This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Proxy CA certificate is expiring

Hi guys, since some days I'm getting this error on a Sophos UTM:

1 certificate(s) will expire within the next 30 days:
Proxy CA
System Uptime      : 4 days 14 hours 13 minutes
System Load        : 0.12
System Version     : Sophos UTM 9.501-5
The box was installed on 15 April 2014, I've never configured a "Proxy CA" or uploaded any custom or public certificates
If I look for "certificates" on UTM search box I can see just 3 certificates that expire on 2038
Local X509 Cert
WebAdmin certificate
admin (X509 User Cert)
Any advice on this issue guys? Thanks for help

This thread was automatically locked due to age.
  • Has there been any update on this since a ticket was opened?  I started receiving the same emails earlier this week from our UTM.  We are running 9.509-3 on SG210s.


    Thanks in advance



    I was able to generate a new cert.  Seemed to only happen on SG115's for me.

  • The certificate re-creation was never a problem, but the mail concerning about certificate expiring soon was sent further.
    After the expiring date it stopped. Maybe they fixed it with some updates.

    Gruß / Regards,

    Sophos CE/CA (XG+UTM), Gold Partner

  • Me too I'm having the same "issue", the mail warning is annoying

  • BAlfson said:

    This appears to be a design change, Miha, and it wasn't very well publicized.  If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob



    Sorry for bringing up an old thread, but I'm getting mail from an SG115 and an SG230. The license for Web Protection was never purchased by this client, so there's no obvious way for me to see how to generate a new cert. Can these mails be safely ignored until such time as the certs expire and, I hope, the mails stop coming?




  • Please let us know if the messages do stop.

    I've sent you a PM with a way to regenerate the Proxy CA if the messages don't stop.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I'd also like to have instructions on handling this.


    Our SG230 started sending this come 10 days ago. As usual, unfortunately, our service provider/distributer does not react on the info by the UTM, nor on my e-mail requests.

    We're already looking for a new service provider, along with extending our modules. Currently we have gear from other producers still active, but wanted to replace that gear by all-Sophos and obviously just had back luck with the service provider, but have to stick to this one for some months coming.

    / rant.

    (sorry, but not getting reactions from fully maintenanced (and paid up) services is frustrating)

    Nothing coming from one of the firewalls should be treated lightly, or else why would I need security gear anyway?

    I never received documentation. Can you please provide a link explaining what the proxy CA is, why it is expiring, confirm that this is probably harmless and instruct on how to stop the informations? From reading this thread, the problem is all but new and also it is obviously not limited to a current update.




  • Hallo André and welcome to the UTM Community!

    The Proxy CA is used for Web Filtering.  Without distributing it to all browsers, you will receive certificate warnings if you browse to an HTTPS web site.  You can see where to download or regenerate it on the 'HTTPS CAs' tab of 'Web Protection >> Filtering Options'.  If you aren't filtering HTTPS browsing, you can just regenerate and it will last another three years.  If you already have distributed it to your users, you will want to repeat that process.

    You might want to read Configuring HTTP/S proxy access with AD SSO.  Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.

    My private message referred to above only had to do with a way to overcome the fact that he didn't have a Web Protection subscription.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the quick reply, Bob.

    And sorry for not being clear enough from the beginning, but that's exactly my case as well. We do not have WebProtection as of yet.


    Web protection so far is still done using a comparative solution on an inner firewall; so far we're only using the SG230 for protecting the outer DMZ by some minor packet filtering and to administrate the guest WLAN, which we have in the same zone as DMZ; switching more/all services to Sophos products is scheduled for this year.

    So, I don't have web protection, but get the warnings about the certificate running out via administrative e-mail.

    Thanks for further help in advance,



  • I'm in the same situation: since a few days these expiration warnings are coming in and we don't have Web protection license on the box.

    I would appreciate getting the fix too.