
8 years plus running no solution to Certificate could not be updated as it is already used by HTTP Based Policy

When I go to edit the certificate and upload the certificate which is due for renewal (every 13 months), it fails with the following error at the top center of the screen:

Certificate could not be updated as it is already used by HTTP Based Policy

Firmware: (SFOS 20.0.1 MR-1-Build342) 

I have 40+ WAF rules managing multiple domains.

1. Go to certificates

2. Add a new certificate with a different name, as it doesn't allow updating the same certificate

3. Then go to the WAF rules one by one (1....40+), change to the new certificate and update the FQDN. Isn't this annoying?

4. It's been 5 years I have been using Sophos XG; literally fed up with the repeated task

It's even costing me downtime.

It's been an issue for over 8+ years and still Sophos hasn't addressed it; see below:

 Certificate renewal fails if used in web server protection rule 

 Certificate could not be updated as it is already used by HTTP Based Policy 

I raised a support ticket on 2024-07-26; Sophos doesn't have a feasible solution. (Case Number: 07455429)

I see the paths below hold the certificate & private key; it's a job of replacing the file & restarting the WAF, and still Sophos developers didn't consider implementing this in the UI in over 8+ years! Can't they simplify?

/conf/certificate/

/conf/certificate/private/



  • Hi Akshay,

    Thank you for reaching out to Sophos Community.

    We regret to hear about your experience and thank you for sharing your case ID.

    Upon checking, your case handler has indicated some actions that can be done. You may see the following:

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • API is okay; I understand it's doing the same process.

    Why would the procedure below not work?

    1. stop WAF under services

    2. Disable WAF rules

    3. Certificates -> select existing -> upload certificate on renewal -> save

    4. enable WAF under services

    5. Enable WAF rules.

    I still don't understand: when the rules are disabled it should at least work.

  • The API is probably just for adding: "Add certificates using Postman API"

    For future readers who have hope in the API for updating a certificate:

    1. If you're updating a certificate which is not used in WAF, it will update

    2. If you're updating a certificate which is already used in WAF, even with the API you can't update it!

    It's very sad to say that even the Sophos technical team says you can update with the API, without even internally testing whether it works in the case of WAF or not!

    I am sorry to say your solution is not helpful when the certificate is already in use.

    <?xml version="1.0" encoding="UTF-8"?>
    <Response APIVersion="2000.2" IPS_CAT_VER="1" IS_WIFI6="0">
        <Login>
            <status>Authentication Successful</status>
        </Login>
        <Certificate transactionid="10">
            <Status code="542">Operation failed. For details, go to https://docs.sophos.com, select XG Firewall, and select API help. Go to the module and scroll down to "Status message information".</Status>
        </Certificate>
    </Response>

  • Hi Akshay,

    Thank you for the update. I will coordinate this with your case handler for further checking. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Thank you. I am sure Sophos will not resolve this issue in the next few years. I never had any successful case closure in the past 5 years.

  • As usual, the mail I received didn't solve my problem! My certificate is going to expire on 3rd Aug 2024! I have to edit 40+ WAF rules; isn't this an amazing web interface we have?

    Email from the standard template:

    Hello Akshay,

    This is regarding your service request number 07455429, which you have opened with us.

    Your case requires additional assistance from our global escalation specialists (GES). GES engineers are the highest technical tier within support and are responsible for interacting with our development teams. A GES engineer will review your case and provide the necessary expertise needed for resolution.

    Based on the case priority and complexity, he/she will contact you with their initial analysis within a maximum of 2 business days.

    If GES identifies a product defect or needs further assistance, the Development Team will be engaged. For tracking and consistency in response, these engagements are all recorded and you will be provided the tracking number.

    During regular meetings between GES and our Development Teams, all related open cases are discussed and an investigation timeline is agreed upon based on the priority of the defect. We consider both the technical severity of the problem and incident frequency in determining the priority of a defect. Please keep in mind that these meetings are held weekly for non-critical issues and therefore you may not receive an update for several days. Upon completion of the investigation, the Development Team will determine when the issue will be resolved.  GES will communicate the plan to you. Once the fix has been released, you will be notified. 

  • Hi Akshay,

    We deeply regret the inconvenience. The case is now in our GES and with the highest priority. We’ll continue to assist you with the case follow-up.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • So you can replace a certificate with a new one via the API. I am doing this all the time with Let's Encrypt. But you need to upload a new one to the firewall and replace the current certificate with the new one in one PUT request.

    And you have to be mindful about the resources of Sophos in terms of prio. This situation is known to Sophos. 

    Sophos is looking into addressing this situation with an upcoming release later this year. 

    Sophos Support is not the place for, and does not develop, fixes for missing features in the product. You can raise those concerns with your Sales engineer.


  • Uploading a new one through the API is not a problem.

    Example: if you have an existing certificate with the name "domain-a-latest" attached to WAF rules, the Sophos API doesn't allow update operations to replace it, either on the web or through the REST API.

  • Yes. That is what I am saying: you need one API call to upload the new certificate - called cert-date

    Then you need a second API call to update the WAF to replace the current name with the new name.

    You cannot replace the certificate which is in use right now. But you could do it by the approach above.

    As mentioned, this will be approached in a better manner later this year by a new Sophos firewall release.

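The rotation the thread settles on (upload the renewed certificate under a new name, re-point every WAF rule that references the old name, and only then remove the old object), written out as an added example that is not part of this thread and not Sophos's own code. Only the response shape visible in the thread (`<Response>`, `<Login><status>`, `<Certificate transactionid=..><Status code=..>`) is taken from the page; the request elements `Set`/`Get`/`Remove`, `FirewallRule`, the `HTTPBasedPolicy/Certificate` path, the certificate upload fields and the success status codes are assumptions and must be checked against the XML API reference for your firmware. `FIREWALL-HOST-PLACEHOLDER`, the rule names and the sample `Get` response are constructed; `demo_send` answers offline so the script runs without a firewall, and `http_send` is the real transport.

```python
# Added example, not Sophos code: the two-call rotation the thread arrives at (upload the
# renewed certificate under a NEW name, re-point each WAF rule, then remove the old object).
# Only <Response>, <Login><status> and <Certificate><Status code=..> come from the page;
# Set/Get/Remove, FirewallRule, HTTPBasedPolicy/Certificate, the upload fields and the
# success codes are ASSUMPTIONS to check against the API reference for your firmware.
import ssl, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

API_URL = "https://FIREWALL-HOST-PLACEHOLDER:4444/webconsole/APIController"  # placeholder
OK_CODES = ("200", "216")  # assumed success codes; anything else is treated as failure
LOGIN_OK = "Authentication Successful"

# Response quoted in the thread: code 542 is the "already used by HTTP Based Policy" failure
THREAD_RESPONSE = ('<Response APIVersion="2000.2"><Login><status>Authentication Successful</status>'
                   '</Login><Certificate transactionid="10"><Status code="542">Operation failed.'
                   '</Status></Certificate></Response>')
# Constructed sample of a Get FirewallRule response (not real firewall output)
SAMPLE_RULES = ('<Response APIVersion="2000.2"><Login><status>Authentication Successful</status></Login>'
                '<FirewallRule transactionid=""><Name>waf-domain-a</Name><PolicyType>HTTP</PolicyType>'
                '<HTTPBasedPolicy><Certificate>domain-a-latest</Certificate></HTTPBasedPolicy></FirewallRule>'
                '<FirewallRule transactionid=""><Name>waf-domain-b</Name><PolicyType>HTTP</PolicyType>'
                '<HTTPBasedPolicy><Certificate>domain-b</Certificate></HTTPBasedPolicy></FirewallRule>'
                '</Response>')
SAMPLE_OK = ('<Response APIVersion="2000.2"><Login><status>Authentication Successful</status></Login>'
             '<{e} transactionid=""><Status code="200">Configuration applied successfully.</Status>'
             '</{e}></Response>')

def envelope(username, password, body):
    """Wrap one <Get>/<Set>/<Remove> element in the Login envelope and serialise it."""
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    req.append(body)
    return ET.tostring(req, encoding="unicode")

def http_send(request_xml):
    """Real transport: POST the request as the reqxml form field over verified TLS."""
    data = urllib.parse.urlencode({"reqxml": request_xml}).encode()
    ctx = ssl.create_default_context()  # keep verification on for the admin port
    with urllib.request.urlopen(API_URL, data=data, context=ctx, timeout=30) as resp:
        return resp.read().decode()

def demo_send(request_xml):
    """Offline stand-in for http_send: Get returns the sample rules, anything else succeeds."""
    if "<Get>" in request_xml:
        return SAMPLE_RULES
    return SAMPLE_OK.format(e="FirewallRule" if "<FirewallRule" in request_xml else "Certificate")

def status_of(response_xml, entity):
    """Return (login status, entity status code, message) from an API response."""
    root = ET.fromstring(response_xml)
    node = root.find(entity)
    st = None if node is None else node.find("Status")
    return (root.findtext("Login/status"),
            None if st is None else st.get("code"),
            None if st is None else st.text)

def rebind_rules(rules_xml, old_name, new_name):
    """Re-point every WAF rule whose certificate is old_name at new_name.
    Returns the rewritten <FirewallRule> elements and the names of the rules changed."""
    root = ET.fromstring(rules_xml)
    changed, names = [], []
    for rule in root.iter("FirewallRule"):
        cert = rule.find("HTTPBasedPolicy/Certificate")  # assumed element path
        if cert is not None and cert.text == old_name:
            cert.text = new_name
            changed.append(rule)
            names.append(rule.findtext("Name"))
    return changed, names

def rotate(send, user, pw, old_name, new_name, cert_pem, key_pem):
    """Run the three steps in the only order the firewall accepts; returns rebound rule names."""
    def call(body, entity, expect_status=True):
        resp = send(envelope(user, pw, body))
        login, code, msg = status_of(resp, entity)
        if login != LOGIN_OK or (expect_status and code not in OK_CODES):
            raise RuntimeError(f"{entity}: login={login} code={code} msg={msg}")
        return resp

    # 1) add the renewed certificate as a new object; an in-use object cannot be updated
    add = ET.Element("Set", operation="add")
    c = ET.SubElement(add, "Certificate")
    ET.SubElement(c, "Action").text = "UploadCertificate"
    ET.SubElement(c, "Name").text = new_name
    ET.SubElement(c, "CertificateFormat").text = "pem"
    ET.SubElement(c, "CertificateFile").text = cert_pem  # assumed inline; your firmware may
    ET.SubElement(c, "PrivateKeyFile").text = key_pem    # require the files as multipart parts
    call(add, "Certificate")

    # 2) read the rules, rewrite the certificate reference, push each changed rule back
    get = ET.Element("Get")
    ET.SubElement(get, "FirewallRule")
    changed, names = rebind_rules(call(get, "FirewallRule", expect_status=False), old_name, new_name)
    for rule in changed:
        upd = ET.Element("Set", operation="update")
        upd.append(rule)
        call(upd, "FirewallRule")

    # 3) only now is the old object unreferenced and safe to remove
    rm = ET.Element("Remove")
    ET.SubElement(ET.SubElement(rm, "Certificate"), "Name").text = old_name
    call(rm, "Certificate")
    return names
```

Running `rotate(demo_send, "admin", "PASSWORD-PLACEHOLDER", "domain-a-latest", "domain-a-2024-08", cert_pem, key_pem)` against the constructed sample rebinds only `waf-domain-a` and leaves `waf-domain-b` untouched; passing `http_send` instead talks to the placeholder firewall. Every step checks the `Status code` in the reply and stops on the first failure, which is what turns the thread's code 542 into a visible error instead of a half-rotated set of rules; the old object is removed last because, as the thread establishes, it cannot be touched while any rule still references it.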