Certificate Authorities (CAs) on a Smoothwall have a lifetime of two years, and the dynamic certificates they issue, including the HTTPS interception certificate, have a lifetime of one year, in line with the current limits on certificate lifetimes.
Best practice for generating a new CA, as a checklist:
- Create a new CA.
- Export and push the new CA to domain devices.
- Optional: Replace the CA on any external resources made available for BYOD devices.
- Optional: Send your users an email with the new CA attached for them to import on their own devices.
- Optional: Create a new certificate for the user-facing HTTPS services. A certificate is created automatically during this process, but you can create a custom one carrying the host names and IP addresses by which the Smoothwall is reached.
- Set the new CA as the default CA and as the CA used for HTTPS inspection, and change the user-facing HTTPS services certificate to the new one.
Procedure
- To create a new CA, in the Smoothwall, on the SYSTEM menu, under the Certificates submenu, click Certificates for services.
- To create a completely new CA, click the New root CA button at the top-right of the page. When creating a CA, we recommend that you add proper ownership information to it. While this information is not mandatory, it helps both administrators and users identify the source of the CA and of the certificates it issues.
- Enter a descriptive Name and copy it for the Common Name.
- Click Advanced» to expand the advanced section and fill in the rest of the values.
- Click Save changes and check the new CA in the certificate list.
Preparing the switch-over
Before you can set the new CA as the default and as the one used for HTTPS inspection, you need to push the CA to the domain devices and make it available to BYOD users. Replace the CA on any web page link that you have created on your own homepage. The HTTPS CA download page on the Smoothwall does not need attention, because it updates automatically once you set the new CA as the HTTPS inspection CA.
Optional: send out an email with the new CA attached, as well as installation instructions.
Optional: you can create a custom certificate and use it for the user-facing HTTPS services on the Smoothwall. A dynamic certificate is created automatically when you set the new CA as the default CA, but you can mint from the root CA a custom certificate that contains, as Subject Alternative Names, every host name and IP address used to access the Smoothwall, so browsers do not raise name-mismatch errors. To do this, go through the following steps:
- Place your mouse cursor over the new Root CA in the certificates list and click New certificate.
- For the Authority option, clear the "Allow this certificate to sign others" selection.
- Enter a descriptive Name.
- Enter the Smoothwall's host name for the Common name.
- Click Advanced» to expand the advanced section and, for the Alternate Names, enter every host name and IP address by which the Smoothwall can be accessed, one value per line. These are the identities added to the certificate, so that whether users reach the Smoothwall by IP address or by host name, the address they use matches an identity in the certificate.
The values should list like this example:
lan.ip.of.smoothwall
external.ip.of.smoothwall
byod.ip.of.smoothwall
anyother.ip.of.smoothwall
hostname
hostname.of.smoothwall
external.hostname.smoothwall
- Enter any other optional information in the advanced section and click Save changes.
Switching over
When you have pushed out the new CA to domain devices and made it available to BYOD users, you need to switch the Smoothwall to use the new CA. The steps are:
- Place your mouse cursor over the new CA in the certificates list and click Set default CA. A list of newly auto generated certificates appears below the new CA.
- To the right of the certificates, click Guardian HTTPS inspection and from the Certificate Authority list, select the new CA, click Save and then Clear and restart.
- To go back to the certificate section, click Create and manage certificates, and then again to the right of the certificates click User-facing HTTPS services.
- Under the Certificates section, from the User-facing HTTPS services list, select either the auto generated certificate or the custom one created in the optional step above.
- Click Save.
The Smoothwall and its services now use the new CA and user-facing HTTPS certificate. The CA is valid for two years and the certificate for one year, so plan to repeat this procedure before they expire.
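The following script is an added example, not part of the Smoothwall documentation or software. It reproduces with openssl what the optional custom-certificate step above does in the GUI (a root CA, then a non-signing server certificate whose Subject Alternative Names cover every address the appliance is reached by) and provides the check you would run on the certificate exported from the Smoothwall after the switch-over, before removing the old CA from clients: does it chain to the new CA, is it a server certificate rather than a CA, and does it list every expected name exactly. Every name, IP address and path in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Smoothwall documentation or software.
# Mints a root CA and a server certificate with SANs the way the optional
# step does in the GUI, then checks the result the way you would check the
# certificate exported from the appliance. All names, IPs and paths are
# constructed placeholders. Requires openssl 1.1.1 or later.
set -eu

WORK="${TMPDIR:-/tmp}/smoothwall-ca-example"
mkdir -p "$WORK"

# Constructed identities, one per address users type in: IP: for addresses,
# DNS: for host names, which is how browsers match them against the URL.
SAN_LIST="IP:192.0.2.10,IP:198.51.100.10,IP:192.0.2.20,DNS:smoothwall,DNS:smoothwall.example.internal,DNS:proxy.example.com"

# Root CA with the two-year lifetime the appliance uses. An explicit config
# keeps the example independent of the system openssl.cnf.
make_root_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example School
OU = IT Services
CN = Example School Smoothwall Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 730 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Server certificate: one-year lifetime, CA:FALSE (the "Allow this certificate
# to sign others" box cleared), CN set to the host name, SANs from SAN_LIST.
make_server_cert() {
  cat > "$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = smoothwall.example.internal
EOF
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN_LIST
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.pem" 2>/dev/null
}

# check_server_cert CERT CA "IP:...,DNS:..." returns 0 only if CERT chains to
# CA, cannot itself sign certificates, and carries every expected SAN exactly
# (so DNS:smoothwall is not satisfied by DNS:smoothwall.example.internal).
check_server_cert() {
  cert="$1"; ca="$2"; expected="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "$cert does not chain to $ca" >&2; return 1; }
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'CA:FALSE' \
    || { echo "$cert is a CA certificate, not a server certificate" >&2; return 1; }
  # The SAN values sit on the line after their header; openssl prints IP
  # entries as "IP Address:", so normalise them to the "IP:" form used above.
  sans=$(printf '%s\n' "$text" | awk '/Subject Alternative Name/ {getline; print}' \
    | sed 's/IP Address:/IP:/g' | tr -d ' ' | tr ',' '\n')
  for name in $(printf '%s' "$expected" | tr ',' ' '); do
    printf '%s\n' "$sans" | grep -qxF -- "$name" \
      || { echo "missing SAN: $name" >&2; return 1; }
  done
  return 0
}

make_root_ca
make_server_cert
if check_server_cert "$WORK/server.pem" "$WORK/ca.pem" "$SAN_LIST"; then
  echo "server.pem chains to ca.pem and carries every expected name"
fi
```

To check a certificate exported from the appliance instead, point `check_server_cert` at the exported server certificate and the exported new CA and pass the same comma-separated list of identities you entered as Alternate Names; a non-zero exit names the first address that would still produce a browser mismatch.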