Download Certificate as p12

There is no reason to export the private key anymore. If you want to do a CSR, you can create the CSR and upload the signed PEM to the XG firewall, which will import the private key. 

Why do you want to have the private key? Every export of a private key means a potential security risk. 

We use in one scenario self-sign certificates create by sophos router as VPN-Certifiacte for vpn-connections between Sophos and lancom router. The lancom router accept the vpn-certifate only as p12 or pfx.

Until 18.0 MR4 it was possible to create a self-sign certifiacte in the sophos and download it as p12-certifiate.

Yes and this was disabled due security concerns. See: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-xg-firewall-v18-mr5--build-586-is-now-available

Certificate Management and Security

• Form enhancements for creating certificate signing requests and certificates
• Enhanced security for private keys
• Upload/download support for PEM format certificates
• Enhanced workflows for certificate management

I have to say: The firewall is not a CA to generate your certificate, which you can use everywhere. So actually you should import the CA of the Lancom router to get this one trusted and import the public certificate to XG firewall. 

This process of "creating a public + private key on the firewall and export it to another product" is somewhat clunky and risky to do in the first place. Certificates are meant to deal with differently. 

Thank you, that helps us. We come up with another solution in this scenario.

Thank you, that helps us. We come up with another solution in this scenario.