Download Certificate as p12

Since SFOS 18.0.5 (18 MR5) it is no longer possible to download self-signed certificates as a .p12 certificate (certificate with private key).

It is only possible to download the certificate as .crt without the private key.

Does anyone have an idea how to do that with 18 MR5?



  • There is no reason to export the private key anymore. If you want to do a CSR, you can create the CSR and upload the signed PEM to the XG firewall, which will import the private key. 

    Why do you want to have the private key? Every export of a private key means a potential security risk. 

  • We use, in one scenario, self-signed certificates created by the Sophos router as VPN certificates for VPN connections between Sophos and Lancom routers. The Lancom router accepts the VPN certificate only as p12 or pfx.

    Until 18.0 MR4 it was possible to create a self-signed certificate in the Sophos and download it as a p12 certificate.

  • Yes, and this was disabled due to security concerns. See: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-xg-firewall-v18-mr5--build-586-is-now-available

    Certificate Management and Security

    • Form enhancements for creating certificate signing requests and certificates
    • Enhanced security for private keys
    • Upload/download support for PEM format certificates
    • Enhanced workflows for certificate management

    I have to say: the firewall is not a CA to generate your certificate, which you can use everywhere. So actually you should import the CA of the Lancom router to get this one trusted and import the public certificate to the XG firewall.

    This process of "creating a public + private key on the firewall and exporting it to another product" is somewhat clunky and risky to do in the first place. Certificates are meant to be dealt with differently.
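The two replies above (the first one, which says to create a CSR and upload the signed PEM, and this one, which says the peer's CA and public certificate are what belong on the firewall) describe the same workflow: generate the private key where it will be used, move only public material (CSR, signed certificate, CA certificate) between systems, and build a PKCS#12 bundle, if a device insists on one, on the device that already holds the key. The script below is an added example, not code from the thread or from Sophos; it uses a scratch directory, a hypothetical lab CA, the hypothetical peer name "lancom-vpn" and the password "changeit", all of which are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: CSR-based issuance with openssl. The private key is created on the
# device that will use it and is never exported from another product.
set -eu

# Assumption: a scratch directory for everything generated below.
WORK="${WORK:-$(mktemp -d)}"

# 1. A private CA that you run yourself (the thread's point: the firewall is not your CA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. On the device that will present the certificate (the Lancom side of the VPN in the
#    thread), generate the key pair and a CSR. Only the CSR, which is public, leaves it.
make_csr() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# 3. The CA signs the CSR. The resulting PEM (plus ca.crt) is what gets uploaded to the
#    XG firewall as the peer's certificate/CA, or returned to the device that made the CSR.
sign_csr() {
  name="$1"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -out "$WORK/$name.crt" 2>/dev/null
}

# 4. If a device only accepts PKCS#12, build the .p12 on the device that holds the key.
#    Nothing here requires a private key to be downloaded from the firewall.
bundle_p12() {
  name="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$pass" \
    -out "$WORK/$name.p12"
}

# Checks a practitioner would run before deploying: chain validity, key/cert match,
# and that the bundle actually carries the private key the peer expects.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

key_matches_cert() {
  k=$(openssl pkey -in "$WORK/$1.key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

p12_has_key() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

main() {
  make_ca
  make_csr lancom-vpn
  sign_csr lancom-vpn
  bundle_p12 lancom-vpn changeit
  verify_chain lancom-vpn
  key_matches_cert lancom-vpn
  p12_has_key lancom-vpn changeit
  echo "ok: artifacts in $WORK"
}

main
```

Run it on a workstation to see the files; in practice steps 2 and 4 run on the VPN peer and step 3 on the CA host, so the .key file never has to travel. With OpenSSL 3 the bundle is written with AES-256 and PBKDF2; some older appliances only read the legacy RC2/3DES encoding, in which case add `-legacy` to the `openssl pkcs12 -export` call.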

  • Thank you, that helps us. We will come up with another solution in this scenario.

  • I have to say: The firewall is not a CA to generate your certificate, which you can use everywhere.

    In my opinion, the firewall is the perfect candidate for being a central CA. All my devices have the root CA trusted, and so that trust is extended by issuing CA-signed certs issued by the firewall. Like Erik, I use locally signed certificates (with private keys) in this way.

    The bottom line is there are still valid reasons for exporting the private key for locally generated certs from your own default CA. It would be great if there was an option to restore the download/export functionality. Thanks.

  • I disagree about the use case. Generally speaking: you should not export private keys anywhere. CSRs are the way to interact with certificates.

    A firewall is not a centralized CA to sign all CSR for you. 

    If you want to work with a CA, you should build up a CA on your own and not use the firewall for such purposes. There are too many use cases not covered by a firewall product.

    Maybe in the future the firewall will be able to sign CSRs for you, if Sophos is going in this direction, but as of now it is not a good "workaround" to replace an official CA.

  • To each his own, my use case fits me fine. On the other hand, I don't have extra resources for dedicated services like a CA host.

    All I'm asking for is to bring back the ability to export private keys which are mine -- and let's not forget we used to be able to.

    By all means continue to go against your customers and watch the competitors pass you by.

  • Security is always a question of how to protect this. First harden the system, then think of ways to enhance the security and get features like exports back. But right now, the first priority should always be security.