Sophos Firewall: export certificates with private key from certificate store

When using the Web Application Firewall (WAF) of the Sophos firewalls (Sophos XG / Sophos XGS), you may create the CSR in the certificate manager of the firewall and then upload the issued certificate directly to the firewall's certificate store. However, if you want to use this certificate with other services or servers as well, you need the certificate's private key, and at first sight it is not exportable: there is no download option for certificates or private keys in the “Certificates” section. It is nevertheless possible to export the certificate together with its private key via the backup function, without any shell black magic.

How to: export certificate from Sophos Firewall

The following tutorial was made using my home lab firewall running SFOS 19.5.0 GA-Build197. The appearance of the menus may differ slightly in earlier or later versions. To extract the certificates from the configuration download you need a decompression tool that can handle TAR archives; I used 7-Zip while writing this guide.

As mentioned before, the “Certificates” section does not contain a function to download the certificate. You can only replace or delete already existing certificates.

Certificates section on a Sophos Firewall: there is no download option for certificates

However, the certificate can be exported using the “Import export” function in the “Backup & Firmware” area. In the lower part of the page (Export), select “Export selective configuration”. Then type “Certificate” in the search box, check the matching entry and add it to the selection by clicking “Apply”. Also check “include dependent entity” and click “Export” to start the export.

Certificate export via the “Import export” function in the “Backup & firmware” area of a Sophos firewall

Since this process exports all certificates, including all CA certificates, generating the export file takes a moment. As soon as the export is ready, a popup appears from which the download can be started.

The downloaded TAR file can then either be unpacked or opened directly in the file manager of an archiver such as 7-Zip.

Opening the exported TAR archive with 7-Zip File Manager

Inside the archive, the certificates are in PEM format under .\Files\CertificateFile.
The private key can be found in the archive under .\Files\PrivateKeyFile.
The required .pem and .key files are each located in numbered subfolders (see the screenshots below).

The exported .pem file does not contain the complete certificate chain; the intermediate certificates must still be attached where required.

The exported certificate in .pem format contains only the public key with no intermediate certificates.
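As an added example (not part of the original post or of any Sophos tooling), the script below takes the unpacked export, matches every .pem under Files/CertificateFile to its .key under Files/PrivateKeyFile by comparing the public keys instead of trusting the folder numbers, and writes one PKCS#12 container per pair, appending an intermediate chain file if you pass one. It assumes a local openssl, unencrypted .key files, the passphrase for the .p12 files in the P12_PASS environment variable, and the folder layout and file extensions stated above.

```bash
#!/usr/bin/env bash
# Pair the .pem certificates and .key private keys from an unpacked Sophos
# "Export selective configuration" TAR and write each pair as a PKCS#12 file.
# Layout assumed from the export described above:
#   Files/CertificateFile/<n>/*.pem   and   Files/PrivateKeyFile/<n>/*.key
# The folder numbers are not trusted to line up: a key is matched to its
# certificate by comparing the public key both of them carry.
set -eu

# pubkey_fingerprint FILE KIND   (KIND is "cert" or "key")
# Prints the SHA-256 of the DER-encoded public key; fails for other files.
pubkey_fingerprint() {
  f=$1; kind=$2
  if [ "$kind" = cert ]; then pem=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
  else pem=$(openssl pkey -in "$f" -pubout 2>/dev/null); fi || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# match_and_bundle EXPORT_DIR OUT_DIR [CHAIN_PEM]
# Writes OUT_DIR/cert-<n>.p12 for every certificate that has a matching key
# (the CA certificates in the export have none and are reported on stderr),
# appending the intermediates from CHAIN_PEM when given. The bundle
# passphrase comes from the P12_PASS environment variable. Prints the count.
match_and_bundle() {
  export_dir=$1; out_dir=$2; chain=${3:-}
  : "${P12_PASS:?set P12_PASS to the passphrase for the .p12 files}"
  mkdir -p "$out_dir"
  n=0
  for cert in "$export_dir"/Files/CertificateFile/*/*.pem; do
    [ -e "$cert" ] || continue
    cfp=$(pubkey_fingerprint "$cert" cert || true)
    [ -n "$cfp" ] || { echo "skip, not a certificate: $cert" >&2; continue; }
    idx=$(basename "$(dirname "$cert")"); found=0
    for key in "$export_dir"/Files/PrivateKeyFile/*/*.key; do
      [ -e "$key" ] || continue
      [ "$(pubkey_fingerprint "$key" key || true)" = "$cfp" ] || continue
      openssl pkcs12 -export -in "$cert" -inkey "$key" \
        ${chain:+-certfile "$chain"} -name "sophos-$idx" \
        -out "$out_dir/cert-$idx.p12" -passout env:P12_PASS
      n=$((n + 1)); found=1; break
    done
    [ "$found" = 1 ] || echo "no private key in export for $cert (CA certificate?)" >&2
  done
  echo "$n"
}
```

Run it as `P12_PASS=... ./bundle.sh` after sourcing, e.g. `match_and_bundle ./export ./out ./intermediates.pem`; the .p12 files can then be imported wherever the certificate is needed.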

Conclusion: Export is possible, but there are more practical solutions

Although a certificate export from the Sophos Firewall is possible, it is recommended to generate the CSR on a server and then import the certificate together with its private key (e.g. as a PFX/P12 container) into the firewall. Under Windows, the “DigiCert Certificate Utility for Windows” has proven to be a useful helper for this; the tool is merely a GUI around the certificate tooling built into Windows.