This guide explains how to install an SSL certificate on Sophos Firewall through the admin console, then how to apply it to the services that use it (the web admin console, the user portal, and VPN/WAF).
Note on the name: Sophos XG Firewall was rebranded to simply Sophos Firewall in 2021, starting with Sophos Firewall OS (SFOS) v18.5 and the XGS-series appliances. The operating system is still called SFOS. The steps below apply to current SFOS releases (v19, v20, v21, and v22); older v17.x builds use a slightly different layout but the same idea.
Generate a CSR code on Sophos Firewall
CSR stands for Certificate Signing Request: a block of encrypted text containing your contact details, such as your domain and company identity. When you apply for an SSL certificate, you submit this CSR to your Certificate Authority (CA) for validation. Along with the CSR, you also generate a private key, which stays on the Sophos system. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Sophos Firewall.
Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your certificate, continue with the installation below.
Install an SSL certificate on Sophos Firewall
Once you have received your SSL files from the CA, you can import them into the firewall. Sophos Firewall accepts certificates in several formats, so you can upload the certificate and key separately or import a single bundled file.
What you will need
- Your SSL certificate: in .pem, .der, .cer, .p7b (PKCS7), or .pfx/.p12 (PKCS12) format. It is inside the ZIP archive you received from your CA.
- Your private key: the one generated together with the CSR. You only upload this separately if your certificate file does not already contain it. A .pfx/.p12 file already includes the key.
- The passphrase: the password protecting your private key or PKCS12 file, if you set one (maximum 30 characters).
Tip: if you generated the CSR on this same Sophos Firewall, the matching private key is already stored on the appliance. In that case, import the certificate that completes that existing request rather than uploading a separate key.
Step 1: Open the Certificates page
Sign in to the Sophos Firewall admin console and go to Certificates > Certificates, then click Add.
Do not use the Certificate Authorities tab for this. Your server (leaf) certificate belongs under Certificates. The Certificate Authorities tab is only for importing CA certificates, for example a private CA or a root/intermediate you want the firewall to trust.
Step 2: Choose how to add the certificate
For the Action, select Upload certificate (the other option, Generate locally-signed certificate, creates a self-signed certificate from the firewall’s own CA, not what you want when installing a CA-issued certificate).
Step 3: Fill in the certificate details
- Name: enter a clear, friendly name so you can identify the certificate later.
- Certificate file format: from the drop-down, select the format that matches your file: PEM, DER, CER, PKCS7, or PKCS12.
- Certificate: click Browse and select your SSL certificate file.
- Private key: click Browse and select your private key file. Skip this if you chose PKCS12, or if the key already lives on the firewall from a CSR you generated there.
- Passphrase: enter the password for the private key or PKCS12 file if it has one.
Click Save. Your certificate now appears in the list on the Certificates page, ready to be assigned to a service.
Apply the certificate to a service
Uploading a certificate does not put it into use on its own. By default the firewall keeps serving its built-in ApplianceCertificate. Tell the relevant service to use your new certificate:
- Admin console and user portal: go to System > Administration > Admin and user settings. Under Admin console and end-user interaction, set the Certificate drop-down to your newly uploaded certificate, then click Apply. The admin console reloads over the new certificate.
- SSL VPN / remote access: select the certificate as the server certificate in the relevant VPN configuration (for example under Remote access VPN or VPN > SSL VPN, depending on your SFOS version).
- Web Application Firewall (WAF) / reverse proxy: choose the certificate in the firewall rule or web server that publishes the protected site.
Heads-up: if your new certificate uses the same hostname (FQDN) as an existing entry, rename or remove the old one first. On some SFOS builds a duplicate FQDN prevents the certificate from being selected.
Test your SSL installation
After you apply the certificate, run a quick diagnostic against the service it protects to confirm the full chain is served and there are no warnings. Use our SSL checker. In a few seconds they flag missing intermediates, weak protocols, and other common issues.
You can also check from any computer with OpenSSL by pointing it at the firewall’s HTTPS service and reading the certificate it returns:
echo | openssl s_client -connect firewall.yourdomain.com:443 -servername firewall.yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates
If the certificate is installed correctly, this prints its issuer, subject, and validity dates. Replace the host and port with the address and port of the service you secured (for example the user portal or admin console port).
Where to buy the best SSL certificate for Sophos Firewall
SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with Sophos Firewall.
To help you pick the right product, we built a couple of handy tools. Our SSL Wizard recommends the best SSL deal for your project.
Frequently Asked Questions
Yes. Sophos XG Firewall was renamed Sophos Firewall in 2021, alongside the launch of the XGS-series appliances and Sophos Firewall OS (SFOS) v18.5. It is the same product line; the operating system is still called SFOS. Older appliances running earlier firmware are the same platform under the previous name.
In the admin console, go to Certificates > Certificates and click Add, then choose Upload certificate. Do not use the Certificate Authorities tab for your server certificate. That tab is only for CA (trust-chain) certificates.
Sophos Firewall supports PEM (.pem), DER (.der), CER (.cer), PKCS7 (.p7b), and PKCS12 (.pfx or .p12). A PKCS12 file bundles the certificate and the private key together, so you do not upload a separate key file for that format.
Only sometimes. If you generated the CSR on this firewall, the private key is already on the appliance, so you just import the issued certificate. If you upload a .pfx/.p12 file, the key is already inside it. You upload a separate key file only when your certificate file (for example a standalone .pem or .der) does not contain one.
This usually happens when the firewall does not have the matching private key (for example you uploaded only the certificate), or when another certificate already uses the same hostname. Re-import the certificate together with its private key (PKCS12 is the most reliable), and rename or delete any older entry that shares the same FQDN. Then select it under System > Administration > Admin and user settings.
Uploading only stores the certificate. To put it into use for the web admin console and the user portal, go to System > Administration > Admin and user settings, set the Certificate drop-down to your certificate, and click Apply. For VPN or WAF, select the certificate in the relevant VPN configuration or firewall/web-server rule.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


