Hey sorry I should have added.  I can SSH into the switch just fine, but when I try to access via web browser, I get the error.  Again the IP did not change, so we think it has something to do with the certificate or the way it presents the certificate or key that is causing the Sophos to flag it.

I havent done one of those before.  I have only used the crypto key generate rsa general-keys modulus 1024 command in the classroom setting.  I see the crypto pki settings in the running-config.  Do I have to re-use any of that information?  After a google search, it told me to generate a new rsa key.  I went through a spare we have and when going through the crypto command, the google search said to give it a label.  Did the show command to get the label but it said that label is reserved, so I tried the command without giving it a label which I read from google will just give it the FQDN of the switch.  Before even going through that, do I need to have something specific in there, or can it be anything?  The instructions from Google tell me this:

• Generate RSA Keys: Create a new key pair for the certificate.
  crypto key generate rsa label <label> modulus 2048
• Create a Trustpoint: Define where the certificate will be stored.

  crypto pki trustpoint <trustpoint_name>
  enrollment terminal
  rsakeypair <keypair_label>
  exit
  ``` [14]

• Generate CSR: Enroll to generate the certificate request to send to your CA.
  crypto pki enroll <trustpoint_name>
• Authenticate Trustpoint: Before importing the ID certificate, authenticate the CA (paste the CA root/intermediate certificate).
  crypto pki authenticate <trustpoint_name>
• Import Signed Certificate: Import the certificate issued by your CA.
  crypto pki import <trustpoint_name> certificate

Do I have to match the trustpoint name of whats already in there?

Hey Flavio.  I tried just typing the IP into the browser, along with http://<ip> and even http://<ip>:80 for good measure and they all redirect to https and get blocked.  These were done after clearing browser caches on Edge and Chrome.

It almost looked like it worked, but then it redirected to https again and had a red line drawn through https while still failing to load and it gave a "ERR_SSL_PROTOCOL_ERROR".

There is a current certificate on the switch.  I can see it in the “crypto pki” settings.  And as far as the insecure warning, we do get that with all of our webUIs on our switches so I am familiar with that.   Just wondering now why it would be Sophos if nothing has changed about that switch other than an IOS upgrade, and the other switch with the same IOS upgrade was not affected.

Now I think I have another issue.  I went to try and redo the keys yesterday and started with the "zeroize" command but when I went back to create the new and use the same label as the one from the running-config, it didnt work because it said the label was already reserved.  I tried removing the label portion of the command and it asked for a domain name, which I didnt want to add because its not in any of the other switches.  Now not only can I not access via http/https, I also cant SSH, only telnet.  How can I restore/rebuild the key so we can atleast get back to SSH?  Also below is the output I got from wireshark.  I hope it can provide some information, but I am a bit weary sharing PCAP files on a public forum.

>>> and it asked for a domain name, which I didnt want to add <<<
domain name and hostname this must be configure before generating the key-pair

also check if the old TLS versions (1.0,  1.1) are disabled, Sophos may be configured to accept only TLS1.2 s valid?