
WAF domains will not be covered?

Perhaps I am missing something simple here, but after setting up WAF for an internal HTTPS server, I am getting the following message when I try to save the rule:

Following domain(s) will not be covered by selected HTTPS certificate

"remote.domainname.com".
1. remote.domainname.com

actual domain removed for privacy of course...

Anyways, I am not sure why the firewall will not use the cert to cover this domain. I generated a CSR with the firewall, got the cert from my provider, uploaded it, and it took it. The provider did provide to me a .crt that I opened and exported as a .cer using windows cert wizard, but that shouldn't matter, right? Also, I know that the WAF needs to have the .key file, but since I generated the CSR with the firewall, it has that already and didn't ask for it when I uploaded the cert. 

Also, I checked to make sure that my old DNAT rules do not have 443 included since I understand that I cannot have more than one firewall rule referencing that port. There are other DNAT rules still in place for non-web ports that this application accepts traffic on. 

Finally, I have set up the user portal to use a port other than 443, so I don't think there is a conflict there. 

The firewall is an XG210 running SFOS 18.0.4 MR-4



  • FormerMember

    Hey Paul, thanks for reaching out to the Sophos Community.

    If you use HTTPS (443) in the WAF rule and add the certificate, then the WAF rule will only allow you to add the domains which are defined in either the CN (Common Name) of the certificate or the SAN (Subject Alternative Name).

    If you generated the CSR with CN 'domainname.com' and nothing in SAN, then the certificate is only valid for 'domainname.com' and not for any other subdomains (remote.domainname.com, mail.domainname.com, etc.).

    You'll either need to define SAN or use a wildcard domainname (*.domainname.com).
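    To make the CN/SAN rule above concrete, here is an added Python example (written for this thread, not Sophos code, and not a reproduction of the firewall's own matching routine) that takes the Common Name and SAN entries of a certificate plus the domains entered in a WAF rule, and reports which domains would not be covered. The matching convention it assumes is the usual one for TLS server names: exact case-insensitive match, or a single-label wildcard, so `*.domainname.com` covers `remote.domainname.com` but not `domainname.com` and not `www.remote.domainname.com`. The hostnames are the thread's own placeholders, including the two SAN entries quoted later in the thread.

```python
"""Report which WAF-rule domains a certificate's CN/SAN names would cover.

Added example for the thread's CN/SAN discussion. It is not Sophos code and
does not claim to mirror the firewall's exact checks; the matching rules are
the common TLS server-name conventions (RFC 6125 style):
  - names compare case-insensitively, ignoring a trailing dot;
  - '*.example.com' matches exactly one extra label (remote.example.com),
    never the bare name (example.com) or deeper names (www.remote.example.com);
  - a wildcard anywhere other than the whole left-most label is rejected.
"""

from typing import Iterable, List


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def name_matches(cert_name: str, host: str) -> bool:
    """True if a single certificate name (CN or SAN dNSName) covers host."""
    cert_name, host = _normalize(cert_name), _normalize(host)
    if not cert_name or not host:
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        suffix_labels = suffix.split(".")
        # Reject '*.com'-style wildcards and any further '*' in the suffix.
        if "*" in suffix or len(suffix_labels) < 2:
            return False
        # The wildcard stands for exactly one label, so label counts must line up.
        return (len(host.split(".")) == len(suffix_labels) + 1
                and host.endswith("." + suffix))
    if "*" in cert_name:
        return False  # partial-label wildcards such as 'rem*.example.com'
    return cert_name == host


def certificate_names(common_name: str, sans: Iterable[str]) -> List[str]:
    """Names the firewall's message says it consults: the CN and the SAN list."""
    names = [common_name] if common_name else []
    names.extend(sans)
    return names


def uncovered_domains(domains: Iterable[str], common_name: str,
                      sans: Iterable[str]) -> List[str]:
    """Domains from the WAF rule that no CN/SAN entry matches."""
    names = certificate_names(common_name, list(sans))
    return [d for d in domains if not any(name_matches(n, d) for n in names)]


def coverage_report(domains: Iterable[str], common_name: str,
                    sans: Iterable[str]) -> str:
    """Render the result in the shape of the firewall's warning text."""
    missing = uncovered_domains(domains, common_name, sans)
    if not missing:
        return "All listed domains are covered by the selected certificate."
    lines = ["Following domain(s) will not be covered by selected HTTPS certificate:"]
    lines += [f"  {i}. {d}" for i, d in enumerate(missing, start=1)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Case 1: CSR issued with CN only (the situation described in the reply).
    print(coverage_report(["remote.domainname.com"], "domainname.com", []))
    # Case 2: wildcard SAN covers one label below the base name, nothing else.
    print(coverage_report(["remote.domainname.com", "domainname.com",
                           "www.remote.domainname.com"],
                          "domainname.com", ["*.domainname.com"]))
    # Case 3: the SAN list quoted later in the thread; the extra www entry is
    # harmless, it simply covers a name nobody uses.
    print(coverage_report(["remote.companydomain.com"],
                          "remote.companydomain.com",
                          ["remote.companydomain.com",
                           "www.remote.companydomain.com"]))
```

    To feed real values into `coverage_report`, read them off the issued certificate with `openssl x509 -noout -subject -ext subjectAltName -in cert.crt` (OpenSSL 1.1.1 or later). Whether the file is named `.crt` or `.cer` makes no difference to that command or to the firewall; both extensions are used for the same PEM or DER encodings, so re-exporting the file only changes the name, not the names inside it.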

  • The certificate was issued to the same domain that I entered into the 'Domains' field in the firewall. I have used remote.companyname.com for all of this. Also, the forwarding is working, so the rule must be doing something as there are no other rules that would forward 443 to that internal server. But, when I access the site from inside or outside and look at the cert details presented in the browser, they are the details for the cert installed on the server itself and not the one on the firewall (I can tell by the issue date). Should I not have a cert on the server?

  • How did you upload the CSR back to the firewall? 

  • I generated the CSR in the certificates section of the firewall and provided that to my provider. Once I got the cert back from my provider, I went back to that section and chose the 'upload' option next to that cert. It needed a .CER file and the provider gave me a .CRT file, so I opened the .CRT in windows and exported as a .CER and imported it. The firewall took it AFAIK. Also, when uploading there was no place to choose a .KEY file and that made sense since the CSR was generated on the firewall, it would already have the key, right?

  • Yes, that is correct, just wanted to be sure you did not simply upload the PEM/CER to the firewall as a new certificate.

  • OK, so I went back to the cert location in the firewall and clicked the edit button by the cert. It allowed me to reupload the .CER file and this time there was a blank for a private key. I did have to remove it from my firewall rule first. I uploaded the CER I got from my provider and the KEY from the initial CSR and it took it. I went back to the WAF rule, set it to SSL again, and chose that cert. This time, it added www.remote.companydomain.com to the domains window... I deleted it as that is NOT the domain that we access the web app with. We use remote.companydomain.com. There was no error when saving the rule this time, but when I go to the site I still get the cert that the server has, not the firewall cert.

    Do I somehow have the wrong type of cert? In the cert details, it lists the Subject Alternative Names as:

    DNS Name=remote.companydomain.com
    DNS Name=www.remote.companydomain.com

    Perhaps that is why it added that www version? I have it but I don't need it?

  • The CSR and my certificate both had a subject alternative name of remote.companyname.com. The certificate provider also adds in www.remote.companyname.com for compatibility reasons I guess, but neither the firewall nor any visitors use the www version.

    My previous responses with explanations and screenshots should prove to you what I'm claiming.

    Any other ideas? I really don't want to have to get on the phone with Sophos support for three or four hours or more.

  • Same thing is happening with me.

    I have a certificate with two subjects, the WAF always gives an error saying the second SAN isn't covered by the certificate. (Only shows one.)

    But if I create a WAF rule with it and bypass the warning, the certificate will be used as expected. (Without any errors for the end user, but the firewall will still scream at you.)

    Can you try to create the WAF Rule with the certificate and bypass the warning? After it, report back here in the thread.

  • Thing is, the firewall is not giving me an error any longer when I save the rule. For all intents and purposes, the WAF rule is working since I can reach my internal server and there are no other rules that would be forwarding 443 to my server. The only issue is, the cert that my browser gets is the cert from the server itself and not the cert in the WAF. I can tell by the issue dates because the SANs are the same (remote.companyname.com). This makes me think that the rule may be forwarding traffic but not actually doing any protection.

  • Check the reverseproxy.log or the log viewer to see if there is any WAF traffic.