Cloudflare Account with Custom Domain
On-premise Web Servers
Sophos XG Firewall (Home/Enterprise)
Static IP or DDNS Subscription (Sophos myfirewall.co will be discontinued)
Existing WAF policies for your web servers
Generate a CSR from Sophos using the below template:
You can leave most of the fields blank and only fill out the name, country name, common name and SANs. Replace acmecorp.com with your own custom domain.
Key type: Default
Key Length: Default
Secure hash: Default
Country name: Country
Locality name: City
Organization name: Acme Corp
Organization unit name: Business Unit
Common name: acmecorp.com
Email address: firstname.lastname@example.org
Subject Alternative Names (SANs)
Head over to your certificates and download the newly generated CSR.
Copy the CSR to the clipboard and navigate to Cloudflare.
Go to your Cloudflare account, select your domain and navigate to SSL/TLS.
Enable "Full" encryption mode and then navigate to Origin Server.
Click Create Certificate, select "Use my private key and CSR" and paste in the CSR that you copied from the Sophos firewall.
Save the certificate and click Download. Copy the PEM-formatted certificate contents, paste it into Notepad and save the file as "cloudflare-acmecorp.pem", with Save as type set to "All files".
Once saved, go to your Sophos certificates menu and import the PEM file to the CSR. There is no password associated with the PEM, so just save it.
In Cloudflare DNS, change your website/application DNS record to "Proxied" rather than "DNS only".
Create or edit your WAF policy according to the Sophos documentation and use the cloudflare-acmecorp.com certificate that you created.
Manually enter the FQDN of your application/web server (app.acmecorp.com) in the Domains field and save.
Ignore the error "Following domain(s) will not be covered by selected HTTPS certificate..".
You can now test your website/application and confirm that the certificate information is from Cloudflare.
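Before dismissing the "domain(s) will not be covered" message, it is worth checking whether the Domains entries in the WAF policy really fall inside the CN/SANs of the origin certificate. The script below is an added example (not from the original post or from Sophos) that applies a standard RFC 6125-style hostname match to a constructed certificate identity; Sophos's own coverage check may use different rules.

```python
"""Check whether a WAF's Domains entries are covered by an origin certificate.

Added example, not part of the original Sophos Community post. It applies a
standard RFC 6125-style match (exact dNSName, or a single-label wildcard such
as *.acmecorp.com) to the certificate's SAN list, falling back to the Common
Name only when no SANs are present. Sophos's own coverage check may differ;
the certificate identity below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class OriginCertIdentity:
    common_name: str
    sans: list[str] = field(default_factory=list)  # dNSName entries


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `pattern` (exact name or *.example) covers `hostname`."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard matches exactly one label: *.acmecorp.com covers
    # app.acmecorp.com but not acmecorp.com or a.b.acmecorp.com.
    suffix = pattern[1:]                       # ".acmecorp.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_domains(cert: OriginCertIdentity, domains: list[str]) -> list[str]:
    """Return the WAF Domains entries the certificate does not cover."""
    # Per RFC 6125, the CN is consulted only when the SAN extension is absent.
    names = cert.sans if cert.sans else [cert.common_name]
    return [d for d in domains if not any(hostname_matches(n, d) for n in names)]


if __name__ == "__main__":
    # Constructed identity: an origin certificate carrying the apex plus a
    # wildcard SAN, as requested in the CSR template above.
    cert = OriginCertIdentity("acmecorp.com", ["acmecorp.com", "*.acmecorp.com"])
    waf_domains = ["app.acmecorp.com", "acmecorp.com",
                   "deep.app.acmecorp.com", "acmecorp.org"]
    for d in uncovered_domains(cert, waf_domains):
        print(f"not covered by certificate: {d}")
```

If the FQDN you entered in the Domains field is reported as uncovered, the warning is real and the certificate needs a matching SAN; otherwise it can be dismissed as described.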
Thank you for your contribution to the Sophos Community.