This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
You can change the default Certificate Authority (CA) used to create Dynamic Certificates.
Before you begin
Check you have a new CA to use as the default.
Important
You must deploy the certificate. You can either:
- Use your preferred MDM solution to deploy to your domain-joined and BYO devices.
- Share the CA certificate with users, such as via email or webpage.
- Wait until you change the default and have users access the getcert page.
Change the default
- Go to System > Certificates > Certificates for Services.
- Hover over the new CA.
- Select Set Default CA.
- Read the warning carefully. You can select Cancel or X to back out.
- Select Save. Below the new CA, you’ll see a list of newly auto-generated Dynamic Certificates; the attached services now use those new certificates.
Check your services are using the new Default CA
Go to System > Certificates > Certificates for Services and look in the Used by column. If you have reassigned any services to the original Root CA, these services will not migrate over.
To assign the services to the new Root CA, select the item in the Used by column. This will take you to either:
- Guardian > HTTPS Inspection > Settings: Ensure the Certificate Authority is set to your new CA.
- System > Preferences > User interface: Ensure the User-facing HTTPS services field or the Admin UI field is set to your new CA.