Skip to content
Avanet

Install Sophos Firewall CA certificate for HTTPS scanning (SFOS)

Sophos Firewall

If you want to scan HTTPS traffic on Sophos Firewall, you need to import the Sophos SSL proxy certificate on the clients so that no error message appears in the browser. This tutorial explains how to set up this certificate for Internet Explorer, Edge, Firefox, and Google Chrome.

Download Sophos SSL CA

Log in to your Sophos Firewall (SFOS) as an administrator and go to Certificates > Certificate authorities (CA) from the menu. Then click on the download icon next to SecurityAppliance_SSL_CA.

Download Sophos SSL CA certificate

You will find the certificate under the name SecurityAppliance_SSL_CA.pem on your hard disk.

Distribute certificate via GPO (IE, Edge, Chrome)

The easiest way to distribute the certificate to all computers on the network is via a group policy in a domain. If you don’t have a domain, you can see the instructions for local installation for Windows and macOS below. For now, we will explain how the distribution of the certificate for the Internet Explorer, Edge and Google Chrome browser works. Since Firefox has its own certificate management, the procedure there is somewhat different. We describe this later in this article.

  1. First, log in to your Active Directory server.
  2. Open Group Policy Management, select a policy and change to the directory Trusted Root Certification Authorities > Certificates.
  3. Then right-click in an empty area in the right column to open the context menu. Then select All Tasks > Import....
  4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.
Trusted root certification bodies

Installing a certificate on a local Windows computer

If you want to import the certificate on a single Windows computer, the procedure is practically the same as if you were importing the certificate on the Active Directory server.

  1. Log in to your local Windows computer.
  2. Open the program certmgr.msc from the start menu and change to the directory Trusted Root Certification Authorities > Certificates.
  3. Then right-click in an empty area in the right column to open the context menu. Then select All Tasks > Import....
  4. Follow the short import wizard and select the SecurityAppliance_SSL_CA.pem certificate.
Trusted root certification bodies

Installing a certificate on a local Mac computer

On a Mac, the installation is also very simple. As is well known, certificates are managed there in the key ring.

  1. Open the certificate SecurityAppliance_SSL_CA.pem with a double click. After that, the keychain will be opened automatically.
  2. Set the status for this certificate to Always Trust.
  3. After that you can close the window and have to enter your admin password as confirmation.
macOS Keychain Management - Trust Certificate

Install certificate via GPO for Mozilla Firefox (Windows)

Mozilla’s Firefox browser has its own certificate management and therefore the methods described above unfortunately do not work. So if you surf the Internet with Firefox, you will have to put up with a somewhat more cumbersome installation of the certificate here.

1. Download Firefox GPO template

Mozilla provides the GPO templates for Firefox on GitHub. You need the following files:

  • firefox.admx
  • mozilla.admx
  • firefox.adml
  • mozilla.adml

You can download these files individually from the GitHub Mozilla repository. Or you can download the complete policy_templates.zip, which contains all files for Windows and macOS in different languages.

Firefox GPO template files from GitHub

2. Import templates on Windows

Next, these .admx and .adml files still need to be copied to the correct folder on the Active Directory server so that they are later visible as a template in the Group Policy Management Editor. Make sure that you log in with a user who has sufficient permissions.

  1. Open Windows Explorer and go to the path C:\Windows\PolicyDefinitions. If your root partition does not have the drive letter C:, you can also call the path with a variable: %systemroot%\PolicyDefinitions.
  2. Copy the two documents firefox.adml and mozilla.adml into this folder.
  3. The files firefox.admx and mozilla.admx are available in different languages and belong in the corresponding subfolder de-DE or en-US.
Install Firefox certificates

3. Create policy

  1. In the Group Policy Management Editor, open Administrative Templates > Mozilla > Firefox > Certificates > Install Certificates.
  2. Enable the policy and paste the name of the certificate file you downloaded from your firewall earlier. At the time of this writing, the name is SecurityAppliance_SSL_CA.pem.
GPO for Firefox

4. Copy certificate to Windows computer

In order for the certificate to be imported when the browser is started, the .pem file must be copied to the user profile. You can also do this via the GPO. The certificate SecurityAppliance_SSL_CA.pem must be copied to the following two directories:

  • %USERPROFILE%\AppData\Local\Mozilla\Certificates
  • %USERPROFILE%\AppData\Roaming\Mozilla\Certificates

5. Check Firefox certificate management

To check whether everything worked, open certificate management in the Firefox settings. You should now find the Sophos certificate under the Authorities tab.

Firefox certificate management with the Sophos certificate

Info: If you want to import the certificate on a macOS or Linux system, you can find the system paths on the following page: Mozilla Wiki - Add Root Certificate to Firefox