If you’re using the Sophos UTM9 as a reverse proxy then you will need to install certificates on the UTM to present to the client when they are browsing those secured sites. The UTM will need the file in the pkcs12 format.
Generate the file from your pem encoded certificates using openssl:
openssl pkcs12 -export -in <the file you got from the signing company>.crt -inkey <private key file name>.key -out <your filename>.p12
Sophos UTM9 Reverse Proxy Certificates