SCEP to renew certificates
When you need to manage multiple XG devices, you can use SFM to simplify your life.
If you need to use a certificate (on IPsec VPN, WAF, etc...) it's possible to upload or create a CSR under System > Certificates.
But, you need t manually renew all certificates when it's close to expire! If you manage 300 XG devices, you will need to manually renew all certificates, and access each device, to update and remember where you used a certificate that needs to be renewed.
There is the SCEP (https://www.ietf.org/proceedings/69/slides/pkix-3.pdf), supported by a wide range of CA (Cisco, Microsoft, Entrust, RSA, Netscape CA, Verising, etc..).
It allows to each device to renew the certificate when it's close to expire.
It's a must have feature on enterprise environments with security in mind (and to simplify - a Sophos slogan right?).