
Resolving SSL certificate selection problems in Sophos VPN

I had this problem twice on different Sophos boxes. I installed a signed SSL certificate, tried to assign it to the SSL VPN, and the drop‑down only showed ApplianceCertificate. The firewall would not let me pick the new cert. The VPN kept presenting the old certificate. Below I list what to look for, how to diagnose, and the concrete fixes that work.

What you see

Symptoms are consistent. The SSL Certificate Selection menu in the VPN settings won’t list the cert you just uploaded. You expect to see the new certificate in the “Select server certificate” box. Instead you see lines like:

  • “Only ApplianceCertificate available in dropdown”
  • “SSL VPN – Certificate Verification Failed” (log title)

The GUI behaviour looks like this: you upload a cert, Certificates > Certificates shows the item, but VPN > Show VPN settings > SSL server certificate only contains ApplianceCertificate. The expected behaviour is that the uploaded cert appears in that dropdown so you can select it for the VPN.

You might also see client-side errors when connecting, for example the VPN client complains the server certificate does not match, or the browser/user portal still shows the old cert. Those are symptoms of the firewall presenting the wrong cert during the TLS handshake.

Where it happens

Check these GUI places in this order:

  • Certificates > Certificates. This is where the firewall lists imported certs and keys. Confirm the cert appears here and check the fields shown.
  • VPN > Show VPN settings. Open the SSL VPN settings and expand the server certificate selector; this is where the SSL Certificate Selection must be made.
  • Certificate management sections used by Admin Console or WAF. Sometimes the cert is visible to one feature and not another.

Sophos documents how the SSL VPN uses the server certificate and how to upload certificates, so check the official guidance on SSL VPN settings and on adding certificates to the appliance.

If the certificate shows under Certificates > Certificates but not in the VPN selector, the cause is one of three things: a certificate type or usage mismatch, a missing private key, or a naming conflict with the ApplianceCertificate.

Find the cause

Work through these checks in order; each one lists the command to run and the expected versus actual result.

1) Verify private key presence

  • Expected: cert entry in the GUI shows a private key attached or the file is a PKCS#12 import.
  • Quick test off the appliance: export the cert file and run locally:
    • openssl x509 -in cert.pem -noout -text
    • openssl pkcs12 -info -in cert.p12
  • If openssl reports the cert but no private key, the import was incomplete. That causes the firewall to list the cert but not make it available for server use.

2) Confirm subject name / SAN matches VPN FQDN

  • Expected: CN or SAN contains the public FQDN clients connect to.
  • Actual mismatch will make clients reject the cert even if selected.

3) Check certificate type and conflicts

  • Symptom: the only selectable cert is ApplianceCertificate. The root cause is often a duplicate FQDN or an existing appliance certificate with the same name; Sophos will refuse to replace or show a conflicting cert.
  • Another cause: the cert was imported for webserver only, not for appliance/server use. The Certificates UI lets you set usage; if that usage is wrong, the SSL Certificate Selection for VPN won’t list it.

4) Character set or format problems

  • Some Sophos versions have strict character support in certificate fields. Using non‑Latin characters in CN/SAN may block selection.

5) Logs

  • Check Logs & Reports > View local log files and inspect system and VPN logs.
  • Look for exact entries like “Certificate Verification Failed” or errors mentioning “private key missing” or “cannot load certificate”.
  • Expected: no certificate load errors when the cert is valid.
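Checks 1 to 3 above can be scripted and run on your workstation before you touch the firewall. This is an added example, not from the original post: it assumes openssl 1.1.1 or newer, and the file names, PKCS#12 password and FQDN are placeholders you pass as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: pre-import checks for a
# certificate bundle, run on a workstation with openssl 1.1.1 or newer.
# File names, passwords and the FQDN are placeholders you pass as arguments.

# Cause #1: does the PKCS#12 really carry a private key?
# Usage: p12_has_key bundle.p12 'p12-password'
p12_has_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# For PEM pairs: does the key belong to the cert? Compare their public keys.
# Usage: key_matches_cert cert.pem key.pem
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Cause #2: does the CN or a DNS SAN name the FQDN clients connect to?
# Exact match only; wildcard names are not handled here.
# Usage: cert_covers_fqdn cert.pem vpn.example.com
cert_covers_fqdn() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
    | grep -Eq "(CN ?= ?|DNS:)$esc(,|\$|[[:space:]])"
}

# Is the cert still valid N seconds from now (default: right now)?
# Usage: cert_not_expired cert.pem [seconds]
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run the PEM checks together; one line per check, non-zero if any fail.
# Usage: check_cert_bundle cert.pem key.pem vpn.example.com
check_cert_bundle() {
  fails=0
  key_matches_cert "$1" "$2" && echo "PASS key matches cert" \
    || { echo "FAIL private key does not match cert"; fails=$((fails+1)); }
  cert_covers_fqdn "$1" "$3" && echo "PASS CN/SAN covers $3" \
    || { echo "FAIL CN/SAN does not cover $3"; fails=$((fails+1)); }
  cert_not_expired "$1" && echo "PASS cert not expired" \
    || { echo "FAIL cert expired"; fails=$((fails+1)); }
  return $fails
}

[ $# -eq 3 ] && check_cert_bundle "$@"
```

A PKCS#12 that fails p12_has_key is exactly the "listed but not selectable" import described above; fix the bundle before re-importing it.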

Fix

Follow these steps in order. Do only what applies.

1) Re-import the certificate correctly

  • Prefer a PKCS#12 (.p12/.pfx) that contains the certificate and private key. On your workstation confirm the p12 with openssl pkcs12 -info -in file.p12.
  • In Certificates > Certificates choose Add and import the PKCS#12. Give it a clear name.
  • If you only have PEM files, import both cert and key together and verify with openssl x509 -in cert.pem -noout -text.

2) Resolve appliance name conflicts

  • If an existing ApplianceCertificate uses the same FQDN, delete or rename the old entry first. On some SFOS versions the old appliance cert blocks replacement with the same FQDN. Remove the old certificate only after confirming it is safe to do so during a maintenance window.

3) Make the cert available to services

  • After import, open VPN > Show VPN settings and expand the SSL server certificate selector. The new cert should appear. Select it and click Apply.
  • If it still does not show, disable SSL VPN, apply, then re-enable it. Some config changes only take effect when the service restarts.

4) Adjust firewall rules

  • Confirm WAN->Firewall rule allows TCP 8443 (default SSL VPN port) to reach the firewall. If NAT or port changes hide the service, the VPN handshake may not reach the code path that presents the chosen certificate.
  • If you changed the VPN port, test connections on the new port.

5) Restart or reapply services

  • Rather than a full reboot, toggle SSL VPN off then on in VPN > Global and click Save. If the appliance still behaves oddly, plan a maintenance reboot.

Root cause I see most often: missing private key on import or a name conflict with the existing ApplianceCertificate. Re-importing as PKCS#12 and making sure the firewall knows it is a server/appliance cert fixes 9 times out of 10.

Check it’s fixed

Do these verification steps and record expected vs actual.

1) Verify certificate selection in GUI

  • Expected: VPN > Show VPN settings > SSL server certificate shows the new cert name.
  • Actual (after the fix): the dropdown lists the new cert and it stays selected after Apply.

2) Live test TLS handshake

  • From a client or laptop:
    • openssl s_client -connect firewall.example.com:8443 -servername firewall.example.com
  • Expected: the server presents the new certificate chain. Confirm the CN/SAN and validity dates returned by openssl match the cert you uploaded.
  • Actual mismatch indicates the appliance still serves the old cert.
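The handshake test in step 2, as an added script rather than the post's own command: it fetches the leaf certificate the firewall presents for the SNI name, prints its subject, SAN and validity dates, and compares its SHA-256 fingerprint with the PEM you uploaded. The host name, port and file names are placeholders and it assumes openssl on the client.

```shell
#!/bin/sh
# Added example, not from the original post: confirm the firewall really
# presents the certificate you uploaded, using openssl on a client machine.
# Host name, port and the uploaded PEM file are placeholders passed as arguments.

# Leaf certificate the server presents for the given SNI name, as PEM.
# Usage: served_cert firewall.example.com 8443 > served.pem
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# SHA-256 fingerprint of a PEM certificate file, e.g. AB:CD:...
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Are two PEM files the same certificate? Compares fingerprints, not bytes.
same_cert() {
  a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full check: fetch, show CN/SAN and validity, compare with the uploaded cert.
# Returns 0 on a match, 1 if the old (or no) certificate is still served.
# Usage: verify_served_cert firewall.example.com 8443 uploaded.pem
verify_served_cert() {
  tmp=$(mktemp) || return 1
  if ! served_cert "$1" "$2" >"$tmp"; then
    echo "no certificate received from $1:$2 (wrong port, NAT, or SSL VPN down?)"
    rm -f "$tmp"; return 1
  fi
  echo "served by $1:$2:"
  openssl x509 -in "$tmp" -noout -subject -ext subjectAltName -dates
  echo "served   fingerprint: $(cert_fingerprint "$tmp")"
  echo "uploaded fingerprint: $(cert_fingerprint "$3")"
  if same_cert "$tmp" "$3"; then
    echo "MATCH: the firewall presents the uploaded certificate"; rm -f "$tmp"; return 0
  fi
  echo "MISMATCH: the firewall still serves a different certificate"; rm -f "$tmp"; return 1
}

[ $# -eq 3 ] && verify_served_cert "$@"
```

A MISMATCH after Apply means the appliance is still serving the old cert; go back to step 3 of the fix and toggle the SSL VPN service.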

3) Test VPN connectivity

  • Authenticate and establish an SSL VPN session. Check that the VPN client sees no certificate warnings and the tunnel comes up.
  • Expected: connection established, no cert name mismatch.

4) Monitor logs for errors

  • Search system and VPN logs for “Certificate Verification Failed” or “private key missing”.
  • Expected: no certificate load or verification errors during client connections.

Takeaways

  • If the cert is visible in Certificates but not selectable for the VPN, check the private key and certificate purpose first.
  • Import as PKCS#12 where possible.
  • Check for FQDN conflicts with ApplianceCertificate before replacing.
  • Use openssl s_client locally to confirm the firewall actually presents the expected certificate.