Certificate authorities (CAs) generated on a Smoothwall for HTTPS inspection have a standard lifetime of three years (for the background on shrinking certificate lifetimes, see the Entrust Datacard article, Maximum Certificate Lifetime Drops to 825-days in 2018). A CA must be replaced before it expires: once it has expired, browsers reject every certificate the Smoothwall issues under it, and HTTPS inspection breaks for all users. Here are the best practices for generating a new CA and a checklist to follow:
- Create a new CA.
- Export and push the new CA to domain devices.
- Optional: Replace the CA on any external resources made available for BYOD devices.
- Optional: Send your users an email with the new CA attached for them to import on their own devices.
- Optional: Create a custom certificate for the user-facing HTTPS services. A certificate is generated automatically during this process, but a custom one lets you list every host name and IP address by which users reach the Smoothwall, so that none of them triggers a browser identity warning.
- Set the new CA to be the default CA as well as the CA used for HTTPS inspection and change the user facing HTTPS services certificate to the new one.
- To create a new CA, in the Smoothwall, on the SYSTEM menu, under the Certificates submenu, click Certificates for services.
- To create a completely new CA, click New root CA. When creating a CA, we recommend that you add proper ownership information (organisation, department, country and so on). It is not mandatory, but it helps both administrators and users identify where the CA and the certificates issued from it came from, and it is what users will see when they inspect the CA in their browser or certificate store.
- Enter a descriptive Name and use the same value for the Common Name.
- Click Advanced» to expand the advanced section and fill in the remaining ownership details.
- Click Save changes and check the new CA in the certificate list.
For more information please see our help topic: Adding a root certificate authority.
Preparing the switch-over
Before you can set the new CA as the default and as the one used for HTTPS inspection, you need to push the CA to the domain devices and make it available to BYOD users. Replace the CA on any web page link you have created on your own homepage. The HTTPS CA download page on the Smoothwall needs no attention, because it switches over automatically once you set the new CA as the HTTPS inspection CA.
Optionally, send out an email with the new CA attached as well as installation instructions.
Note: The old CA does not need to be deleted from end user or domain devices; it simply stops being usable when it expires. The one exception is a CA you are replacing because its private key may have been exposed: a still-valid CA that devices trust can sign certificates for any site, so in that case remove it from the devices as well.
Optionally, you can create a custom certificate and use it for the user-facing HTTPS services on the Smoothwall. One is generated automatically when you set the new CA as the default CA, but a custom one can carry all the variations of IP addresses and host names that users type to reach the Smoothwall, which avoids identity errors in browsers. To do this, go through the following steps:
- Place your mouse cursor over the new CA in the certificates list and click New certificate.
- For the Authority option, clear the "Allow this certificate to sign others" selection, so that the result is an end-entity certificate and not a second CA.
- Enter a descriptive Name.
- Enter the Smoothwall's host name for the Common name.
- Click Advanced» to expand the advanced section and, for the Alternate Names, enter every host name and IP address by which the Smoothwall can be reached, one value per line. These become the identities embedded in the certificate, so whether a user connects by IP address, short host name or fully qualified name, the address in the browser matches an identity in the certificate and no mismatch warning appears.
The list should contain, one per line, the Smoothwall's fully qualified host name, its short host name and each IP address it answers on.
- Enter any other optional information for the advanced section and click Save changes.
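As an added example that is not Smoothwall's own code, the script below reproduces with the openssl command line what the New root CA steps and the custom certificate steps above generate: a root CA carrying ownership details and the three-year lifetime the article describes, and an end-entity certificate for the user-facing services that cannot sign others and lists every host name and IP address as an alternate name. It then runs the checks a browser performs (does the certificate chain to the new CA, does each address match an identity in it) and a check on how long the CA has left. The organisation details, host names, IP address and the 825-day lifetime of the user-facing certificate are assumptions for illustration, not Smoothwall defaults; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not Smoothwall's code): reproduces with the openssl CLI what the
# "New root CA" and "New certificate" steps generate, so the results can be
# checked. All names, host names and IP addresses below are made-up placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Assumed identities the Smoothwall is reached by (replace with your own).
FQDN="smoothwall.school.example"
SHORT_NAME="smoothwall"
IP_ADDR="10.0.0.1"

# Extension profiles: v3_ca is what the root CA needs; v3_server is the
# user-facing certificate with "Allow this certificate to sign others" cleared
# (CA:FALSE) and every host name and IP listed under Alternate Names.
write_config() {
cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$FQDN, DNS:$SHORT_NAME, IP:$IP_ADDR
EOF
}

# Root CA with ownership details in the subject and the three-year lifetime
# the article describes (1095 days).
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/C=GB/O=Example School/OU=IT Services/CN=Example School HTTPS Inspection CA 2024" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# User-facing services certificate signed by that CA. 825 days is an assumed
# lifetime chosen to stay inside the browser limit the article cites; it is
# not a Smoothwall default.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/openssl.cnf" \
    -subj "/O=Example School/CN=$FQDN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.crt" 2>/dev/null
}

# True when the certificate chains to the new CA and names the given host name
# or IP address, i.e. the check a browser makes before deciding whether to warn.
verify_identity() { # $1 = host name or IP address typed into the browser
  case "$1" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
                 "$WORK/server.crt" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" \
                 "$WORK/server.crt" >/dev/null 2>&1 ;;
  esac
}

# True when the certificate is allowed to sign others (i.e. it is a CA).
is_ca() { # $1 = certificate file
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True when the certificate still has at least $2 days left. Run it from cron
# against the exported CA as a reminder to start this procedure in good time.
days_left_ok() { # $1 = certificate file, $2 = minimum days remaining
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

write_config
make_root_ca
make_server_cert

# proxy.school.example is deliberately absent from the alternate names.
for id in "$FQDN" "$SHORT_NAME" "$IP_ADDR" "proxy.school.example"; do
  if verify_identity "$id"; then echo "$id: matches"; else echo "$id: MISMATCH"; fi
done
echo "CA valid for 1000+ more days: $(days_left_ok "$WORK/ca.crt" 1000 && echo yes || echo no)"
```

The last identity in the loop is left out of the alternate names on purpose, to show the mismatch a user would hit by typing an address you forgot to list; add an entry for every name and address in use before saving the certificate on the Smoothwall.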
When you have pushed the new CA out to domain devices and made it available to BYOD users, switch the Smoothwall over to the new CA. The steps are:
- Place your mouse cursor over the new CA in the certificates list and click Set default CA. A list of newly auto generated certificates appears below the new CA.
- To the right of the certificates, click Guardian HTTPS inspection and from the Certificate Authority list, select the new CA, click Save and then Clear and restart.
- To go back to the certificate section, click Create and manage certificates, and then, again to the right of the certificates, click User-facing HTTPS services.
- Under the Certificates section, from the User-facing HTTPS services list, select either the auto-generated certificate or the custom one created in the optional step above.
- Click Save.
The Smoothwall and its services now use the new CA and the new user-facing HTTPS certificate. You can confirm the switch-over from a client by browsing to an inspected HTTPS site and checking that the certificate's issuer is the new CA, or by connecting to the Smoothwall with openssl s_client and inspecting the chain it presents. The new CA is valid for three years from the date it was created, so diarise its expiry and start this procedure again well before then.