
Sophos Firewall: Certificate Renewals with WAF and Cloudflare

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Note: Make sure your Sophos Firewall time is correct to avoid potential certificate trust issues.


This Recommended Read goes over how to generate a certificate for WAF using Cloudflare.


  • Cloudflare Account with Custom Domain

  • On-premise Web Servers

  • Sophos Firewall (Home/Enterprise)

  • Static IP or DDNS Subscription 

  • Existing WAF policies for your web servers

Sophos CSR

Generate a CSR on the Sophos Firewall using the template below (System > Certificates > Add > Generate certificate signing request (CSR)).

You can leave most of the fields blank and only fill out the name, country name, common name and SANs. Substitute your own custom domain.

    1. Name:

    2. Key type: Default

    3. Key Length: Default

    4. Secure hash: Default

    5. Country name: Country

    6. State: State

    7. Locality name: City

    8. Organization name: Acme Corp

    9. Organization unit name: Business Unit

    10. Common name:

    11. Email address:

    12. Subject Alternative Names (SANs)

      1. DNS Names:

        1. *


      2. IP Address:

        1. Blank/Default

    13. Save

Head over to your certificates and click the arrow to download/copy the newly generated CSR.

Copy the CSR to the clipboard and navigate to Cloudflare.


Go to your Cloudflare account, select your domain and navigate to SSL/TLS.

Enable Full encryption mode and then navigate to Origin Server.

Create Certificate, select "Use my private key and CSR" and paste in the CSR that you copied from the Sophos firewall.

Save the certificate and click on download. Copy the PEM-formatted certificate contents, paste them into Notepad, save the file as "cloudflare-acmecorp.pem" and select Save as type "All files".

Once saved, go to your Sophos certificates menu and import the PEM file to the CSR. There is no password associated with the PEM, so just save it.

In Cloudflare DNS, change your website/application DNS record to "Proxied" and not "DNS only".
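Before importing the PEM file onto the CSR, the downloaded certificate can be checked on an admin workstation. The script below is an added example, not part of the original post or of Sophos or Cloudflare tooling; it assumes the OpenSSL command-line tool is installed, and the CSR file name and host name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: checks to run on the downloaded certificate before importing it.
# CSR/certificate paths and the host name are supplied by the caller (placeholders).

# True when the certificate carries the same public key as the CSR, i.e. it
# pairs with the private key that never left the firewall.
same_public_key() {  # usage: same_public_key CSR.pem CERT.pem
    csr_key=$(openssl req -in "$1" -noout -pubkey) || return 2
    crt_key=$(openssl x509 -in "$2" -noout -pubkey) || return 2
    [ "$csr_key" = "$crt_key" ]
}

# True when a SAN in the certificate (wildcards included) covers the host name.
covers_host() {  # usage: covers_host CERT.pem HOST
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Runs every check, prints the validity window for comparison with the
# firewall clock, and returns non-zero if any check failed.
preimport_check() {  # usage: preimport_check CSR.pem CERT.pem HOST
    rc=0
    openssl x509 -in "$2" -noout -startdate -enddate || rc=1
    same_public_key "$1" "$2" ||
        { echo "FAIL: certificate was not issued for this CSR"; rc=1; }
    covers_host "$2" "$3" ||
        { echo "FAIL: no SAN in the certificate covers $3"; rc=1; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has already expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 matches the CSR and covers $3"
    return "$rc"
}

# Run directly: sh check.sh firewall.csr cloudflare-acmecorp.pem www.example.com
if [ "$#" -eq 3 ]; then
    preimport_check "$@"
fi
```

A wildcard SAN matches exactly one label, so a certificate for `*.example.com` passes for `www.example.com` but fails for `example.com` and for `a.b.example.com`.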

Sophos WAF

Create or edit your WAF policy according to Sophos documentation and use the certificate that you created.

Manually insert the FQDN for your application/web server in the Domains field and save.

Ignore the error "Following domain(s) will not be covered by selected HTTPS certificate..".


You can now test your website/application and confirm that the certificate information is from Cloudflare.


Added note about time
[edited by: emmosophos at 4:53 PM (GMT -7) on 13 Oct 2023]