Automated Certificate Renewals with WAF and Cloudflare

PREREQUISITES
  • Cloudflare Account with Custom Domain

  • On-premise Web Servers

  • Sophos XG Firewall (Home/Enterprise)

  • Static IP or DDNS Subscription (Sophos myfirewall.co will be discontinued)

  • Existing WAF policies for your web servers

SOPHOS CSR

Generate a CSR from Sophos using the template below:

You can leave most of the fields blank and only fill out the name, country name, common name and SANs. Substitute your own custom domain wherever acmecorp.com appears.

    1. Name: cloudflare-acmecorp.com

    2. Key type: Default

    3. Key Length: Default

    4. Secure hash: Default

    5. Country name: Country

    6. State: State

    7. Locality name: City

    8. Organization name: Acme Corp

    9. Organization unit name: Business Unit

    10. Common name: acmecorp.com

    11. Email address: name@acmecorp.com

    12. Subject Alternative Names (SANs)

      1. DNS Names:

        1. *.acmecorp.com

        2. acmecorp.com

      2. IP Address:

        1. Blank/Default

    13. Save

Head over to your Certificates page in Sophos and download the newly generated CSR.

Copy the CSR to the clipboard and navigate to Cloudflare.

CLOUDFLARE

Go to your Cloudflare account, select your domain and navigate to SSL/TLS.

Enable Full encryption mode and then navigate to Origin Server.

Click Create Certificate, select "Use my private key and CSR" and paste in the CSR that you copied from the Sophos firewall.

Save the certificate and click Download. Copy the PEM-formatted certificate contents, paste it into Notepad, save the file as "cloudflare-acmecorp.pem" and select "All files" as the Save as type.

Once saved, go to the Sophos certificates menu and import the PEM file against the CSR. There is no password associated with the PEM; just save it.

In Cloudflare DNS, set your website/application DNS record to "Proxied", not "DNS only".

SOPHOS WAF

Create or edit your WAF policy according to the Sophos documentation and use the cloudflare-acmecorp.com certificate that you created.

Manually enter the FQDN of your application/web server (app.acmecorp.com) in the Domains field and save.

Ignore the warning "Following domain(s) will not be covered by selected HTTPS certificate..": the wildcard SAN *.acmecorp.com in the CSR covers app.acmecorp.com.
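As an added example (not from this post or from Sophos), a small stdlib-only Python script that applies the single-label wildcard rule from RFC 6125 to the SANs in the CSR above, so you can confirm which Domains entries the certificate genuinely covers before ignoring that warning. The openssl output it parses is a constructed sample of what `openssl x509 -in cloudflare-acmecorp.pem -noout -ext subjectAltName` prints; the host names are assumptions.

```python
"""Check which WAF Domains entries a certificate's SANs actually cover.

Mirrors the coverage check Sophos performs when you attach a certificate
to a WAF policy, but with RFC 6125 wildcard rules (a '*' matches exactly
one leftmost DNS label). Standard library only.
"""
import re

# Constructed sample (not real output): what
# `openssl x509 -in cloudflare-acmecorp.pem -noout -ext subjectAltName`
# prints for the CSR template in this post.
SAMPLE_OPENSSL_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:*.acmecorp.com, DNS:acmecorp.com
"""


def parse_dns_sans(openssl_text: str) -> list[str]:
    """Extract the DNS SAN entries from openssl's subjectAltName output."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def san_matches(fqdn: str, san: str) -> bool:
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    fqdn, san = fqdn.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return fqdn == san
    suffix = san[1:]                        # e.g. ".acmecorp.com"
    if not fqdn.endswith(suffix):
        return False
    left = fqdn[: -len(suffix)]             # the part the '*' must absorb
    return bool(left) and "." not in left   # non-empty, single label


def uncovered_domains(waf_domains, sans):
    """Return the WAF domains no SAN covers (what the firewall warns about)."""
    return [d for d in waf_domains if not any(san_matches(d, s) for s in sans)]


if __name__ == "__main__":
    sans = parse_dns_sans(SAMPLE_OPENSSL_SAN_OUTPUT)
    # Assumed host names: the post's app host plus two that should fail.
    for host in ["app.acmecorp.com", "acmecorp.com",
                 "api.dev.acmecorp.com", "acmecorp.net"]:
        status = "covered" if not uncovered_domains([host], sans) else "NOT covered"
        print(f"{host:24} {status}")
```

Note that api.dev.acmecorp.com is reported as not covered: a wildcard in the SAN does not span more than one label, so such a host would need its own SAN entry in the CSR.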

TESTING

You can now test your website/application and confirm that the certificate information shown is from Cloudflare.

Moved to RR and edited TAGs
[edited by: emmosophos at 9:58 PM (GMT -7) on 1 Sep 2021]