Certificates and Certificate Authorities (CAs) ensure Smoothwall On-Premise Appliance provides secure web filtering, encrypted communication, and service authentication.
If you haven’t deployed certificates correctly or don’t have them set up, your end users will see errors and warnings on the Block page or SSL Login page because the device doesn’t yet know or trust the Smoothwall CA.
Tip
You don’t need to manage certificates when using Cloud Filter, as it operates within the browser.
How do certificates keep data safe?
A certificate (self-signed or signed by a CA) verifies a server or service's identity. It ensures that when you connect to a website, you reach the genuine site and not an impersonator.
A Certificate Authority (CA) issues and verifies that Certificates have been issued to the correct recipient. CAs can be known authorities or self-signed, such as the CAs you can set up in Smoothwall. Clients (such as browsers) won’t trust the Certificates issued by self-signed CAs unless they trust the CA.
As an analogy, imagine trying to access a nightclub:
- You show security a self-portrait. They don’t accept it because it’s a self-signed certificate, issued by an authority that isn’t trusted.
- You show your driver’s licence. Security accepts this because it was issued by the Government (a recognised trusted certificate authority).
- You show a club membership card. Security accepts it because they already trust the self-signed CA (the club) that issued it.
To secure encrypted connections, certificates and CAs use public key cryptography:
- Public keys can be shared freely and are used to encrypt data and verify a certificate signature.
- Private keys are kept secret by the owner (typically a server) and are used to decrypt data encrypted with the public key and to create certificate signatures.
Types of Certificates and CAs in Smoothwall
Smoothwall supports different types of certificates and ways of working with CAs. These are categorised by their purpose and where they are managed within the Smoothwall interface.
Smoothwall Certificates for services
You can create self-signed CAs. Using your default CA, you can generate dynamic certificates for various core services that are automatically updated when configurations change (such as when your hostname changes).
- HTTPS Interception Certificate Authority: This CA must be installed on every device accessing the Internet through the Smoothwall to prevent certificate errors and allow HTTPS Inspection.
- Admin UI Certificate: This is used to encrypt access to the Smoothwall Admin UI via port 441.
- User HTTPS Services Certificate: This is used for SSL Login Pages and other user-facing HTTPS services except for HTTPS Inspection.
- User Identification Certificate: This is used by the Global Proxy to authenticate users.
- Auth Certificate Authority: This was used to support a database from Maiden-4 to Maiden-11 and is no longer used. You can ignore this dynamic Certificate.
CAs to validate websites for Web Filtering
Smoothwall includes trusted CAs for all major certificate issuers, the same ones your operating system and browser use.
You can import third-party CAs from other sources to allow the Smoothwall web filter to validate HTTPS websites that are not signed by these trusted authorities. This is usually only needed for internal sites or if you use multiple filtering products.
VPN Certificates
VPN certificates and CAs are managed in a separate area and are used to authenticate both SSL and IPSEC connections.
- You can create one local VPN CA or import them from other sources.
- Any SSL VPN certificates you create will use your local CA.
You can then export the certificate to link Smoothwalls or export the certificate or CA for use on other systems.