Install Sophos Firewall CA certificate for HTTPS scanning (SFOS)

If you want to scan HTTPS traffic on the Sophos firewall, you need to import the Sophos SSL proxy certificate on the clients so that no error message appears in the browser. In this tutorial we will show you how to set up this certificate for Internet Explorer, Edge, Firefox and Google Chrome browsers.

Download Sophos SSL CA

Log in to your Sophos Firewall (SFOS) as an administrator and go to Zertifikate > Zertifizierungsstelle (CA) from the menu. Then click on the download icon next to SecurityAppliance_SSL_CA.

You will find the certificate under the name SecurityAppliance_SSL_CA.pem on your hard disk.

Distribute certificate via GPO (IE, Edge, Chrome)

The easiest way to distribute the certificate to all computers on the network is via a group policy in a domain. If you don’t have a domain, you can see the instructions for local installation for Windows and macOS below. For now, we will explain how the distribution of the certificate for the Internet Explorer, Edge and Google Chrome browser works. Since Firefox has its own certificate management, the procedure there is somewhat different. We describe this later in this article.

1. First, log in to your Active Directory server.
2. Open the Gruppenrichtlinienverwaltung, select a policy and change to the directory Vertrauenswürdige Stammzertifizierungsstellen > Zertifikate .
3. Then right-click in an empty area in the right column to open the context menu. Then select Alle Aufgaben > Importieren... .
4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.

Installing a certificate on a local Windows computer

If you want to import the certificate on a single Windows computer, the procedure is practically the same as if you were importing the certificate on the Active Directory server.

1. Log in to your local Windows computer.
2. Open the program certmgr.msc from the start menu and change to the directory Vertrauenswürdige Stammzertifizierungsstellen > Zertifikate .
3. Then right-click in an empty area in the right column to open the context menu. Then select Alle Aufgaben > Importieren... .
4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.

Installing a certificate on a local Mac computer

On a Mac, the installation is also very simple. As is well known, certificates are managed there in the key ring.

1. Open the certificate SecurityAppliance_SSL_CA.pem with a double click. After that, the keychain will be opened automatically.
2. Set the status for this certificate to Immer vertrauen.
3. After that you can close the window and have to enter your admin password as confirmation.

Install certificate via GPO for Mozilla Firefox (Windows)

Mozilla’s Firefox browser has its own certificate management and therefore the methods described above unfortunately do not work. So if you surf the Internet with Firefox, you will have to put up with a somewhat more cumbersome installation of the certificate here.

1. download Firefox GPO template

Mozilla provides the GPO templates for Firefox on GitHub. You need the following files:

• firefox.admx
• mozilla.admx
• firefox.adml
• mozilla.adml

You can download these files individually from the Github Mozilla repository. Or you can download the complete policy_templates.zip, which contains all files for Windows and macOS in different languages.

2. import templates on Windows

Next, these .admx and .adml files still need to be copied to the correct folder on the Active Directory server so that they are later visible as a template in the Group Policy Management Editor. Make sure that you log in with a user who has sufficient permissions.

1. Open Windows Explorer and go to the path C:\Windows\PolicyDefinitions. If your root partition does not have the drive letter C:, you can also call the path with a variable: %systemroot%\PolicyDefinitions.
2. Copy the two documents firefox.adml and mozilla.adml into this folder.
3. The files firefox.admx and mozilla.admx are available in different languages and belong in the corresponding subfolder de-DE or en-US.

3. create guideline

1. Now open in the group policy management editor the Administrativen Vorlagen > Mozilla > Firefox > Zertifikate > Install Certificates.
2. Enable the policy and paste the name of the certificate file you downloaded from your firewall earlier. At the time of this writing, the name is SecurityAppliance_SSL_CA.pem.

4. copy certificate to Windows computer

In order for the certificate to be imported when the browser is started, the .pem file must be copied to the user profile. You can also do this via the GPO. The certificate SecurityAppliance_SSL_CA.pem must be copied to the following two directories:

• %USERPROFILE%
• %USERPROFILE%

5. control Firefox certificate management

To check if everything worked, you can open the certificate management via the settings in Firefox. Under the tab Zertifizierungsstellen you should now find the Sophos certificate.

Info: If you want to import the certificate on a macOS or Linux system, you can find the system paths on the following page: Mozilla Wiki – Add Root Certificate to Firefox