This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
The On-Premise Appliance requires a Secure Sockets Layer (SSL) Certificate or Certificate Authority (CA) to run services. Without Certificates, you can’t access the On-Premise Appliance Admin UI using HTTPS or apply Web Filtering policies that use HTTPS inspection.
- By default, Certificates used by the Smoothwall Appliance use a self-signed Root CA, generated during the OS installation.
- You can create new Root CAs, Intermediate CAs or Certificates, and regenerate the default dynamically generated system certificates as needed.
Important
Read Understanding the Smoothwall Filter and Firewall Certificates before you make any changes.
Before you begin
Create a backup
Back up your Smoothwall settings.
Create a system restore point
- Go to System > Maintenance > System Restore.
- Select New restore point.
- Name the restore point.
- Select Save.
Find out what and when to renew
Set a reminder for the expiry date and renew the certificates before they expire to avoid service interruptions.
Both Root CA and Dynamic Certificates are in date
If both the Root CA and Dynamic Certificates are in date, you don’t need to take any action.
Image 1: Root CA and Dynamic Certificates are both in date.
Dynamic certificates have expired, but the Root CA is still in date
If the Dynamic certificates have expired, but the Root CA is still in date, follow the instructions in the Renew only Dynamic Certificates section.
Image 2: Example setup where the Dynamic certificates have expired, but the Root CA is still in date.
Image 3: Example setup after Dynamic Certificates are renewed to match the Root CA expiry date.
Root CA has expired
If the Root CA has expired, follow the instructions in the Renew Root CA with Dynamic Certificates section.
Image 4: Root CA and Dynamic Certificates are expiring today.
Image 5: Root CA and Dynamic Certificates have expired.
Renew only Dynamic Certificates
Due to different validity periods, your Dynamic Certificates may expire while the Default CA is still valid. To renew the Dynamic Certificates:
- Organise a maintenance window outside of working hours to prevent disruption.
- Create a new CA and name it 'Junk CA' or similar - this will only be used temporarily.
- Set the new Junk CA as the Default CA.
- Set the original Root CA as the Default CA again. This regenerates the Dynamic Certificates with the shorter of the two periods:
  - An additional 13 months of validity.
  - The remaining validity period of the CA.
- Go to System > Certificates > Certificates for Services, hover over the Junk CA and select Delete.
- Test HTTPS services.
Renew Root CA with Dynamic Certificates
Step 1: Create a New Root CA
You can use Intermediate Certificates and Certificate Authorities to deploy a certificate chain of trust without deploying the Root CA. Create any Intermediate CA or Server Certificates required.
Step 2: Export and deploy the new CA
- Export the CA.
- Deploy the certificate to any domain-joined and BYO devices that require it, using your preferred MDM solution.
Step 3: Set a New 'Default' Root CA
You must set your new CA (or any Intermediate CA you’ve created) as the 'Default CA' to create Dynamic certificates and migrate services.
Go to System > Certificates > Certificates for services and look in the Used by column. Ensure all your services are set to use the new CA rather than the old one.
(Optional) Step 4: Set up Intermediate certificates
If you use Intermediate Certificates, create any Intermediate CAs needed using the new Root CA.
Step 5: Test HTTPS services
Make sure HTTPS services work as expected after the Certificate change:
- Use a test computer.
- Open a browser.
- Go to any HTTPS website, such as google.com or bbc.co.uk
- If you have set up Certificates correctly, you should be able to access the website (unless a Web Filter Policy blocks it).
- If you see a security error, review your configuration.
Image 6: A message saying the connection is not secure when there are issues with Certificate setup.
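The Step 5 check can also be scripted. This is an added example, not Smoothwall code: it trusts only the exported CA file, so the handshake succeeds only when the service presents a certificate that chains to the new CA, and it reports how many days remain before that certificate expires. The function names, the 30-day warning window and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

WARN_DAYS = 30  # assumption: reminder window, not a Smoothwall setting

# Constructed sample in the dictionary format returned by getpeercert().
SAMPLE = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example School"),),
               (("commonName", "Example Root CA 2025"),)),
    "notAfter": "Feb  1 00:00:00 2026 GMT",
}


def probe(host, ca_pem, port=443, timeout=5.0):
    """Handshake trusting only the exported CA file; return the peer certificate."""
    # Raises ssl.SSLCertVerificationError if the chain does not lead to ca_pem,
    # which is the scripted equivalent of the browser security error.
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_cn(cert):
    """Common name of the issuing CA, or None if the issuer has no CN."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def assess(cert, expected_ca_cn, now=None):
    """Return (status, whole days left) for a presented certificate."""
    now = time.time() if now is None else now
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    days_left = int(remaining // 86400)
    if issuer_cn(cert) != expected_ca_cn:
        return "wrong-issuer", days_left  # service still uses another CA
    if remaining <= 0:
        return "expired", days_left
    if days_left < WARN_DAYS:
        return "expiring", days_left
    return "ok", days_left


if __name__ == "__main__":
    print(assess(SAMPLE, "Example Root CA 2025"))
```

Run `probe(host, ca_pem)` from the test computer and pass its result to `assess`. If an Intermediate CA is set as the Default CA, pass that CA's name as `expected_ca_cn`.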