Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This article provides information about how certificates are used for communications to Sophos Central from Endpoints.
Applies to the following Sophos products and versions
Sophos Central Admin
Certificate security information
In order for systems to communicate to Sophos Central, HTTPS is used for security reasons. The implementation uses a SHA-2 self-signed certificate for connection to Sophos servers at *.upe.p.hmr.sophos.com and Certificate Pinning.
Certificate Pinning ensures that the certificate being sent to the client is from Sophos because our software has built-in checks to match the certificate to prevent hijacking of the certificate. In addition, Sophos uses a self-signed certificate to prevent a compromised root Certificate Authority from overriding the certificate that Sophos has pinned.
These settings may require additional configuration in third party systems or firewall devices if they have prevented usage of self-signed certificates.
SHA-2 Signing is used for Mac Endpoints as of version 9.9.4. The MCS servers that it connects to start with "mcs2-cloudstation-*.prod.hydra.sophos.com". Windows endpoints were migrated onto these servers following the retirement of support for operating systems that do not support SHA-2 (XP/2003). All other information about self-signing and certificate pinning still applies.
[edited by: GlennSen at 8:20 AM (GMT -7) on 5 Apr 2023]