This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
In some situations, deploying the Root Certificate Authority (Root CA) could compromise security. You can instead use Intermediate Certificates and Intermediate Certificate Authorities (Intermediate CAs) to deploy a chain of trust.
Important
Most Smoothwall deployments do not need an Intermediate CA or Server Certificate. If you are unsure, contact Smoothwall Support to discuss your needs.
When to create Intermediate Certificates
The validity of Intermediate Certificates and Intermediate CAs is determined by the validity of the Root CA. Root Certificate Authorities are valid for 24 months. Some browsers may consider the chain of trust invalid if the Root CA expires before the Intermediate Certificates and Intermediate CAs.
Because of this, you should renew Intermediate Certificates and Intermediate CAs when you create a new Root CA. Set a reminder for the expiry date and renew the certificates before they expire to avoid service gaps.
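The following check is an added example, not part of the Smoothwall product or its documentation. It flags any certificate that outlives its issuer and any that is close to expiry, assuming you have each certificate's expiry in the format printed by `openssl x509 -noout -enddate`; the 60-day warning window, the function names and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

def parse_enddate(line):
    """Parse a line as printed by `openssl x509 -noout -enddate`."""
    value = " ".join(line.strip().split("=", 1)[-1].split())  # collapse padding in "Mar  1"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def audit_chain(chain, now, warn_days=60):
    """chain: [(name, enddate_line), ...] ordered issuer first (Root CA first).
    Returns (findings, valid_until); valid_until is the earliest expiry in the chain.
    warn_days is an assumed reminder window, not a Smoothwall setting."""
    parsed = [(name, parse_enddate(line)) for name, line in chain]
    findings = []
    # The case the article warns about: a certificate that expires after its issuer.
    for (issuer, issuer_end), (child, child_end) in zip(parsed, parsed[1:]):
        if child_end > issuer_end:
            findings.append(("OUTLIVES_ISSUER", child))
    # Anything already expired, or inside the reminder window, needs renewing.
    for name, end in parsed:
        if end <= now:
            findings.append(("EXPIRED", name))
        elif end - now <= timedelta(days=warn_days):
            findings.append(("RENEW_SOON", name))
    valid_until = min(end for _, end in parsed)
    return findings, valid_until

# Constructed sample values, not taken from a real appliance.
SAMPLE_CHAIN = [
    ("Root CA", "notAfter=Mar  1 12:00:00 2026 GMT"),
    ("Intermediate CA", "notAfter=Jun 15 12:00:00 2026 GMT"),
    ("Server Certificate", "notAfter=Feb  1 12:00:00 2026 GMT"),
]
SAMPLE_NOW = datetime(2026, 1, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings, valid_until = audit_chain(SAMPLE_CHAIN, SAMPLE_NOW)
    for code, name in findings:
        print(f"{code:16} {name}")
    print("chain valid until", valid_until.isoformat())
```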
Create an Intermediate Certificate or Intermediate CA
- You can create an Intermediate Certificate or Intermediate CA from a new or existing Root CA. If required, create a Root CA.
- Go to System > Certificates > Certificates for Services.
- Hover over the new Certificate Authority.
- Select New certificate.
- This enables you to define Server Alternate Names for cases where the Smoothwall is registered in multiple DNS domains under different hostnames or FQDNs (fully qualified domain names). Set these fields:
  - Authority: Keep this checkbox selected to create an Intermediate Certificate Authority to mint further certificates. Deselect it if you instead want to make a standard Server Certificate.
  - Enter a logical name for the new Certificate Authority, such as 'Smoothwall CA 2024'.
  - For Common Name, enter either:
    - the hostname or FQDN for Smoothwall, such as 'smoothwall.test.local'
    - 'smoothwall', where Smoothwall has a short hostname and is part of multiple domains.
  - Optionally, enter the Organisation the On-Premise Appliance belongs to.
  - Select Advanced to add the Alternate names. Enter any Server Alternate Names your Smoothwall instance may be known by, including short hostnames, FQDNs and IP addresses.
  - In Advanced, add more optional details including Email address, Department, Locality or town, State or province and Country.
- Select Save Changes.
Intermediate Certificate Authorities can then be used to create new Dynamic Certificates. The Dynamic Certificates will inherit the Server Alternate Names.