The On-Premise Appliance requires a Secure Sockets Layer (SSL) Certificate or Certificate Authority (CA) to run services.
- By default, Smoothwall Appliance Certificates use a self-signed Root CA.
- You can create new Root CAs, Intermediate CAs or Certificates, as well as the default dynamically generated system certificates, as needed.
Tip
Regularly review and renew your certificates and CAs as part of standard internet security best practices.
Without valid Certificates (that are in date and have not expired):
- Users can’t connect to the internet.
- You can’t apply Web Filtering policies that use HTTPS inspection.
- You can’t access the On-Premise Appliance Admin UI using HTTPS.
Read What are Smoothwall Certificates for more details before making any setup changes.
Check for a banner
- Sign in to the Smoothwall On-Premise Appliance Admin UI.
- Check your dashboard for a banner referencing certificates.
No banner
If you don’t see a banner, both the Root CA and Dynamic Certificates are valid and won’t expire within the next month.
You don’t need to take immediate action. Set a reminder for the expiry date and renew the certificates before they expire to avoid service interruptions.
Banner visible
If you see a banner that says ‘Warning: The Guardian CA certificate has expired.’, see Renew when the Guardian CA certificate has expired.
If you see a banner that says ‘Warning: The Guardian CA certificate will expire in X days.’, your certificates are close to expiring.
Image 1: Banner showing the certificate will expire soon.
Check certificate details
Go to System > Certificates > Certificates for Services. You will see either:
- Both the Root CA and Dynamic Certificates show expiration dates in the future.
- The Root CA will expire soon. The Certificate column shows the expiry date for the Root CA and certificates in red.
Image 2: Root CA and Dynamic Certificates are both valid.
Image 3: Root CA and Dynamic Certificates are expiring today.
Renew your certificates
To prevent certificate expiry and service interruptions, follow the same steps as in Renew when the Guardian CA certificate has expired.
- Renewing the certificates takes only a few minutes, but the installation time depends on the method you use and the number of devices.
- We recommend using your preferred MDM solution to deploy the new CA to devices. This approach lets you prepare devices before you replace the Default Root CA.
- To minimise service disruption, complete these steps outside working hours.