
Cert expire Proxy CA - UTM 9....



We have Sophos UTM 9 running on an SG230, with firmware version 9.600-5.


Error message: 1 certificate(s) will expire within the next 30 days:

Proxy CA


Site-to-site VPN has 4 active tunnels.


We've redeployed the WebAdmin/User Portal certificate, but the message is still emailed to the engineering staff the next morning: "1 certificate(s) will expire within the next 30 days: Proxy CA".


Would appreciate help with this recurring message.


Kind regards,


  • The Proxy CA is the root certificate used to impersonate other websites. It is used for all HTTPS inspection and for block/warn on HTTPS sites even when HTTPS inspection is off.

    That certificate needs to be regenerated, because it expires (I think every 4 years).

    To minimize downtime, a clever system manager used this process and posted it to this forum:

    • Back up your UTM configuration.
    • Regenerate a new CA certificate.
    • Export the new CA certificate (with private key) to a file.
    • Restore UTM from your backup, so that the old certificate is active again.
    • Distribute the new CA via GPO.
    • After sufficient time for the GPO to replicate to your desktop devices, upload the new CA certificate back into UTM and make it active.
  • Dear Douglas Foster,

    The info you've posted on the community blog was very helpful, and I carried out some of the tasks you suggested, but with a small difference.

    The backups are done every evening, so I didn't need to worry about doing another backup.

    1. I logged onto the UTM and selected Web Protection -> Filtering Options -> HTTPS CAs -> Download -> Export as PKCS#12.

    2. Once the certificate was downloaded, I checked the certificate date. If the date showed the certificate was about to expire, I carried out step 3.

    3. I regenerated the CA; once regenerated, I downloaded the certificate and confirmed the expiry date was extended.

    By running this process the problem has now been resolved.

    Once again thanks for your input.
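The expiry check described in the two posts above (export the Proxy CA as PKCS#12, read its date, regenerate if it falls inside the 30-day warning window), as an added shell example that is not part of this thread or of the UTM product. It assumes the openssl CLI (1.1.1 or newer) is installed and that the export was password-protected; the sample CA it builds is constructed in place of a real UTM export.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PKCS#12 export of the
# UTM "Proxy CA" will expire within N days, the same 30-day window UTM warns on.
# Assumptions: the openssl CLI is available; file name, password and day count
# are supplied by the caller.

# ca_cert_pem FILE PASSWORD -> prints the CA certificate from the PKCS#12 as PEM
ca_cert_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 2>/dev/null
}

# check_ca_expiry FILE PASSWORD DAYS
# exit 0 if the certificate is still valid DAYS from now, 1 if it expires sooner
check_ca_expiry() {
    pem=$(ca_cert_pem "$1" "$2") || return 1
    [ -n "$pem" ] || return 1
    # show subject and notAfter, the date the thread's step 2 reads by hand
    printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
    # -checkend takes seconds and exits 1 when expiry falls inside the window
    printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# make_sample_ca FILE PASSWORD DAYS -> constructed self-signed CA in PKCS#12 form,
# standing in for a real UTM export so the check can be exercised offline
make_sample_ca() {
    d=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/key.pem" -out "$d/cert.pem" -days "$3" \
        -subj "/CN=Sample Proxy CA (constructed)" \
        -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -out "$1" -passout "pass:$2"
    rm -rf "$d"
}

# Demo on a constructed export that expires in 3 days; a real run would point at
# the file downloaded from Web Protection -> Filtering Options -> HTTPS CAs.
demo=$(mktemp -d)
make_sample_ca "$demo/proxyca.p12" secret 3
if check_ca_expiry "$demo/proxyca.p12" secret 30; then
    echo "Proxy CA ok: not expiring within 30 days"
else
    echo "Proxy CA expires within 30 days: regenerate and redistribute it"
fi
rm -rf "$demo"
```

Once the Proxy CA is regenerated, the same check against the new export confirms the extended date before the CA is pushed out by GPO.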


  • Yes, but then you need to push the new root certificate to all your devices.
