Sophos Factory: Upload LetsEncrypt Certificates on SFOS via Factory

Sophos Factory offers pre build pipelines to upload and manage certificates on a Sophos Firewall. 
For example can you upload and use Certificates like LetsEncrypt Certificates in SFOS with those Pipelines. 

If you have a Certificate already generated like described here:  [HowTo] Lets Encrypt Renewal Process with Factory 

You can simply use those certificates with the predefined Pipelines. You find them in the global catalog:

This Pipeline require the following Inputs:

Which could be extracted by a pipeline before that. Like this one:  [HowTo] Lets Encrypt Renewal Process with Factory 

In combination: 

Which will upload the certificate to the firewall. 
To integrate the Firewall, please follow the following: Sophos Factory: Integrate Sophos Factory with Sophos Firewall  

This would be the editor code for everything:


  - type: String
    name: Domain
    key: domain
    required: true
    visible: true
    default: false
    description: Domain to Generate and Upload
  - type: String
    name: hostname
    key: hostname
    required: true
    visible: true
    default: false
  - id: p1
    name: Lego Certificate Renewal
    type: pipeline
    depends: []
      pipeline_id: 6479fd20949984ba31087e65
      pipeline_revision_id: latest
        credential: Saleseng
        domains: '{|vars.domain|}'
        url: ''
        provider: route53
        tos: true
  - id: p2
    name: '[TEST] Upload Certificate'
    type: pipeline
      - p1
      pipeline_id: 6526c138429a74127ab653d1
      pipeline_revision_id: 652706774512ac34f47a4896
        credential: FirewallCreds
        hostname: '{|vars.hostname|}'
        port: '4444'
        name: '{|vars.domain + date_format(''yyyy-MM-dd'') |}'
        directory: '{|env.RUN_PATH + "/.lego/certificates"|}'
        certificate: '{|vars.domain + ".pem"|}'
        key: '{|vars.domain + ".key"|}'
outputs: []
    - id: p1
        x: -85
        'y': -180
      links: []
    - id: p2
        x: -85
        'y': -95
        - sourceId: p1
          sourcePort: bottom
          targetPort: top
          vertices: []

Fully automated Upload: 

Edited TAGs and Title
[edited by: emmosophos at 11:11 PM (GMT -7) on 1 Apr 2024]
Parents Reply Children
  • too much setup for a few Lets Encrypt certificates...

    then we would have to look for another easier solution, which unfortunately this is not.

  • This solution still works as Wildcard Certificate and can be used everywhere else. So it is not a simple "WAF Certificate" like UTM did it. Instead you have a Wildcard Certificate to be used for everything you want (one certificate for everything within the domain). 

    This approach makes it much easier to deploy it on different solutions as well. And you could even upload it to other solutions like servers or solutions with API Access. 

    Factory is an automation tool, perfect for partners or customers to automate certain process. 

    To run factory only for Lets Encrypt might be an complicate solution, but you could do much more there as well. For example, i am refreshing LE for multiple solutions scheduled, upload code to firewalls etc. 


  • Would this be appropriate for a partner to deploy and assign certificates across several hundred clients?  Seems like that would be a challenge.  Not a single wildcard cert but a cert for every company. 

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • As you can scale this, you would generate per customer one certificate and "offer the certificate to the customer". Partners doing this right now. 

    The point here is: The wildcard can be offered directly to the firewall or as multiple approaches. For example you can upload it to the firewall and send it as a S3 Bucket Download to the customer via Email or Teams. So the customer can reuse it manually, if he wants. 

    The customer in the end does one thing (one time config): He creates a CNAME to the partner domain. The rest is automatically generated by lego in this principle. I wrote about this here:  [HowTo] Lets Encrypt Renewal Process with Factory 

    Right now, i am doing this for 20 domains automatically (Upload to firewalls and offering via Teams). 

    Factory offers the way to automate this per domain, per customer individually. Which means: You build the pipeline and then recreate the customer variables one time and run this pipeline per customer automatically every 90 days. 

    It is a service offering from the partner for the customer. Some customers do not need a LE certificate, as they have no public facing services anyway. 

    And as this solution is entirely free, you are free to try it and report back about your findings.