/ehlo.

    Do you want to use the same hostname here? Then you have to use the same certificate with privat key. It is important to give XG the privat key as well.

  • Use the same certificate
    If your certificate are installed on Windows (Exchange, IIS …)
    Open MMC and add certificates (Machine)
    Export the certificate (check box the complete certificate  chain & private key) with pfx format.
    Record the password you need later.
    With OpenSSL convert it to PEM.
    Open the PEM with text editor and separate the key to a new file .key leave the rest of the certificates intact.
    Your PEM certificate now contains all the certificate chain and the .key file your private key.
    Import the certificate in Sophos (pem + key + password) and use this for SMTP SSL.
    Et Voila !!
  • In reply to Joan Miquel Gurdo:


    Sophos XG not send the complete cerificate chain (I opened a support case)

    if you import CA ROOT, Intermediate CA, and your certificate in separated, the XG is not trusted by others.

    Some mail servers need now trusted public certificates like Gmail.

    If you instal like that you go to have some mail servers issues.

    So use my metod for that not happend.