Sophos Firewall: export certificates with private key from certificate store
When using the Web Application Firewall (WAF) of a Sophos firewall (Sophos XG / Sophos XGS), you can create the CSR in the firewall's certificate manager and then upload the issued certificate directly into the firewall's certificate store. If you later want to use that certificate on other services or servers, however, you need its private key, and at first sight that is not exportable: the “Certificates” section offers no download option for certificates or private keys. It is nevertheless possible to export the certificate together with its private key via the backup function, without resorting to any shell black magic.
How to: export certificate from Sophos Firewall
The following tutorial was made using my home lab firewall with SFOS 19.5.0 GA-Build197. The appearance of the menus may differ slightly in earlier or later versions. To extract the certificates from the configuration download you need a decompression tool that can handle TAR archives. I used 7-Zip for this purpose while creating the manual.
As mentioned before, the “Certificates” section does not contain a function to download the certificate. You can only replace or delete already existing certificates.
However, the certificate can be exported using the “Import export” function in the “Backup & Firmware” area. Select “Export selective configuration” in the lower part (Export). Then search for “Certificate” in the search box, check it and add it to the selection by clicking “Apply”. Also check “Include dependent entity” and click “Export” to start the export process.
Since all certificates including all CA certificates are exported during this process, it takes a moment to generate the export file. As soon as the export is ready for download, a popup appears in which the download can be started.
The downloaded TAR file can then either be unpacked or opened with the FileManager of an unpacker such as 7-Zip.
Inside the archive, the certificates are in PEM format under .\Files\CertificateFile.
The private key can be found in the archive under .\Files\PrivateKeyFile.
The required .pem and .key files are each located in numbered subfolders. (See screenshots below)
The exported certificate file does not contain the complete certificate chain. The intermediate certificates must still be attached if required. Note also that the downloaded archive now contains private keys: store it as carefully as the keys themselves and delete it once the keys have been moved to their destination.
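Once the archive is unpacked, the remaining work is to find out which numbered .key file belongs to which .pem certificate and to reassemble the pair with the missing intermediate chain. The following script is an added example for that step and is not part of the original article; it uses the openssl CLI, compares the public key inside each certificate with the public key derived from each private key, and bundles a match plus its issuing CA into a PKCS#12 container. The host names, the demo CA and the directory tree it builds are constructed test data that mimics the Files/CertificateFile/<n> and Files/PrivateKeyFile/<n> layout of a real export.

```shell
#!/bin/sh
# Added example, not from the original article: match the .key files from
# Files/PrivateKeyFile/<n> to the .pem certificates from Files/CertificateFile/<n>
# and bundle a matched pair with its issuing CA into a PKCS#12 container.
# Requires the openssl CLI. Host names, the CA and the directory layout below
# are constructed for the demo; a real export has its own numbering.
set -eu

# SHA-256 over the SubjectPublicKeyInfo PEM; works for RSA and EC alike, so a
# certificate and a key can be compared regardless of key type.
pubkey_fp_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
pubkey_fp_key()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# find_key_for_cert CERT.pem KEYDIR: print the path of the key in KEYDIR's
# subfolders whose public key equals the certificate's, or fail if none matches.
find_key_for_cert() {
  want=$(pubkey_fp_cert "$1")
  match=$(find "$2" -type f -name '*.key' | while IFS= read -r k; do
    [ "$(pubkey_fp_key "$k")" = "$want" ] && { printf '%s\n' "$k"; break; }
  done)
  [ -n "$match" ] && printf '%s\n' "$match"
}

# build_pfx CERT KEY CHAIN OUT PASSWORD: the exported leaf is not the complete
# chain, so the intermediate/issuing CA is attached via -certfile.
build_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# pfx_subject OUT PASSWORD: subject of the end-entity certificate in the container.
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# make_demo_tree DIR: build a Sophos-like export tree (constructed test data):
# one issuing CA and two leaf certificates with their keys in numbered subfolders.
make_demo_tree() {
  d="$1"; mkdir -p "$d/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca/ca.key" -out "$d/ca/ca.pem" \
    -subj "/CN=Demo Issuing CA" -days 2 >/dev/null 2>&1
  n=1
  for host in waf.example.test mail.example.test; do
    mkdir -p "$d/Files/CertificateFile/$n" "$d/Files/PrivateKeyFile/$n"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/Files/PrivateKeyFile/$n/$host.key" \
      -out "$d/$host.csr" -subj "/CN=$host" >/dev/null 2>&1
    openssl x509 -req -in "$d/$host.csr" -CA "$d/ca/ca.pem" -CAkey "$d/ca/ca.key" \
      -CAcreateserial -out "$d/Files/CertificateFile/$n/$host.pem" -days 1 >/dev/null 2>&1
    n=$((n + 1))
  done
}

# Stand-alone run ("sh match_export.sh demo"): build the demo tree, pair every
# certificate with its key and write one .p12 per match.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d); make_demo_tree "$work"
  for cert in "$work"/Files/CertificateFile/*/*.pem; do
    key=$(find_key_for_cert "$cert" "$work/Files/PrivateKeyFile") || { echo "no key for $cert"; continue; }
    out="$work/$(basename "$cert" .pem).p12"
    build_pfx "$cert" "$key" "$work/ca/ca.pem" "$out" changeit
    echo "$(pfx_subject "$out" changeit) -> $out (key: $key)"
  done
fi
```

On a real export, point find_key_for_cert at the unpacked Files/PrivateKeyFile folder and build_pfx at the intermediate CA you obtained from your CA, not at the demo CA. Matching on the public key rather than on folder numbers or file names avoids pairing the wrong key with a certificate when the numbering of the two folders does not line up.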
Conclusion: Export is possible, but there are more practical solutions
Although a certificate export is possible on the Sophos Firewall, it is preferable to generate the CSR on a server and then import the certificate together with the private key (e.g. as a PFX/P12 container) into the firewall. Under Windows, the “DigiCert Certificate Utility for Windows” has proven to be a useful helper; the tool is merely a GUI over Windows' built-in certificate tooling.
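The same recommended workflow can be done without the DigiCert utility. The script below is an added example, not code from the original article: it generates the private key and a CSR with SAN entries on the server, lets you review the SAN before submitting the request to the CA, and, once the certificate has been issued, builds the PFX/P12 container the firewall imports. The host names and file names are assumed for illustration; the -addext option needs OpenSSL 1.1.1 or newer, and the self-signing helper only stands in for the CA so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: the recommended workflow done
# with openssl instead of the DigiCert Certificate Utility. Generate the key and
# a CSR (with SAN entries) on the server, review the CSR, and once the CA has
# issued the certificate, build the PFX/P12 container the firewall imports.
# Host names and file names are assumed; -addext needs OpenSSL 1.1.1 or newer.
set -eu

# new_key_and_csr DIR HOST [ALT_HOST ...]: EC P-256 key plus a CSR whose SAN lists
# every host name; clients validate the SAN, not the CN, so the SAN is what matters.
new_key_and_csr() {
  dir="$1"; host="$2"; shift 2
  sans="DNS:$host"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/CN=$host" -addext "subjectAltName=$sans" >/dev/null 2>&1
}

# csr_sans CSR: print the SAN entries so the request can be checked before it is
# submitted to the CA.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# pfx_for_firewall CERT KEY OUT PASSWORD [CHAIN]: certificate, private key and
# (optionally) the intermediate chain in one container for the firewall import.
pfx_for_firewall() {
  if [ -n "${5:-}" ]; then
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$5" -out "$3" -passout "pass:$4"
  else
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
  fi
}

# self_sign_for_demo CSR KEY OUT: stand-in for the CA-issued certificate so the
# script can run offline; never put a self-signed certificate on the real WAF.
self_sign_for_demo() {
  openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days 1 >/dev/null 2>&1
}

# Stand-alone run ("sh make_pfx.sh demo"): key + CSR, fake issuance, container.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  new_key_and_csr "$work" waf.example.test www.example.test
  echo "CSR SAN: $(csr_sans "$work/waf.example.test.csr")"
  self_sign_for_demo "$work/waf.example.test.csr" "$work/waf.example.test.key" "$work/waf.example.test.pem"
  pfx_for_firewall "$work/waf.example.test.pem" "$work/waf.example.test.key" "$work/waf.p12" changeit
  echo "container ready for import: $work/waf.p12"
fi
```

In practice you hand the .csr to your CA, keep the .key on the server, and call pfx_for_firewall with the issued certificate and the CA's intermediate bundle as the fifth argument. One caveat: OpenSSL 3 encrypts PKCS#12 files with AES and PBKDF2 by default, and some appliances only accept the older encodings; if an import is rejected, rebuild the container with openssl pkcs12 -export -legacy.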