Note: Make sure your Sophos Firewall clock is correct (ideally synced via NTP). Certificate validity periods are checked against the firewall's own time, so a wrong clock causes certificate trust errors between Cloudflare and the WAF.
Overview
Prerequisites
- Cloudflare account with a custom domain
- On-premise web servers
- Sophos Firewall (Home or Enterprise)
- Static IP or DDNS subscription
- Existing WAF policies for your web servers
Sophos CSR
Generate a CSR on the Sophos Firewall using the template below (System > Certificates > Add > Generate certificate signing request (CSR)).
You can leave most of the fields at their defaults and only fill in the name, country name, common name and SANs. Substitute your own custom domain for acmecorp.com. The private key is generated and stays on the firewall; only the CSR leaves it.
- Name: cloudflare-acmecorp.com
- Key type: Default
- Key Length: Default
- Secure hash: Default
- Country name: Country
- State: State
- Locality name: City
- Organization name: Acme Corp
- Organization unit name: Business Unit
- Common name: acmecorp.com
- Email address: name@acmecorp.com
- Subject Alternative Names (SANs)
  - DNS Names:
    - *.acmecorp.com
    - acmecorp.com
  - IP Address: Blank/Default
- Save
Go back to the certificates list and click the arrow next to the newly generated CSR to download or copy it.
Copy the CSR (the full PEM block, including the BEGIN/END lines) to the clipboard and move over to Cloudflare.
Cloudflare
Go to your Cloudflare account, select your domain and navigate to SSL/TLS.
Set the encryption mode to Full (strict) and then navigate to Origin Server. Plain "Full" also works, but it does not validate the origin certificate at all; "Full (strict)" does, and Cloudflare trusts the Origin CA certificates it issues, so there is no reason to use the weaker mode.
Click Create Certificate, select "Use my private key and CSR" and paste in the CSR that you copied from the Sophos Firewall. Pick the validity period you want (the default is 15 years; note the expiry somewhere so the renewal is not a surprise).
Save the certificate and click download. Copy the PEM-formatted certificate contents, paste it into Notepad and save the file as "cloudflare-acmecorp.pem" with Save as type set to "All files".
Once saved, go to the Sophos certificates menu and upload the PEM file against the CSR you generated (the CSR entry becomes a usable certificate). There is no password associated with the PEM, so just save it. Keep in mind that Cloudflare Origin CA certificates are trusted only by Cloudflare, not by browsers: anyone hitting the firewall directly instead of through the proxy will get a certificate warning, which is expected.
In Cloudflare DNS, set your website/application DNS record to "Proxied" rather than "DNS only" so traffic flows through Cloudflare. Since the origin is now reachable only via Cloudflare, it is also worth limiting inbound HTTPS on the firewall to Cloudflare's published IP ranges so the Cloudflare WAF cannot be bypassed by connecting to the origin IP directly.
Sophos WAF
Create or edit your WAF policy according to the Sophos documentation and select the cloudflare-acmecorp.com certificate that you just imported.
Manually enter the FQDN of your application/web server (app.acmecorp.com) in the Domains field and save.
You can ignore the warning "Following domain(s) will not be covered by selected HTTPS certificate..": app.acmecorp.com is covered by the *.acmecorp.com SAN in the certificate (a wildcard matches exactly one label, so a.b.acmecorp.com would not be covered, while the bare apex is covered by the separate acmecorp.com SAN).
Testing
You can now test your website/application. In the browser you will see Cloudflare's edge certificate (issued to your domain by Cloudflare's public CA partner), which proves the request went through the proxy. The Origin CA certificate is only presented by the firewall to Cloudflare; to confirm it is the one being served, connect directly to the firewall's public IP with the hostname as SNI and check that the issuer is CloudFlare Origin SSL Certificate Authority.
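The checks below cover the CSR step and the Testing step together. This is an added example, not code from the original post or from Sophos or Cloudflare: it rebuilds the post's CSR template with OpenSSL so the CSR can be inspected (CN and SANs) before it is pasted into Cloudflare, verifies that a returned certificate actually belongs to that CSR's key, implements the one-label wildcard rule behind the WAF domain warning, and shows the direct-to-firewall issuer check. The domain acmecorp.com is the post's placeholder; the firewall IP is assumed to come from the caller in FW_IP; the self-signed certificate used in the key-match check is a local stand-in for Cloudflare's, not a Cloudflare certificate.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes openssl is installed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config mirroring the Sophos CSR fields from the post.
write_csr_config() {
  domain="$1"
  cat > "$WORK/csr.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C  = US
ST = State
L  = City
O  = Acme Corp
OU = Business Unit
CN = $domain
emailAddress = name@$domain

[ v3_req ]
subjectAltName = DNS:*.$domain, DNS:$domain
EOF
  echo "$WORK/csr.cnf"
}

# RSA-2048 / SHA-256 is what the post's "Default" key type, length and hash give.
gen_csr() {
  domain="$1"
  cfg=$(write_csr_config "$domain")
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$domain.key" -out "$WORK/$domain.csr" -config "$cfg" 2>/dev/null
  echo "$WORK/$domain.csr"
}

# Print CN=... and one SAN=... line per DNS SAN; compare with the post's template
# before pasting the CSR into Cloudflare.
csr_names() {
  text=$(openssl req -in "$1" -noout -text)
  printf '%s\n' "$text" | sed -n 's|.*Subject:.*CN *= *\([^,/]*\).*|CN=\1|p'
  printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS:/SAN=/'
}

# The certificate Cloudflare hands back must carry the CSR's public key;
# a mismatch means it was issued for a different CSR and will not import.
cert_matches_csr() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
  [ "$csr_pub" = "$crt_pub" ]
}

# Does a SAN entry cover a hostname? A wildcard matches exactly one DNS label,
# so *.acmecorp.com covers app.acmecorp.com but not a.b.acmecorp.com or the apex.
san_covers() {
  san="$1"; host="$2"
  case "$san" in
    \*.*)
      suffix="${san#\*.}"
      [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "$suffix" ]
      ;;
    *) [ "$san" = "$host" ] ;;
  esac
}

# Connect straight to the firewall (bypassing the Cloudflare proxy) with SNI and
# print the issuer of the certificate it serves. Expect
# "CloudFlare Origin SSL Certificate Authority"; through the proxy a browser sees
# Cloudflare's edge certificate instead, so only this direct check proves the
# Origin CA certificate is installed on the WAF.
origin_issuer() {
  fw_ip="$1"; host="$2"
  openssl s_client -connect "$fw_ip:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Offline demo: build the CSR for the post's placeholder domain and list its names.
csr=$(gen_csr acmecorp.com)
csr_names "$csr"
if [ -n "${FW_IP:-}" ]; then origin_issuer "$FW_IP" app.acmecorp.com; fi
```

Run it as `FW_IP=203.0.113.10 sh check.sh` (the IP is whatever your firewall's public or DDNS address resolves to) once the certificate is installed; without FW_IP it only exercises the offline CSR checks.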
[edited by: Erick Jan at 5:51 AM (GMT -7) on 28 Oct 2024]