Sophos ZTNA: Access Sophos Firewall Web Admin from ZTNA (Part 1: Get a Certificate)

DisclaimerThis information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


This Recommended Reads is Part 1 of the Series "Access the Sophos Firewall Web Admin from ZTNA.
Note: The information in this Recommended is relevant to creating a certificate without following the full series.


  • Linux or Windows machine with Certbot
  • Access to a 3rd Party Public DNS

Wildcard Certificate

By default, ZTNA needs a wild certificate signed by a Public CA; you can get one for free using Let' Encrypt and Certbot.

In my case, I installed Kali Linux in a VM, but you can use any Ubuntu distro. 

1. Open a Terminal in Kali and enter the following:

sudo apt-get update

└─$ sudo apt-get -y install certbot

(you might be asked to enter your sudo password)

After updating apt database, We can install certbot using apt-get by running the following command:

sudo apt-get -y install certbot

└─$ sudo apt-get -y install certbot

(you might be asked to enter your sudo password)

Once Certbot is installed, enter

└─$ sudo certbot certonly \
> --manual \
> --preferred-challenge=dns \
> --server \
> --agree-tos \
> --domain *

And press enter

You should get the following output, (make a note of the two values marked in red)

Note: Do NOT press enter at this time

The above asks you to create a TXT Record in your Public DNS where your domain is registered so that Let's Encrypt can confirm that you own the domain.

I am using NameCheap

In Name Cheap go to your Domain List

Find the Domain you entered in the command above (the one Let's encrypt will create the certificate for) and click Manage

Then go to Advanced DNS > Host Records

Click Add New Record


Type = TXT 

Host = _acme-challenge 

Value = pJtiCDG-LJ3RwVfrtTeUd11upx9-Ex*********A

TTL = Automatic

Note: Make sure you enter the complete value, I substituted some letters for * in the RR on purpose) 

Note: This is the format Namecheap follows for the TXT, it might be different for other DNS providers.

Wait around 2 minutes and then press enter in Kali, if your TXT record is correct and has propagated you should see the following:

The easiest way when using Kali, to see your certificate and key is by using sudo cat and then copying what you see to Notepad ++

In my case the cert and privkey are stored in etc/letsencrypt/live/

In Kali I would enter the following:

sudo cat /etc/letsencrypt/live/

Then enter your password, and you should see ---BEGIN PRIVATEKEY---

Copy ALL the text including --BEGIN PRIVATE KEY --- and ---END PRIVATE KEY----- and paste in Notepad++

Save the file as .pem in Notepad++

Do the same for the fullchain.pem (this is your certificate) 

Note: When you Cat the full fullcertificate, you’ll see 3 BEGIN and 3 END Certificates; you must copy and paste all of them in one go.

Save the File as .pem (Example cert.pem)

Keep in mind where you saved the files, as we would need them later on.

That is it for your Wildcard certificate.

[edited by: emmosophos at 11:16 PM (GMT -8) on 10 Nov 2023]