Captive Portal certification warning

Sure. In fact you can use a public certificate for all (usable) facilities. (excluded is HTTPs inspection). 

You need to simply upload the certificate with a privat key. 

Thanks LuCar for your response.

But I opened a case with Sophos and the support engineer told me it is not possible to use public certificate with captive portal, so I need to make sure.

This should be possible.

Please advice FloSupport to review your Case. 

I am pretty sure, there was a miscommunication. 

Ok, if I want to use public certificate, do I need to redirect users with hostname of XG instead of IP of internal interface ?

What do you mean with redirect? 

I am not sure, we are talking about the same... 

All Facilities of XG can be reached by IP or a hostname. You can specify this hostname in XG itself.

So basically, you can reach XG webadmin with 172.16.16.16:4444 or XG:4444 (if XG is known as a DNS record). 

If you have bought a Certificate for hostname 'XG', you can use this certificate. 

There is an KBA for this.

https://community.sophos.com/kb/en-us/127287

And they even talk about the Captive Portal .

What do you mean with redirect? 

Ok LuCar, I will give you all the scenario.

I have a guest users and they will access internet via Captive Portal, but the problem here is that they will have a certificate warning, I need to overcome this error, what can I do ?

please, take in your consideration, that I don't have administration access to users machines.

Hi mostafa hasanin 

As Lucar mentioned, you could upload a publicly signed certificate as per the KBA: https://community.sophos.com/kb/en-us/127287

I will explain this process a little bit more.

After connecting to a wireless, most mobile OS system will open a HTTP site (iOS, Android etc.)

https://apple.stackexchange.com/questions/328370/how-captive-apple-com-is-used-by-non-apple-devices

There is a reason for using http://captive.apple.com - You can redirect this request easily to a http / https captive portal. 

https://community.sophos.com/kb/en-us/123592

You would not be able to redirect a https request. So to speak, if the client would open a https page first, you are "screwed". But most operating systems have those builtin technology to detect a non working internet connection and using a http request to get a portal.

This portal can be https.