
Sophos Firewall: Install a Free and Valid SSL Certificate

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Note: Make sure your Sophos Firewall's time is correct to avoid potential certificate trust issues.


Overview

This Recommended Read goes over how to install a free and valid SSL certificate on the Sophos Firewall using ZeroSSL.

To remove the warning page users get when entering the FQDN of the firewall in their browser, we need to install an SSL certificate signed by a valid certificate authority. In this Recommended Read, we'll go through the steps to get a free one from zerossl.com.

Registration in ZeroSSL with Sophos Firewall

Step 1. www.zerossl.com

Go to www.zerossl.com and click Get Free SSL in the upper right corner.

Step 2. Create a Free Account  

Step 3. Create SSL Certificate

Once the account is created, in the Dashboard go to > Create SSL Certificate and click New Certificate.

Step 4. Enter Domain

On the SSL Certificate Setup page, enter the domain that the SSL certificate will cover.

Step 5. Validity

For Validity, select "90 days" and click Next Step.

Step 6. Auto Generate CSR

For CSR & Contact, DISABLE Auto-Generate CSR.

Step 7. FQDN

In your Sophos Firewall, go to System > Administration > Admin and user settings, and confirm the FQDN of your Sophos Firewall.

Step 8. Add Certificate

Go to System > Certificates and click Add.

Step 9. Certificate Signing Request

Select the radio button for "Generate certificate signing request (CSR)".

Step 10. Certificate Name

For Name, enter the name you want to associate with this certificate. This can be anything, but we recommend making it a meaningful one.

Under Subject name and attributes, fill out the corresponding information. Remember that the most important settings are the Common Name and the email address (the domain of the email address entered here is the one ZeroSSL uses to validate that you own this domain).

Note: ZeroSSL will only send a validation email to one of the following addresses:

Under Subject alternative names (SANs), define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. In this case, we'll enter the FQDN of our domain and of the firewall.

Step 11. Download CSR

Click Save, and you'll see two arrows next to the certificate signing request you just created. Click the downward arrow and copy the CSR to the clipboard.

Step 12. Copying CSR to ZeroSSL

Return to ZeroSSL, enable only 'Paste Existing CSR', paste the CSR as plain text, and click Next Step.

Step 13. Finalizing Order

Select the Free "(0/month)" option, then click Next.

Step 14. Email Verification

On Email Verification, select a valid email address (from the list predefined by ZeroSSL) and click Verify Domain.

Note: You need to have access to this email address, as ZeroSSL will send a verification email to it.

Step 15. Verification Page

Check your email, copy the verification key, and click "Go to Verification Page."

Step 16. Verification Key

Enter the verification key on Domain Control Validation (Part 2), then click Next and close the window.

Step 17. Install Certificate

You'll receive another email shortly after. Click "Install Certificate", or go back to ZeroSSL.com, click Refresh Status, and then Install Certificate.

Step 18. Download Certificate

Download the certificate (.zip) to your machine and extract it to a folder of your choice.

Step 19. Upload the Certificate

Next, in the Sophos Firewall go to System > Certificates, find the CSR you created (here named zerosslnorouterid.ca) and click Upload.

Step 20. Import Certificate

Click Choose File, select the extracted certificate file (certificate), then import the certificate.

Step 21. Imported Successfully

Once uploaded, you'll probably see a red X under Trusted. This is because the Sophos Firewall doesn't have the signing Certificate Authority installed yet.

Step 22. Add ca_bundle

Go to Certificate Authorities, click Add, then Choose File, select the extracted "ca_bundle" file, and click Save.

Step 23. Verify if the Certificate is trusted

Return to the Certificates tab. You'll see a green tick instead of the red X, which means the certificate is now trusted.

Step 24. Admin and User Settings

To use the certificate, go to System > Administration > Admin and user settings > Admin console and end-user interaction, select the newly created certificate (zerosslnorouterid.ca), then click Apply and OK.

Step 25. Testing

To test, open your web browser and enter the hostname of the Sophos Firewall User Portal (e.g. norouterid.ca:4443).

Step 26. Verify the Secure Connection

You'll see in the left corner of the URL bar that the site is now secure: "Connection is secure."
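The checks behind Steps 21 to 26 and the note about the firewall clock, reproduced as an added example that is not part of this article or of Sophos Firewall itself: the Go program below parses a certificate and a ca_bundle, builds the chain to the CA, matches the hostname against the certificate's SANs and evaluates validity at a chosen time, then reports how many days of the 90-day validity remain. The FQDN firewall.example.test and the MakeConstructedChain helper (which mints a throw-away CA and leaf certificate so the program runs offline) are constructed for the example; with a real certificate and ca_bundle file you would pass their contents to VerifyInstalledCert instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifyInstalledCert reproduces the checks behind the firewall's "Trusted" tick and the
// browser's padlock: the leaf must chain to a CA in the uploaded ca_bundle, its SANs must
// cover hostname, and every certificate in the chain must be valid at now (which is why a
// wrong firewall clock breaks trust). It returns the whole days of validity left.
func VerifyInstalledCert(leafPEM, bundlePEM []byte, hostname string, now time.Time) (int, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("certificate: no PEM CERTIFICATE block found")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, fmt.Errorf("certificate: %w", err)
	}
	// The ca_bundle carries intermediate and root; offer it as both so a leaf issued by
	// the intermediate can still build a path up to the root.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return 0, errors.New("ca_bundle: no usable CA certificates (not uploaded?)")
	}
	inters.AppendCertsFromPEM(bundlePEM)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: hostname, CurrentTime: now}
	if _, err := leaf.Verify(opts); err != nil {
		return 0, fmt.Errorf("not trusted: %w", err)
	}
	return int(leaf.NotAfter.Sub(now).Hours() / 24), nil
}

// MakeConstructedChain creates a throw-away CA and a 90-day leaf certificate for host so
// the check above runs offline. It is a constructed stand-in for the ZeroSSL-issued
// certificate and ca_bundle, not anything ZeroSSL or the firewall produces.
func MakeConstructedChain(host string, issued time.Time) (leafPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: issued, NotAfter: issued.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames:  []string{host}, // the SAN is what browsers (and Go) actually match
		NotBefore: issued, NotAfter: issued.Add(90 * 24 * time.Hour), // ZeroSSL free validity
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), nil
}

func main() {
	host := "firewall.example.test" // constructed FQDN; substitute your firewall's FQDN
	issued := time.Now().Add(-24 * time.Hour)
	leafPEM, caPEM, err := MakeConstructedChain(host, issued)
	if err != nil {
		panic(err)
	}
	days, err := VerifyInstalledCert(leafPEM, caPEM, host, time.Now())
	fmt.Println("with ca_bundle, correct clock:", err, "| days left:", days)
	_, err = VerifyInstalledCert(leafPEM, nil, host, time.Now()) // the red X case
	fmt.Println("without ca_bundle:", err)
	_, err = VerifyInstalledCert(leafPEM, caPEM, host, issued.Add(-48*time.Hour))
	fmt.Println("firewall clock before the issue date:", err)
}
```

Run as-is, the first line reports a trusted chain and the days left, the second shows the error you get when no CA is present (the red X from Step 21), and the third shows the "not yet valid" failure a firewall whose clock is behind the certificate's issue date would produce, which is the reason for the note about keeping the firewall time correct. Because the free certificate only lasts 90 days, the days-left value is the number worth scheduling a renewal around.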

Added note about time
[edited by: emmosophos at 4:59 PM (GMT -7) on 13 Oct 2023]
  • A great article, thanks.
    .. but only a workaround because Let's Encrypt is still not implemented yet


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
