This guide shows you how to generate a CSR (Certificate Signing Request) on Sophos Firewall from the web admin console. The CSR is the file your Certificate Authority needs to issue your SSL/TLS certificate, and the matching private key is created on the firewall at the same time and never leaves it.
Note on the name: Sophos XG Firewall was rebranded to simply Sophos Firewall in 2021, starting with Sophos Firewall OS (SFOS) v18.5 and the XGS-series appliances. The operating system is still called SFOS. The steps below match current SFOS releases (v19, v20, and v21); older v17.x builds use a slightly different layout but follow the same idea.
Generate the CSR on Sophos Firewall
You can also create the CSR off the appliance with our CSR Generator, but then you have to import the private key back into Sophos as a PKCS12 (.pfx/.p12) file later. Generating it directly on the firewall keeps the key on the device and avoids that extra step.
Step 1: Open the Certificates page
Sign in to the Sophos Firewall admin console and go to Certificates > Certificates, then click Add.
Use the Certificates tab, not the Certificate Authorities tab. Your server (leaf) certificate and its CSR belong under Certificates > Certificates. The Certificate Authorities tab is only for importing CA (trust-chain) certificates, for example a private CA or a root/intermediate you want the firewall to trust.
Step 2: Choose the CSR action
For the Action, select Generate certificate signing request (CSR). The other options (Upload certificate and Generate locally-signed certificate) are for importing an already-issued certificate or for creating a self-signed certificate from the firewall’s own CA, neither of which is what you want here.
Step 3: Fill in the certificate details
Under Certificate Details, complete the following fields:
- Name: enter a clear, friendly name so you can identify the CSR (and later the certificate) on the firewall.
- Key type: choose RSA for the widest compatibility, or Elliptic curve for smaller keys and faster handshakes if your CA supports it.
- Key length (RSA): select 2048. This is the minimum any public CA will sign today; 3072 or 4096 are acceptable if your policy requires them.
- Curve name (Elliptic curve): a P-256 or P-384 curve is the typical choice.
- Secure hash: select SHA-256. Anything weaker (SHA-1, MD5) will be rejected by public CAs.
Under Subject Name Attributes, provide your organization’s details exactly as they appear in official records. Public CAs verify these against business registries for OV and EV certificates, so typos or abbreviations will cause delays.
- Country name: select your country from the drop-down (for example, Canada).
- State: write the full name of the state, province, or region where the company is registered. Do not abbreviate (for example, British Columbia, not BC).
- Locality name: the full name of the city or town (for example, Vancouver).
- Organization name: the full legal name of the company that owns the domain (for example, Your Company LLC). For a DV certificate you can put a personal name, but for OV/EV the legal entity must match company records.
- Organization unit name: optional. CAs are increasingly removing this field from issued certificates, so it is safe to leave it blank.
- Common name: the fully qualified domain name (FQDN) you are securing, for example vpn.yourdomain.com or yourdomain.com. For a wildcard certificate, use *.yourdomain.com.
- Email address: a working contact address. The CA may write to it during validation.
Step 4: Add Subject Alternative Names (SAN)
Under Subject Alternative Names (SAN), add every hostname or IP address the certificate has to cover. Browsers and modern clients ignore the Common Name and match against SANs only, so a missing SAN is the single most common reason a certificate “works” in the firewall but throws a name-mismatch error in a browser.
- Repeat the value you used in the Common Name as the first SAN entry. Most public CAs require this.
- Add any other hostnames you need (for example, portal.yourdomain.com, vpn.yourdomain.com) if you ordered a multi-domain (SAN) certificate.
- For a wildcard, the SAN can be *.yourdomain.com (and usually yourdomain.com on top).
On older SFOS builds that do not expose the SAN field, open Advanced settings and use the Certificate ID field instead, with the DNS type selected for hostnames.
Step 5: Save and download the CSR
Click Save. Sophos Firewall generates the CSR and its matching private key on the appliance, and the new entry appears in the Certificates list with CSR shown in the Type column.
To download the CSR, find your entry by the Name you gave it, then click the download icon under the Manage column. The firewall saves a .csr file to your computer. You can open it with any text editor (Notepad, TextEdit, VS Code) to copy the Base64 block, which looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIC...
...
-----END CERTIFICATE REQUEST-----
Before sending it to the Certificate Authority, paste the block into our CSR Decoder to confirm the Common Name, SANs, key size, and organization fields match what you intended. A bad CSR caught here saves a re-issue request later.
Submit the CSR and install the certificate
During checkout (or in your CA account afterwards), paste the entire Base64 block, including the BEGIN and END lines, into the CSR field. After the CA validates your order and issues the certificate, you import the issued files back into Sophos Firewall under Certificates > Certificates > Add > Upload certificate. The full import procedure is in our companion guide on how to install an SSL certificate on Sophos Firewall.
Important: because the private key was generated on this firewall, install the issued certificate on the same appliance. If you move to a different firewall, regenerate the CSR there or rekey the certificate, otherwise the certificate will not have a matching key on the new device.
Frequently Asked Questions
Yes. Sophos XG Firewall was renamed Sophos Firewall in 2021, alongside the launch of the XGS-series appliances and Sophos Firewall OS (SFOS) v18.5. It is the same product line; the operating system is still called SFOS. Older appliances on earlier firmware are the same platform under the previous name.
In the admin console, go to Certificates > Certificates and click Add, then set the Action to Generate certificate signing request (CSR). Do not use the Certificate Authorities tab. That tab is only for CA (trust-chain) certificates.
It stays on the firewall. Sophos Firewall does not let you download the private key from the admin console; that is by design. When the CA returns the signed certificate, you upload it back into the same firewall under Certificates > Certificates > Add > Upload certificate, and the appliance pairs it with the key that has been waiting on the device.
No, not safely. Because the private key is generated on the appliance and is not exportable through the admin console, a CSR from one Sophos Firewall is only usable on that same firewall. If you need the certificate on a different device, generate the CSR off the appliance with our CSR Generator (which gives you both the CSR and the private key as files), or rekey the certificate with your CA and start the process on the target firewall.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


