Certificate expiry notification (Proxy CA)


I received an email from my Sophos instance with the subject "[][WARN-600] Certificate(s) will expire"

1 certificate(s) will expire within the next 30 days:
Proxy CA

System Uptime : 231 days 21 hours 19 minutes
System Load : 0.17
System Version : Sophos UTM 9.705-3

I know the issue is discussed both in this forum and the support KB. However, I do face a problem not addressed in these links.

In my Sophos

a) "web filtering" is not enabled

and b) the page "Web Protection > Filtering Options > HTTPS CAs" suggested in the KB is not "active", i.e. I cannot click or download any certificate

So my questions are:
1) Am I going to be affected if this certificate expires?
2) How can I check if the certificate will auto-renew, since the page is inactive and I cannot interact with it?



PS I have found the object from a) Support > Advanced > Resolve REF_ and b) /var/log/fallback.log

$VAR1 = {
          'ref' => 'REF_CaMet12345678',
          'lock' => '',
          'autoname' => 1,
          'hidden' => 0,
          'type' => 'meta_x509',
          'class' => 'ca',
          'data' => {
                      'issuer_hash' => '123456...',
                      'subject_hash' => '123456...',
                      'subject' => 'C=uk, L=City, O=Example, CN=Example Proxy CA,',
                      'serial' => 'ABCDEFG...',
                      'public_key_algorithm' => 'rsaEncryption',
                      'name' => 'ABCDEFG...',
                      'issuer' => 'C=uk, L=City, O=Example, CN=Example Proxy CA,',
                      'startdate' => 'Mar 30 18:00:00 2018 GMT',
                      'fingerprint' => 'AB:CD:EF:GH...',
                      'comment' => '',
                      'enddate' => 'Jun 12 00:00:00 2021 GMT',
                      'subject_alt_names' => [
                                               'IP Address:'
                                             ],
                      'vpn_id' => '',
                      'vpn_id_type' => 'ipv4_address'
                    },
          'nodel' => ''
        };
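
An added example, not part of the original posts and not Sophos tooling: a small Python check that reads `enddate` from an object dump like the one above and reports whether it falls inside the 30-day window the WARN-600 mail mentions. The sample dump is constructed from the post's placeholder values; the function names and the reading of the 30-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the dump in the post (placeholder values).
SAMPLE_DUMP = """
$VAR1 = {
          'ref' => 'REF_CaMet12345678',
          'type' => 'meta_x509',
          'class' => 'ca',
          'data' => {
                      'subject' => 'C=uk, L=City, O=Example, CN=Example Proxy CA,',
                      'issuer' => 'C=uk, L=City, O=Example, CN=Example Proxy CA,',
                      'startdate' => 'Mar 30 18:00:00 2018 GMT',
                      'enddate' => 'Jun 12 00:00:00 2021 GMT',
                    },
        };
"""

FIELD_RE = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")  # flat 'key' => 'value' pairs
DATE_FMT = "%b %d %H:%M:%S %Y GMT"                  # date format used in the dump


def parse_fields(dump):
    """Collect the quoted string fields from the dump text."""
    return dict(FIELD_RE.findall(dump))


def expiry_status(dump, now, warn_days=30):
    """Return (days_left, state); warn_days=30 mirrors the mail (assumption)."""
    fields = parse_fields(dump)
    end = datetime.strptime(fields["enddate"], DATE_FMT).replace(tzinfo=timezone.utc)
    days_left = (end - now).days
    if days_left < 0:
        return days_left, "expired"
    if days_left <= warn_days:
        return days_left, "expiring"
    return days_left, "ok"


def is_self_signed(dump):
    """Name comparison only (issuer == subject), not a signature check."""
    fields = parse_fields(dump)
    return "subject" in fields and fields["subject"] == fields.get("issuer")


if __name__ == "__main__":
    days, state = expiry_status(SAMPLE_DUMP, datetime.now(timezone.utc))
    print(f"Proxy CA: {state} ({days} days), self-signed={is_self_signed(SAMPLE_DUMP)}")
```
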

  • FormerMember

    Hi,

    Thank you for reaching out to the Community!

    If you're not using the web proxy, you don't have to worry about this proxy CA notification.

    You could turn off the notification from Management > Notifications > search for WARN-600, or another option would be to get a temporary license for Web Protection (if not licensed) and regenerate the Proxy CA from Web Protection > Filtering Options > HTTPS CAs > Regenerate.

    If you already have the license for the web filtering, you could turn it on and regenerate the certificate and then turn it off.


  • Hi, thanks for the prompt answer.

    Indeed, turning on the "Web Protection", regenerating the certificate and then turning it off again seems to work.
