Suppose we have Apache 2.4 on CentOS 7 as our application server. We have this server protected by a Sophos UTM.
The traffic will come from the Internet via an additional interface, then through the WAF, and then to the server.
I have tested so far, and there is no issue getting the traffic to the server.
Now:
1. Where and how do I add the SSL certificate for this public IP?
2. Do I add it to the server or to the Sophos UTM, or to both the Sophos UTM and the server? (Traffic from the UTM to the server is via the LAN interface.)
You want Sophos to use the same certificate as the real webserver, so you need to export the certificate from that machine, and include the private key. You will be prompted to create a password for the file. This should create a file in PKCS#12 format. I know how to do that in Windows, but not on Unix.
In UTM, use Webserver Protection... Certificate Management... Certificates [tab]... New Certificate [button].
Change "Method" from Generate to Upload, and enter the rest of the prompts.
You will be asked for a name. I recommend a name that indicates both the certificate name and the time range, such as "SpecialApp 2020-2021". If you omit the date qualifier, things can get confusing after several renewals, especially now that the world is moving to renewal every 12 months.
After upload, go to the Virtual Webserver properties and pick the appropriate certificate. If it is a wildcard certificate or a certificate with multiple SANs, you will be prompted for the domains (host names) that the virtual webserver should serve.
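The answer above leaves the Unix side of the export open. The following script is an added example, not part of the original question or answer, showing how the same export is done on the CentOS 7 Apache box with openssl: it first checks that the private key really belongs to the certificate, then writes the PKCS#12 bundle with the validity range in its friendly name (the name the UTM will display), and finally reads the leaf certificate's CN back out of the bundle so it can be checked before upload. The host name specialapp.example.com, the password, the output path and the throwaway self-signed test material are assumptions so the script runs stand-alone; on the real server, point it at the files named by SSLCertificateFile and SSLCertificateKeyFile in the Apache vhost.

```shell
#!/bin/sh
# Added example (not from the original post): export the Apache certificate and
# its private key as a PKCS#12 bundle for upload in Sophos UTM under
# Webserver Protection > Certificate Management > Certificates > New Certificate
# with Method set to Upload. All paths, names and passwords here are assumptions.
set -eu

# Return 0 only if the private key belongs to the certificate. Comparing the
# public keys (rather than RSA moduli) works for RSA and ECDSA certificates alike.
keys_match() {
    cert=$1; key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build the PKCS#12 file. $3 is an optional PEM file with the intermediate chain
# (SSLCertificateChainFile on older Apache; on 2.4.8 and later the chain is usually
# already appended to SSLCertificateFile, in which case pass ""). $6 is the
# friendly name shown in the UTM, so it carries the validity range as suggested.
export_pkcs12() {
    cert=$1; key=$2; chain=$3; out=$4; pass=$5; name=$6
    if ! keys_match "$cert" "$key"; then
        echo "refusing to export: $key does not match $cert" >&2
        return 1
    fi
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name "$name" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -name "$name" -out "$out" -passout "pass:$pass"
    fi
    chmod 600 "$out"   # the bundle contains the private key; keep it private
}

# Read the CN of the leaf certificate back out of the bundle, so the file can be
# verified (and the password checked) before it is uploaded to the UTM.
bundle_cn() {
    p12=$1; pass=$2
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/'
}

# Constructed test material: a throwaway self-signed certificate standing in for
# the real SSLCertificateFile / SSLCertificateKeyFile. Not for production use.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
        -subj "/CN=specialapp.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

main() {
    work=$(mktemp -d)
    make_test_material "$work"
    export_pkcs12 "$work/server.crt" "$work/server.key" "" \
        "$work/SpecialApp-2020-2021.p12" "changeit" "SpecialApp 2020-2021"
    echo "bundle ready, leaf CN: $(bundle_cn "$work/SpecialApp-2020-2021.p12" changeit)"
    rm -rf "$work"
}
main
```

Two points worth knowing before the upload: the password given to `-passout` is the one the UTM will prompt for when you upload the file, and OpenSSL 3.x writes PKCS#12 files with AES-256 and PBKDF2 by default, which some older appliances cannot read; if the UTM rejects the bundle, re-export on the same command line with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to get the older algorithms that OpenSSL 1.x produced.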