
WAF - Interface hangs when signed CSR is uploaded - XG v17.1.2 MR2

Hi

I'm a relatively new Sophos XG user running XG v17.1.2 MR2 on a home-built server. It's been a steep learning curve but I now have the XG running as I want. I love the flexibility it provides!

Currently I run an Apache web server at home for my wife's business and noticed it's been targeted for bot attacks. I can mitigate some of these at a firewall level or by blocking IPs, but the IPs keep changing. I can also try to block these at an Apache level... However, I've decided to try and implement the Sophos WAF.

I can add a WAF Business firewall HTTP rule without an issue, but I run SSL on the web server, so I need to upload an SSL certificate. I request a CSR from Sophos XG (under Certificates) and get it signed with ZeroSSL or Comodo SSL (both have the same issue). I download the root CA & intermediate CAs and import them to Certificates > Certificate Authority. They import fine.

I then import the signed SSL certificate. It imports and shows a green tick under the authority column. Everything is fine so far!

I go back to Firewall > Add Firewall Rule > Add business application rule - the page loads fine. The problem occurs as soon as I select any Application Template that has a certificate, including a WAF - I just get the Sophos spinning waiting timer, which never loads... I can refresh the interface and log in again, delete the newly added signed CSR and the WAF WILL load, but I have no certificate to select!!!!

Interestingly, a self-signed certificate doesn't cause the issue!

I've tried:
- Multiple machines / browsers / mobile phones
- Various certificate authorities...
- Reverting to a backup from when I first set up Sophos XG 3 months ago, which is pretty much vanilla...
- Uploading the web server certificate and associated root/intermediate certs using Certificate > Add > Upload certificate - the authority has a green check, the new business rule loads, but my newly added certificate isn't in the drop-down menu to proceed with the WAF firewall rule...

I'm stuck on what to try next. Any help would be appreciated. I'm wondering if other people have this issue? I'm even seriously considering trying UTM instead...

Thanks for any responses in advance.

  • Just in case this helps anyone else....

    I was able to make the WAF work after hours of experimentation... The issue seems to be that Sophos REQUIRES the certificate to be generated with Encryption enabled to overcome this ‘hang’ issue.

    Sophos KB:

    https://community.sophos.com/kb/en-us/123040

    However, the signed certificate from Let's Encrypt / ZeroSSL is not provided in a PFX format, and therefore does not have the private key or password/phrase... Without it, the Sophos web interface hangs once the .pem certificate is imported (successfully according to the Certificates page).

    The workaround I found was to convert the private key (from Sophos), password (again from Sophos) and signed certificate (from LE) to a PFX format using the command:

    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

    Once completed, I was then able to import the certificate as a .pfx and the Sophos WAF rule no longer hangs when trying to create the rule…

    I don’t fully understand why it imports successfully in *** .pem *** format yet the Sophos egg timer just spins when adding a WAF rule… I’m sure there is a bug there somewhere…

    Hope this helps others.

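The PFX conversion from the reply above, as an added example that is not part of the original thread: it checks that the private key actually belongs to the signed certificate before bundling (a mismatched pair is a common reason an import misbehaves), adds the intermediate chain with `-certfile`, sets an export password that you then give the appliance on import, and parses the result back to confirm it is readable. File names (`privateKey.key`, `certificate.crt`, `chain.crt`, `certificate.pfx`) and the demo inputs are assumptions; the demo generates a throwaway self-signed key and certificate so it runs offline.

```shell
#!/bin/sh
# Bundle a private key and its CA-signed certificate into a PKCS#12 (.pfx)
# file, including the intermediate chain, then sanity-check the result.
# File names are placeholders, not Sophos or CA conventions.
set -eu

# Throwaway demo inputs so the script runs offline. The self-signed cert stands
# in for the CA-signed one and doubles as the "chain" (constructed, demo only).
make_demo_inputs() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.example.invalid" \
        -keyout "$dir/privateKey.key" -out "$dir/certificate.crt" 2>/dev/null
    cp "$dir/certificate.crt" "$dir/chain.crt"
}

# build_pfx KEY CERT CHAIN OUT PASSWORD
# Returns 0 only if the key matches the cert, the PFX was written, and it
# parses back with the same password.
build_pfx() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
    # Compare the public key derived from the private key with the one inside
    # the certificate; works for RSA and EC keys alike.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "private key does not match certificate $cert" >&2
        return 1
    fi
    # -certfile appends the intermediate(s) so the appliance receives the
    # full chain; -passout sets the import password.
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" \
        -certfile "$chain" -passout "pass:$pass" || return 1
    # Read it back with the same password; fails if the MAC or format is bad.
    openssl pkcs12 -in "$out" -noout -passin "pass:$pass"
}

# Usage: ./build_pfx.sh --demo   (runs with constructed inputs)
if [ "${1:-}" = "--demo" ]; then
    make_demo_inputs ./demo
    build_pfx ./demo/privateKey.key ./demo/certificate.crt ./demo/chain.crt \
        ./demo/certificate.pfx 'change-me' && echo "wrote ./demo/certificate.pfx"
fi
```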