Summary
This article explains what to do if you see certificate errors when browsing to secure (HTTPS) websites.
Problem
After enabling HTTPS Decrypt and Inspect, you get certificate warning messages and errors, which in some cases stop you from accessing the site entirely.
One cause of this is that the browser does not have the Man-in-the-Middle certificate authority issued by the Smoothwall in its trusted root certificate store.
Solution
If no certificate authority exists or the existing one has expired, a new Certificate Authority needs to be created.
To create a new root certificate:
- Go to System > Certificates > Certificates for services.
- From the Certificates section heading, click New root CA. The Add new root Certificate Authority dialog box is displayed.
- In the Name field, give the certificate a user-friendly name.
- The Common name field should be set to the Smoothwall’s fully qualified domain name (this can be found by going to System > Preferences > Hostname).
- Click Save changes.
To change the default certificate authority:
- Go to System > Certificates > Certificates for services.
- Hover over the newly created CA, and click Set default CA.
- Ensure that all services are using the newly created root CA. If any of the services are still using another CA, click the links under the Used by column.
- Select the root CA to be used for Guardian HTTPS inspection:
  - Click the Guardian HTTPS inspection link or go to Guardian > HTTPS inspection > Settings.
  - In the Manage HTTPS interception certificates section, from the Certificate Authority drop-down list, select the new root CA.
- To export the certificate from the Smoothwall and import it to your browser:
  - Go to http://<IPAddress_or_Hostname>/getcert
  - Click the Download Certificate button.
  - Select your browser/operating system to import the certificate.
- To distribute the certificate through Group Policy Object, see: Automate Certificate Installation with Active Directory When Using SSL Login
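The checks below are an added example, not part of the original article or of Smoothwall's tooling: before importing or distributing the file downloaded from /getcert, they use OpenSSL to confirm that it is an unexpired CA certificate whose common name matches the Smoothwall's hostname, and print its SHA-256 fingerprint. The function name check_ca_cert and the script and file names are assumptions.

```shell
#!/bin/sh
# Added example (not Smoothwall code): sanity-check a downloaded CA certificate
# before importing it into a trust store or a Group Policy Object.
# Usage: check_ca_cert <pem-file> <expected-common-name>
check_ca_cert() {
    cert=$1; expected_cn=$2; rc=0

    # The file must parse as a PEM-encoded X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: $cert is not a PEM X.509 certificate"; return 2
    fi

    # An expired CA is one of the two reasons the article gives for creating a new one.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "OK:   not expired ($(openssl x509 -in "$cert" -noout -enddate))"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # The article sets Common name to the Smoothwall's FQDN; compare case-insensitively.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$(printf %s "$cn" | tr 'A-Z' 'a-z')" = "$(printf %s "$expected_cn" | tr 'A-Z' 'a-z')" ]; then
        echo "OK:   common name is $cn"
    else
        echo "FAIL: common name is '$cn', expected '$expected_cn'"; rc=1
    fi

    # Only a certificate with basicConstraints CA:TRUE can act as a root CA.
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "OK:   basicConstraints CA:TRUE"
    else
        echo "FAIL: not a CA certificate"; rc=1
    fi

    # Print the fingerprint so it can be compared with a value obtained separately.
    openssl x509 -in "$cert" -noout -fingerprint -sha256
    return $rc
}

# Run the checks when called as: sh check_ca_cert.sh <pem-file> <expected-common-name>
if [ "$#" -ge 2 ]; then check_ca_cert "$1" "$2"; fi
```

Because the download URL above uses plain HTTP, compare the printed fingerprint with one taken from the same certificate over a trusted channel before distributing it.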