When the vendors HowTo's are not rebuilding the reality or "Install a subordinate certificate authority (CA) for HTTPS inspection" is wrong

Just for someone else with the same problem, I had a ticket with Sophos (for months just to get this answer...) because I didn't get this one working: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesInstallSubordinateCAForHTTPSInspection/index.html#generate-a-certificate-signing-request-csr. Problem began for us in 18.5 but it is the same in 19.0 (don't know if this one worked ever...).

I was told that this is not possible. After I asked again that they want to tell me that the HowTo from themselves is wrong it was confirmed. So if someone want's to do this you have to do it another way against what the help will tell you...

To have some additional benefit from this topic: I can recommend the DigiCertutil for that purpose: https://www.digicert.com/support/tools/certificate-utility-for-windows

But as a last word here: for me it is ridiculous to wait for months for a useful answer and then the answer is simply "Yes, that's right it is not possible you can use the certificate used by CSR of XG for web services like UI access, WAF, etc...but not for proxy or email..etc." instead of: Yeah you are right, we are fixing it like described in the HowTo. At least it would be of sense to delete the wrong entry in the help asap...

Added TAGs
[edited by: emmosophos at 10:18 PM (GMT -7) on 6 Jul 2022]