How to install SSL CA Certificate for Sophos HTTPS Scanning

If you want to scan HTTPS traffic on the Sophos Firewall, you must import the Sophos SSL Proxy certificate on the clients so that no error message appears in the browser. This guide will show you how to set up this certificate for Internet Explorer, Edge, Firefox and Google Chrome browsers.

Download Sophos SSL CA

Log on to your Sophos Firewall (SFOS) as an administrator and go to the Certificates > Certificate authorities page from the menu. Then click on the download icon next to SecurityAppliance_SSL_CA.

Download the Sophos SSL CA certificate.

Afterwards you will find the certificate under the name SecurityAppliance_SSL_CA.pem on your hard disk.

Distribute certificate via GPO (IE, Edge, Chrome)

The easiest way to distribute the certificate to all computers on the network is through Group Policy in a domain. If you don’t have a domain, see the instructions below for local installation for Windows and macOS. We’ll first explain how to distribute the certificate for the Internet Explorer, Edge and Google Chrome browsers. Since Firefox has its own certificate management, the procedure is a bit different there. This is described later in this article.

  1. Log in to your Active Directory Server first.
  2. Open the program certmgr.msc and change to the directory Trusted Root Certification Authorities > Certificates.
  3. Right-click on an empty area in the right column to open the context menu. Then select All Tasks > Import....
  4. follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.
Trusted Root Certification Authorities

Install the certificate on a local Windows computer

If you want to import the certificate on a single Windows computer, the procedure is practically the same as if you were importing the certificate on the Active Directory server.

  1. Log in to your local Windows computer.
  2. Open the program certmgr.msc via the start menu and change to the directory Trusted Root Certification Authorities > Certificates.
  3. Right-click on an empty area in the right column to open the context menu. Then select All Tasks > Import....
  4. follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.
Trusted Root Certification Authorities

Install the certificate on a local Mac computer.

On a Mac, installation is also very simple. As you know, certificates are managed there in a keychain.

  1. Open the certificate SecurityAppliance_SSL_CA.pem with a double click. Then the keychain will be opened automatically.
  2. set the status for this certificate to Always trust.
  3. After that you can close the window and enter your admin password as confirmation.
macOS keychain management - Trust certificate

Install certificate via GPO for Mozilla Firefox (Windows)

Mozilla’s Firefox browser has its own certificate management and therefore the methods described above do not work. So if you surf the Internet with Firefox, you have to accept a more complicated installation of the certificate.

1. Download Firefox GPO Template

Mozilla provides the GPO templates for Firefox on GitHub. You need the following files:

  • firefox.admx
  • mozilla.admx
  • firefox.adml
  • mozilla.adml

You can download these files individually from the Github Mozilla Repository. Or you can download the complete policy_templates.zip which contains all files for Windows and macOS in different languages.

Firefox GPO template files from GitHub

2. Import templates to Windows

Next, these .admx and .adml files must be copied to the correct folder on the Active Directory server so that they can later be seen as a template in the Local Group Policy Editor. Make sure that you log in with a user who has sufficient permissions.

  1. Open the Windows Explorer and go to the path C:\Windows\PolicyDefinitions. If your root partition does not have the drive letter C:, you can also call the path with a variable: %systemroot%\PolicyDefinitions.
  2. Copy the two documents firefox.adml and mozilla.adml into this folder.
  3. The files firefox.admx and mozilla.admx are available in different languages and belong to the corresponding subfolders de-DE or en-US.
Copy firefox.adml and mozilla.adml files to the PolicyDefinitions folder.

3. Create policy

  1. Open the Administrative Templates > Mozilla > Firefox > Certificates > Install Certificates in the Local Group Policy Editor. 2 Activate the policy and add the name of the certificate file you downloaded from your Firewall. At the time of this writing, the name is SecurityAppliance_SSL_CA.pem.
Install Firefox certificates

4. Copy certificate to Windows computer

To import the certificate when starting the browser, the .pem file must be copied into the user profile. You can also do this via the GPO. The certificate SecurityAppliance_SSL_CA.pem must be copied into the following two directories:

  • %USERPROFILE%\AppData\Local\Mozilla\Certificates
  • %USERPROFILE%\AppData\Roaming\Mozilla\Certificates

5. Control Firefox certificate management

To check if everything worked, you can open the Certificate Manager via the settings in Firefox. You should now find the Sophos certificate under the Authorities tab.

Firefox certificate management with the Sophos certificate.

Info: If you want to import the certificate on a macOS or Linux system, you can find the system paths on the following page: Mozilla Wiki - Add Root Certificate to Firefox