This discussion has been locked.

Root Certificate automatically included by WAF of Sophos Firewall?

Hi everyone!

We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1).

We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate.

But, when we check the site with a tool like we see that the server (e.g. the Sophos Firewall) also sends the root certificate. Which is not what we want and which we don't see when we check sites like

Are we correct to assume that this is done by the XGS? Is that intentional? Is there a way to circumvent this?


Best regards,


  • What is the reason you don't like the root cert to be sent?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp!

    Thanks for the answer.

    Well, if I read this:

    ("Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain" [...] "that the extra certificate (which serves no purpose) is increasing the handshake latency")


    ("You do not need to include the root certificate in the certificate chain that you serve, since clients already have the root certificate in their trust stores. Including the root is inefficient since it increases the size of the SSL handshake.")

    it is best practice to not send the root certificate, as far as I understand it. The root cert should always already be known by the client.
    And, as I wrote, other professional sites do not send the root cert, like Microsoft or Google. That's a further sign that it should not be sent by the Sophos Firewall.
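
One way to check what a server actually sends, as an added example that is not part of the original thread: the Python below parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports any entry whose subject equals its issuer, which is how a served root shows up. The sample output and all names in it are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; all names are made up for illustration.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example Trust, CN = Example Intermediate CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
 1 s:C = XX, O = Example Trust, CN = Example Intermediate CA
   i:C = XX, O = Example Trust, CN = Example Root CA
 2 s:C = XX, O = Example Trust, CN = Example Root CA
   i:C = XX, O = Example Trust, CN = Example Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")        # "   i:<issuer>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, in_chain, current = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):          # end of the chain section
            break
        m = ENTRY.match(line)
        if m:
            current = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER.match(line)              # other lines (a:, v:) are skipped
        if m and current:
            chain.append((current[0], current[1], m.group(1).strip()))
            current = None
    return chain

def self_issued(chain):
    """Depths where subject == issuer (name comparison only, no signature check)."""
    return [depth for depth, subject, issuer in chain if subject == issuer]

def chain_is_linked(chain):
    """True if each certificate's issuer is the subject of the next one sent."""
    return all(chain[k][2] == chain[k + 1][1] for k in range(len(chain) - 1))
```

To run it against a live endpoint, pass in the text captured from `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null`. An empty result from `self_issued` means the server stops at the intermediate, which is the behaviour the quoted guidance recommends.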