Install Sophos Firewall CA certificate for HTTPS scanning (SFOS)

If you want to scan HTTPS traffic on Sophos Firewall, you need to import the Sophos SSL proxy certificate on the clients so that no error message appears in the browser. In this tutorial, we will show you how to set up this certificate for Internet Explorer, Edge, Firefox and Google Chrome browsers.

Download Sophos SSL CA

Log in to your Sophos Firewall (SFOS) as an administrator and use the menu to switch to the page Certificates > Certification Authority (CA). Then click on the download icon next to SecurityAppliance_SSL_CA.

You will then find the certificate under the name SecurityAppliance_SSL_CA.pem on your hard disk.

Distribute certificate via GPO (IE, Edge, Chrome)

The easiest way to distribute the certificate to all computers on the network is via a group policy in a domain. If you don't have a domain, see the instructions for local installation on Windows and macOS below. First, we explain how to distribute the certificate for the Internet Explorer, Edge and Google Chrome browsers. Since Firefox has its own certificate management, the procedure there is slightly different; we describe it further down in this article.

  1. First, log in to your Active Directory server.
  2. Open the Group Policy Management, select a policy and go to Trusted Root Certification Authorities > Certificates.
  3. Right-click an empty area in the right column to open the context menu, then select All Tasks > Import....
  4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.

Install certificate on a local Windows computer

If you want to import the certificate on a single Windows computer, the procedure is practically the same as if you were importing the certificate on the Active Directory server.

  1. Log in to your local Windows computer.
  2. Open the program certmgr.msc via the start menu and go to Trusted Root Certification Authorities > Certificates.
  3. Right-click an empty area in the right column to open the context menu, then select All Tasks > Import....
  4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.
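
A scripted equivalent of the certmgr.msc steps above, as an added example that is not part of the original article: it checks that the downloaded file really is a CA certificate inside its validity period, shows its SHA-256 fingerprint, and only then adds it to the current user's Trusted Root store. The download path and the optional expected fingerprint (a value you obtained out of band) are assumptions.

```powershell
# Added example, not from the original article.
using namespace System.Security.Cryptography.X509Certificates

param(
    # Assumed download location of the file exported from the firewall.
    [string]$PemPath = "$env:USERPROFILE\Downloads\SecurityAppliance_SSL_CA.pem",
    # Optional SHA-256 fingerprint obtained out of band (assumption; empty = skip check).
    [string]$ExpectedSha256 = ''
)
$ErrorActionPreference = 'Stop'

# .NET resolves relative paths against its own working directory, so make it absolute.
$PemPath = (Resolve-Path -LiteralPath $PemPath).Path
$cert = [X509Certificate2]::new($PemPath)   # accepts Base64 (PEM) and DER encoding

# SHA-256 over the DER encoding, upper-case hex without separators.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''

# A certificate that signs HTTPS-scanning certificates must have basicConstraints CA=TRUE.
$bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "Not a CA certificate: $($cert.Subject)" }

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }

if ($ExpectedSha256 -and ($fingerprint -ne ($ExpectedSha256 -replace '[:\s]', ''))) {
    throw "Fingerprint mismatch, refusing to install. Got $fingerprint"
}

"Subject     : $($cert.Subject)"
"Valid until : $($cert.NotAfter)"
"SHA-256     : $fingerprint"

# certmgr.msc manages the current user's stores, so use CurrentUser\Root here.
# Windows shows a confirmation dialog when a root is added to this store.
$store = [X509Store]::new([StoreName]::Root, [StoreLocation]::CurrentUser)
$store.Open([OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
    $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $cert.Thumbprint, $false)
    if ($found.Count -eq 0) { throw 'Certificate was not added to the store.' }
    "Installed in CurrentUser\Root with thumbprint $($cert.Thumbprint)"
} finally {
    $store.Close()
}
```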

Install certificate on a local Mac computer

On a Mac, the installation is also very simple. As you know, certificates are managed in the keychain.

  1. Open the certificate SecurityAppliance_SSL_CA.pem with a double click. After that the keychain will be opened automatically.
  2. Set the status for this certificate to Always trust.
  3. After that you can close the window; you will have to enter your admin password as confirmation.

Install certificate via GPO for Mozilla Firefox (Windows)

The Firefox browser from Mozilla has its own certificate management and therefore the methods described above unfortunately do not work. So if you surf the Internet with Firefox, you will have to accept a somewhat more complicated installation of the certificate.

1. Download Firefox GPO template

Mozilla provides the GPO templates for Firefox on GitHub. You need the following files:

  • firefox.admx
  • mozilla.admx
  • firefox.adml
  • mozilla.adml

You can download these files individually from the Mozilla repository on GitHub. Alternatively, you can download the complete policy_templates.zip, which includes all files for Windows and macOS in different languages.

2. Import templates on Windows

Next, the .admx and .adml files must be copied to the correct folder on the Active Directory server so that they are later visible as a template in the Group Policy Management Editor. Make sure that you log in with a user that has sufficient permissions.

  1. Open Windows Explorer and go to the path C:\Windows\PolicyDefinitions. If your root partition does not have the drive letter C:, you can also call the path with a variable: %Systemroot%\PolicyDefinitions.
  2. Copy the two documents firefox.adml and mozilla.adml into this folder.
  3. The files firefox.admx and mozilla.admx are available in different languages and belong in the corresponding subfolder en-EN or en-US.

3. Create policy

  1. Now open Administrative templates > Mozilla > Firefox > Certificates > Install Certificates in the Group Policy Management Editor.
  2. Enable the policy and paste the name of the certificate file that you previously downloaded from your firewall. At the time of this writing, the name is SecurityAppliance_SSL_CA.pem.

4. Copy certificate to Windows computer

In order for the certificate to be imported when the browser is started, the .pem file must be copied to the user profile. This can also be done via the GPO. The certificate SecurityAppliance_SSL_CA.pem must be copied to the following two directories:

  • %USERPROFILE%\AppData\Local\Mozilla\Certificates
  • %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
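
One way to do this copy from a logon script, as an added example that is not part of the original article: it refuses to deploy a file whose hash differs from the one recorded at download time, copies it to both directories only when needed, and verifies the result. The source share path and the pinned hash parameter are hypothetical.

```powershell
# Added example, not from the original article: logon-script deployment of the CA file.
param(
    # Hypothetical source share; it should be writable by administrators only,
    # because whoever can replace this file can plant a trusted root in Firefox.
    [string]$Source = '\\example.local\NETLOGON\SecurityAppliance_SSL_CA.pem',
    # SHA-256 of the PEM file itself, recorded with Get-FileHash right after download.
    # This is a hash of the file bytes, not the certificate fingerprint.
    [Parameter(Mandatory)][string]$ExpectedFileSha256
)
$ErrorActionPreference = 'Stop'

# Refuse to deploy a file that differs from the one the administrator downloaded.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
if ($srcHash -ne $ExpectedFileSha256.Trim()) {
    throw "Source file hash $srcHash does not match the pinned value."
}

# The two per-user directories named in the article.
$targets = @(
    Join-Path $env:USERPROFILE 'AppData\Local\Mozilla\Certificates'
    Join-Path $env:USERPROFILE 'AppData\Roaming\Mozilla\Certificates'
)

foreach ($dir in $targets) {
    # Keep the file name, since the Install Certificates policy refers to it by name.
    $dest = Join-Path $dir (Split-Path $Source -Leaf)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Copy only when the file is missing or differs, so repeated logons do no extra work.
    $current = if (Test-Path -LiteralPath $dest) {
        (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    }
    if ($current -ne $srcHash) {
        Copy-Item -LiteralPath $Source -Destination $dest -Force
        $current = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    }
    if ($current -ne $srcHash) { throw "Verification failed for $dest" }
    "OK  $dest"
}
```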

5. Check Firefox certificate management

To check whether everything worked, open the certificate management in the Firefox settings. Under the Authorities tab you should now find the Sophos certificate.

Info: If you want to import the certificate on a macOS or Linux system, you can find the system paths on the following page: Mozilla Wiki - Add Root Certificate to Firefox
