Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
This Recommended Read goes over how to install a Free and Valid SSL Certificate for the Sophos Firewall using zerosll.
To remove the warning page users get when entering the FQDN of the Firewall in their browser we need to install an SSL certificate signed by a valid Certificate authority, in this Recommended Read we will be going through the steps to get a free one from zerossl.com
What to do
1. Go to www.zerossl.com and click Get Free SSL on the upper right corner.
2. Create a Free Account
3. Once created in the Dashboard, go to > Create SSL Certificate, click New Certificate
4. In the SSL Certificate Setup page, enter the domain that the SSL certificate will cover
5. For Validity, select "90 days" and click Next Step
6. For CSR & Contact, DISABLE Auto-Generate CSR
7. In your Sophos Firewall, go to System > Administration > Admin and user settings, and confirm the FQDN of your Sophos Firewall
8. Go to System > Certificates > Click Add
9. Click the Radio bottom for "Generate Certificate signing request (CSR)"
10. For Name, enter the name you would like to associate with this certificate, this can be anything, but we recommend making it a meaningful one
Under the Subject name and attributes, fill out the corresponding information. Remember that the most important setting is the Common Name and email address (since the email address domain entered here will be the one used for zerossl to validate you own this domain.)
Note: Zerossl will only send a validation domain to one of the following emails:
Under Subject alternative names (SANs) define the entities for which your certificate will be valid. Entities can be DNS names or IP addresses. In this case, we will enter the FQDN of our domain and the Firewall.
11. Click SAVE, and you’ll see two arrows next to the CSR for the certificate signing request you just created, click the pointing down arrow and Copy to clipboard the CSR.
12. Go back to zerossl, enable only the 'Paste Existing CSR', then paste as plain text and click the next step
13. Select the Free "(0/month)" then click next
14. On email verification, select a valid email address (predefined by zerossl) and click Verify Domain
Note: You need to have access to this email address, as zerossl will send a verification email to this email.
15. Check your email, copy the verification key and click "Go to Verification Page"
16. Enter the verification key on Domain Control Validation (Part 2), then click next and close the window
17. You’ll receive another email shortly after, click “Install Certificate”/Go back to ZeroSSL.com, click refresh Status and Install the Certificate
18. Download the Certificate (.zip) on your Machine and extract it to a specific folder
19. Next go to the Sophos Firewall > System>Certificate>Name(zerosslnorouterid.ca) and click upload.
20. Choose File and select the certificate extracted(certificate) then import the certificate
21. Once uploaded, you probably will see a red x for Trusted. This is because the Sophos Firewall doesn't have the Certificate Authority installed.
22. Go to Certificate Authorities, Click Add, then choose file, select the “ca_bundle “then click save
23. Go back to Certificate Tab, and you should see a green tick instead of the red x. This means the certificate is trusted
24. To use the Certificate, go to System>Administration> Admin and user settings> Admin console and end-user interaction>select the newly created certificate(zerosslnorouterid.ca) then click apply and ok
25. To test. Go to your web browser and enter the hostname of the Sophos Firewall User Portal ( ex.norouterid.ca:4443)
26. You will see on the left corner of the URL that it is now secure” Connection is secure.”
[edited by: Erick Jan at 3:51 AM (GMT -7) on 4 May 2023]