
[Factory] Upload and Manage Certificates on SFOS via Factory

Sophos Factory offers pre-built pipelines to upload and manage certificates on a Sophos Firewall.
For example, you can use those pipelines to upload Let's Encrypt certificates to SFOS and use them there.

If you have already generated a certificate as described here:  [HowTo] Lets Encrypt Renewal Process with Factory

you can simply use those certificates with the predefined pipelines. You find them in the global catalog:

This pipeline requires the following inputs:

These inputs can be produced by a preceding pipeline, such as this one:  [HowTo] Lets Encrypt Renewal Process with Factory

In combination: 

Combined this way, the pipeline uploads the certificate to the firewall.

This is the editor code for the whole pipeline:


```yaml
# Editor code as exported from Factory. The indentation shows the nesting; the key lines
# that group the steps' configuration and the layout section are missing from the post as captured.
  - type: String
    name: Domain
    key: domain
    required: true
    visible: true
    default: false
    description: Domain to Generate and Upload
  - type: String
    name: hostname
    key: hostname
    required: true
    visible: true
    default: false
  - id: p1
    name: Lego Certificate Renewal
    type: pipeline
    depends: []
      pipeline_id: 6479fd20949984ba31087e65
      pipeline_revision_id: latest
        credential: Saleseng
        domains: '{|vars.domain|}'
        url: ''
        provider: route53
        tos: true
  - id: p2
    name: '[TEST] Upload Certificate'
    type: pipeline
      - p1
      pipeline_id: 6526c138429a74127ab653d1
      pipeline_revision_id: 652706774512ac34f47a4896
        credential: FirewallCreds
        hostname: '{|vars.hostname|}'
        port: '4444'
        name: '{|vars.domain + date_format(''yyyy-MM-dd'') |}'
        directory: '{|env.RUN_PATH + "/.lego/certificates"|}'
        certificate: '{|vars.domain + ".pem"|}'
        key: '{|vars.domain + ".key"|}'
outputs: []
    - id: p1
        x: -85
        'y': -180
      links: []
    - id: p2
        x: -85
        'y': -95
        - sourceId: p1
          sourcePort: bottom
          targetPort: top
          vertices: []
```

Fully automated Upload: 
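The upload step above takes whatever `<domain>.pem` and `<domain>.key` the Lego step left in `RUN_PATH/.lego/certificates` and pushes them to the firewall under the name `domain + date_format('yyyy-MM-dd')`. The following Go program is an added example, not code from the post or from Sophos Factory: it shows the pre-upload checks a practitioner would want between those two steps (the private key matches the certificate, the certificate covers the firewall hostname including wildcard names, and it is valid now and not about to expire), and it reproduces the pipeline's naming rule so each renewal lands as a distinct certificate object. The self-signed pair, the `example.test` names and the seven-day expiry threshold are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CertPair holds a PEM certificate and PEM private key, as the Lego step writes them
// (<domain>.pem and <domain>.key under RUN_PATH/.lego/certificates).
type CertPair struct {
	CertPEM []byte
	KeyPEM  []byte
}

// ValidateForUpload runs the checks worth doing before the "Upload Certificate" step:
// key matches certificate, certificate covers the hostname (wildcards included),
// certificate is valid at `now` and has at least minRemaining lifetime left.
// It returns the parsed leaf certificate on success.
func ValidateForUpload(p CertPair, hostname string, now time.Time, minRemaining time.Duration) (*x509.Certificate, error) {
	// tls.X509KeyPair verifies that the private key belongs to the leaf certificate.
	kp, err := tls.X509KeyPair(p.CertPEM, p.KeyPEM)
	if err != nil {
		return nil, fmt.Errorf("certificate/key mismatch or bad PEM: %w", err)
	}
	leaf, err := x509.ParseCertificate(kp.Certificate[0])
	if err != nil {
		return nil, fmt.Errorf("parse leaf: %w", err)
	}
	if now.Before(leaf.NotBefore) {
		return nil, fmt.Errorf("certificate not yet valid (NotBefore %s)", leaf.NotBefore.UTC())
	}
	if remaining := leaf.NotAfter.Sub(now); remaining < minRemaining {
		return nil, fmt.Errorf("certificate expires in %s (NotAfter %s)", remaining.Round(time.Hour), leaf.NotAfter.UTC())
	}
	// VerifyHostname matches against the SAN list, including "*.example.test" style wildcards.
	if err := leaf.VerifyHostname(hostname); err != nil {
		return nil, fmt.Errorf("certificate does not cover %q: %w", hostname, err)
	}
	return leaf, nil
}

// UploadName reproduces the pipeline's naming rule, domain + date_format('yyyy-MM-dd'),
// so every renewal gets its own object name on the firewall.
func UploadName(domain string, now time.Time) string {
	return domain + now.UTC().Format("2006-01-02")
}

// newSelfSignedPair builds a constructed test pair (not a real Let's Encrypt certificate)
// so the example runs offline.
func newSelfSignedPair(dnsNames []string, notBefore, notAfter time.Time) (CertPair, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertPair{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return CertPair{}, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return CertPair{}, err
	}
	return CertPair{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

func main() {
	now := time.Now()
	// Constructed wildcard pair, valid for 90 days, as a Let's Encrypt wildcard certificate would be.
	pair, err := newSelfSignedPair([]string{"*.example.test", "example.test"}, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	leaf, err := ValidateForUpload(pair, "fw.example.test", now, 7*24*time.Hour)
	if err != nil {
		fmt.Println("refusing upload:", err)
		return
	}
	fmt.Printf("ok: uploading %q as %s (expires %s)\n", leaf.DNSNames, UploadName("example.test", now), leaf.NotAfter.UTC().Format(time.RFC3339))
}
```

Run the checks right after the Lego step and let the pipeline fail before the upload step if they do not pass; a certificate/key mismatch or a stale file in `.lego/certificates` then shows up as a failed run instead of a broken listener on the firewall.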

Parents Reply
  • This solution still works as a wildcard certificate and can be used everywhere else. So it is not a simple "WAF certificate" like UTM did it. Instead you have a wildcard certificate to be used for everything you want (one certificate for everything within the domain).

    This approach makes it much easier to deploy it on different solutions as well. And you could even upload it to other solutions like servers or solutions with API access.

    Factory is an automation tool, perfect for partners or customers to automate certain processes.

    To run Factory only for Let's Encrypt might be a complicated solution, but you could do much more there as well. For example, I am refreshing LE for multiple solutions on a schedule, uploading code to firewalls, etc.
