Import a Public Signed Certificate to Sophos UTM Web Application Security

From Bonus Bits
Jump to: navigation, search


This article gives the steps to add a Trusted SSL Certificate to Sophos United Threat Management (UTM) 9 . To terminate HTTPS at UTM and then pass HTTP to backend web servers using Webserer Protection feature of UTM.


Combine Generated Cert with CA Cert/s CRTs

If the provider doesn't return a chain or combined file that includes your generated cert and their CA certs then you'll need to combine them into a new file.

  1. cat cert1.crt cert2.crt > combined.crt
    cat *.crt > combined.crt
    cat www_bonusbits_com.crt > combined.crt

Convert CRT to P12

  1. Convert SSL Certificate to PKCS12 format with CA Included.
    openssl pkcs12 -export -in combined.crt -inkey <private key file name>.key -out <your filename>.p12
    openssl pkcs12 -export -in combined.crt -inkey -out
    Add CA Cert (Option 2 - WIthout Combining Certs)
    openssl pkcs12 -export -in -inkey -out -certfile COMODORSAAddTrustCA.crt
  2. Enter Password

Warning.png A Password Must be Entered Or when you attempt to upload to UTM it will error.

Import to UTM

  1. Open UTM Web Console
  2. Browse to Webserver Protection | Certificate Management | Certificates
  3. Select New Certificate
  4. Name the Certificate
    1. i.e.
  5. Select Method | Upload
  6. Select File Type | PKCS#12 (Cert+CA)
  7. Select File
  8. Browse to file folder icon
  9. Select Choose File
  10. Browse local system for .p12 file
  11. Select Open | Start Upload
  12. Enter Password set during conversion (If any)
  13. Save

Add/Update Virtual Web Server

  1. Open Web Console
  2. Select Web Application Security | Virtual Web Servers
  3. Select Add/Edit
  4. Select Type | SSL (HTTPS)
  5. Select certificate
  6. ...
  7. Save

Update Existing

There isn't a direct way to replace an imported SSL cert in UTM 9. Simply add the new one with a different name and switch to the new cert. Then delete the old.