Sophos Firewall: Installation of Multiple Certificates via PowerShell

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Note: Make sure the Sophos Firewall's system time is correct; a clock that is off can cause certificate trust errors.

Special Thanks to Raghuraman Rajan

Overview

The script automatically installs the certificates into the Trusted Root Certification Authorities store of the local machine, so the SSL CA does not have to be imported by hand on every device.

For reference, the manual procedure for installing the SSL CA is described here:

support.sophos.com/.../KB-000035645

Click Cert.zip to download.

Requirements

  • Certificates must be in one of the following formats: .crt, .cer or .pem
  • The certificates must be in the same directory as the script
  • The PowerShell execution policy must be set to RemoteSigned
  • PowerShell must be run as Administrator

Set Script Policy to RemoteSigned

With RemoteSigned, scripts created locally run as they are, while scripts downloaded from the internet must carry a valid digital signature before they run. This keeps unauthorized scripts from running while still allowing Cert.ps1 to be executed.

How to Set PowerShell Execution Policy to RemoteSigned

1. Via Setting App

Windows 11: Settings app > Privacy & Security > For developers
Windows 10: Settings app > Update & Security > For developers

Under the PowerShell section, change the execution policy to "Allow local PowerShell scripts to run without signing. Require signing for remote scripts", then click Apply.

2. PowerShell

2.1 Launch PowerShell in elevated mode (Run as Administrator).

2.2 Enter the following command: Set-ExecutionPolicy RemoteSigned

For Reference: www.itechtics.com/.../

Running the Script

1. Extract Cert.zip to the desired location/directory and copy the certificates into that directory.

2. Run PowerShell in elevated mode.
Click the Start (Windows) button, type PowerShell, right-click the PowerShell icon and select Run as Administrator.

3. Change to the directory where the script and certificates are saved with the following command:
cd <path where the script is saved>

To verify that you are in the right place, list the directory with the command "dir".

4. To run the script, type .\Cert.ps1 and press Enter.

*If you encounter the following error, the execution policy has not yet been set to RemoteSigned (see the section above):

*Running scripts is disabled on this system and needs to be enabled by your system/network administrator
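The error above has two common causes that look alike from the prompt: the effective execution policy is still Restricted (or forced by Group Policy), or the policy is already RemoteSigned but the extracted Cert.ps1 still carries the "downloaded from the internet" zone marker from Cert.zip, so RemoteSigned demands a signature on it. The following added example (not part of the article or of the Cert.zip script) checks both conditions and reports what to change; $ScriptPath is an assumption and should point at your extracted Cert.ps1.

```powershell
# Added example, not from the article: report why .\Cert.ps1 refuses to run.
# $ScriptPath is an assumption: the extracted Cert.ps1 in the current directory.
$ScriptPath = Join-Path (Get-Location) 'Cert.ps1'

function Get-ScriptRunBlockers {
    param([Parameter(Mandatory)][string]$Path)
    $blockers = @()

    # The policy PowerShell actually applies, after merging all scopes.
    $effective = Get-ExecutionPolicy
    if ($effective -in 'Restricted', 'AllSigned') {
        $blockers += "Effective execution policy is '$effective'; run Set-ExecutionPolicy RemoteSigned in an elevated shell."
    }

    # A MachinePolicy value comes from Group Policy and overrides local settings,
    # so Set-ExecutionPolicy alone will not help on a domain-managed machine.
    $gp = (Get-ExecutionPolicy -List | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
    if ($gp -ne 'Undefined') {
        $blockers += "MachinePolicy scope is '$gp' (set by Group Policy); change it there or ask the domain administrator."
    }

    # Files downloaded by a browser keep a Zone.Identifier alternate data stream,
    # and Explorer propagates it to files extracted from the zip. Under RemoteSigned
    # such a script is treated as remote and must be signed unless unblocked.
    if (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
        $blockers += "'$Path' is marked as downloaded; review its contents, then run Unblock-File -Path '$Path'."
    }

    return $blockers
}

$found = Get-ScriptRunBlockers -Path $ScriptPath
if ($found.Count -eq 0) { "No blockers found; .\Cert.ps1 should run." } else { $found }
```

Run this from the same elevated prompt in which Cert.ps1 failed, so that the effective policy it reports is the one that applied to the failed run.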

Verifying that the certificates were installed

Open Run from the Start menu, enter "certlm.msc" and check that the certificates appear under Trusted Root Certification Authorities > Certificates.

Script Configuration


Set-Location $PSScriptRoot
dir -Path ".\" -filter *.crt | Import-Certificate -CertStoreLocation cert:\localmachine\root
dir -Path ".\" -filter *.cer | Import-Certificate -CertStoreLocation cert:\localmachine\root
dir -Path ".\" -filter *.pem | Import-Certificate -CertStoreLocation cert:\localmachine\root
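Anything placed in Cert:\LocalMachine\Root is trusted by every user and service on the machine, so a stray file in the script folder is imported with the same authority as the firewall CA. The added example below (my code, not the article's Cert.ps1) keeps the same one-folder, three-extension layout but parses each file first, shows its subject and thumbprint, skips certificates that are already installed, optionally restricts the import to an allow-list of expected thumbprints, and exposes the same check that certlm.msc gives as a function. $ExpectedThumbprints and the function names are assumptions; the allow-list is a placeholder to be filled with the thumbprints of your own firewall CA certificates.

```powershell
# Added example, not the article's Cert.ps1. Imports the .crt/.cer/.pem files
# next to this script into the machine Trusted Root store with basic checks.
#Requires -RunAsAdministrator

# Assumed allow-list (placeholder): SHA-1 thumbprints of the CA certificates you
# expect to import. Leave empty to import every parseable certificate found.
$ExpectedThumbprints = @()
$StorePath = 'Cert:\LocalMachine\Root'

function Import-FirewallRootCertificates {
    param(
        [string]$Directory = $PSScriptRoot,
        [string[]]$AllowedThumbprints = @()
    )
    $results = @()
    $files = Get-ChildItem -Path (Join-Path $Directory '*') -Include '*.crt', '*.cer', '*.pem' -File
    foreach ($file in $files) {
        # Parse before importing: a file that is not a certificate never reaches the store.
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        } catch {
            $results += [pscustomobject]@{ File = $file.Name; Subject = $null; Thumbprint = $null; Status = 'unparseable, skipped' }
            continue
        }
        if ($AllowedThumbprints.Count -gt 0 -and $AllowedThumbprints -notcontains $cert.Thumbprint) {
            $results += [pscustomobject]@{ File = $file.Name; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Status = 'not on allow-list, skipped' }
            continue
        }
        # The certificate provider exposes store entries by thumbprint, so this is a cheap duplicate check.
        if (Test-Path (Join-Path $StorePath $cert.Thumbprint)) {
            $status = 'already installed'
        } else {
            Import-Certificate -FilePath $file.FullName -CertStoreLocation $StorePath | Out-Null
            $status = 'imported'
        }
        $results += [pscustomobject]@{ File = $file.Name; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Status = $status }
    }
    return $results
}

function Test-RootCertificateInstalled {
    # Same answer certlm.msc gives, from the shell: is this thumbprint in Trusted Root?
    param([Parameter(Mandatory)][string]$Thumbprint)
    return Test-Path (Join-Path $StorePath $Thumbprint)
}

$report = Import-FirewallRootCertificates -AllowedThumbprints $ExpectedThumbprints
$report | Format-Table -AutoSize
```

The report lists every file with its subject, thumbprint and outcome, which is worth keeping with the change record when the script is rolled out to many machines; the thumbprints in it are also what you would search for in certlm.msc or pass to Test-RootCertificateInstalled afterwards.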

______________________________________________________________________________________________________________________________________



Added horizontal lines below disclaimer and end of RR
[edited by: Raphael Alganes at 9:33 AM (GMT -7) on 16 Oct 2023]
  • Dear Bhaumik,

    Thanks for the guide.

    Sometimes I've seen cases where the Active Directory SSL certificate distribution didn't do its job.

    It can be used as an alternative solution if the required certificates are added to the sysvol directory and the method you share with the startup script is adapted.