This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
The On-Premise Appliance requires a Secure Sockets Layer (SSL)/TLS certificate, issued by a Certificate Authority (CA) it holds, to run its HTTPS services. Without valid certificates, you can't access the On-Premise Appliance Admin UI over HTTPS or apply Web Filtering policies that use HTTPS inspection.
- By default, the certificates used by the Smoothwall Appliance are issued by a self-signed Root CA that is generated during the OS installation.
- You can create new Root CAs, Intermediate CAs or Certificates, and regenerate the default, dynamically generated system certificates as needed.
Important
Read Understanding the Smoothwall Filter and Firewall Certificates before you make any changes.
Before you begin
Create a backup
Back up your Smoothwall settings.
Create a system restore point
- Go to System > Maintenance > System Restore.
- Select New restore point.
- Name the restore point.
- Select Save.
Find out what and when to renew
To comply with the certificate lifetime limits that all major web browsers enforce, the following validity periods apply:
- Root CAs are valid for 24 months.
- Dynamic Certificates are valid for 13 months.
Set a reminder for both expiry dates and renew the certificates before they expire to avoid service interruptions. Note that a Dynamic Certificate is issued by the CA and can never outlive it: when less than 13 months of the CA's validity remain, regenerated Dynamic Certificates expire on the same day as the CA.
Both Root CA and Dynamic Certificates are in date
If both the Root CA and Dynamic Certificates are in date, you don’t need to take any action.
Image 1: Root CA and Dynamic Certificates are both in date.
Dynamic certificates have expired, but the Root CA is still in date
If the Dynamic certificates have expired, but the Root CA is still in date, follow the instructions in the Renew only Dynamic Certificates section.
Image 2: Example setup where the Dynamic certificates have expired, but the Root CA is still in date.
Image 3: Example setup after Dynamic Certificates are renewed to match the Root CA expiry date.
Root CA has expired
If the Root CA has expired, follow the instructions in the Renew Root CA with Dynamic Certificates section.
Image 4: Root CA and Dynamic Certificates are expiring today.
Image 5: Root CA and Dynamic Certificates have expired.
Renew only Dynamic Certificates
Because the validity periods differ, your Dynamic Certificates can expire while the Default CA is still valid. Re-setting the Default CA is what regenerates them, so the procedure switches to a throwaway CA and straight back. To renew the Dynamic Certificates:
- Organise a maintenance window outside of working hours. While the temporary CA is the Default CA, services present certificates that client devices don't trust, so users would see certificate warnings until the original CA is restored.
- Create a new Root CA and name it 'Junk CA' or similar. It is only used temporarily and is never deployed to devices.
- Set the new Junk CA as the Default CA.
- Set the original Root CA as the Default CA again. This regenerates the Dynamic Certificates with the shorter of the two periods:
- An additional 13 months of validity.
- The remaining validity period of the CA. If the CA has less than 13 months left, the renewed Dynamic Certificates expire with it, so plan the Root CA renewal as well.
- Go to System > Certificates > Certificates for Services, hover over the Junk CA and select Delete.
- Test HTTPS services (see Step 6 of Renew Root CA with Dynamic Certificates).
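The validity rules in the two sections above (24-month Root CA, 13-month Dynamic Certificates, regeneration capped at the CA's remaining life, the 30-day expiry warning) are easy to get wrong when planning a renewal window. The following Python script is an added example, not Smoothwall code and not the appliance's own logic: given today's date and the two expiry dates read from System > Certificates > Certificates for Services, it says which procedure in this article applies, what expiry date the renewed Dynamic Certificates will get, and when to expect the warning banner. The dates in the usage call are constructed sample values.

```python
"""Renewal planner built on the validity rules stated in this article.

Added example, not Smoothwall code. Rules encoded:
  - a Root CA is issued for 24 months, Dynamic Certificates for 13 months;
  - re-setting the Default CA regenerates Dynamic Certificates with the
    shorter of 13 months and the issuing CA's remaining validity;
  - the appliance warns 30 days before the inspection certificate expires.
Dates are supplied by the operator; the sample dates below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

ROOT_CA_MONTHS = 24
DYNAMIC_MONTHS = 13
WARNING_DAYS = 30


def as_date(value: Union[date, str]) -> date:
    """Accept either a date or an ISO 8601 string such as '2025-06-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target
    month (so 31 January + 1 month is 28 or 29 February)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def regenerated_dynamic_expiry(ca_not_after: date, regenerated_on: date) -> date:
    """Expiry of Dynamic Certificates regenerated on `regenerated_on`: the
    shorter of 13 months and the remaining validity of the issuing CA."""
    return min(add_months(regenerated_on, DYNAMIC_MONTHS), ca_not_after)


@dataclass
class Plan:
    action: str                         # "none", "renew_dynamic" or "renew_root_ca"
    reason: str
    new_dynamic_expiry: Optional[date]  # set when action == "renew_dynamic"
    warn_from: Optional[date]           # date the 30-day warning banner is due


def plan_renewal(today, ca_not_after, dynamic_not_after) -> Plan:
    """Pick the procedure from this article for the given expiry dates.
    A certificate whose expiry date is today is treated as expired, matching
    the 'expiring today' case in the article's images."""
    today, ca_not_after, dynamic_not_after = map(as_date, (today, ca_not_after, dynamic_not_after))
    if ca_not_after <= today:
        return Plan("renew_root_ca",
                    "Root CA has expired: follow 'Renew Root CA with Dynamic Certificates'.",
                    None, None)
    if dynamic_not_after <= today:
        new_expiry = regenerated_dynamic_expiry(ca_not_after, today)
        reason = "Dynamic Certificates have expired: follow 'Renew only Dynamic Certificates'."
        if new_expiry == ca_not_after:
            # With under 13 months of CA life left, the renewed certificates
            # only last as long as the CA itself does.
            reason += (" The CA has under 13 months left, so the renewed certificates"
                       " expire with it; schedule a Root CA renewal as well.")
        return Plan("renew_dynamic", reason, new_expiry, new_expiry - timedelta(days=WARNING_DAYS))
    soonest = min(ca_not_after, dynamic_not_after)
    return Plan("none", "Both the Root CA and Dynamic Certificates are in date.",
                None, soonest - timedelta(days=WARNING_DAYS))


if __name__ == "__main__":
    # Constructed sample dates, not read from a real appliance.
    plan = plan_renewal("2025-06-01", "2026-03-01", "2025-05-01")
    print(plan.action, plan.new_dynamic_expiry, plan.warn_from)
    print(plan.reason)
```

The sample run shows the case the article's rule implies but does not spell out: with only nine months of CA life left, the Junk CA round trip gives Dynamic Certificates that expire on 1 March 2026 together with the CA, so the Root CA renewal has to be scheduled in the same window anyway.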
Renew Root CA with Dynamic Certificates
When the On-Premise Appliance detects the system certificate responsible for HTTPS Inspection services will expire within 30 days, a warning message shows on every page that says: Warning: The Guardian CA certificate will expire in X days.
Select the button in the warning to go to System > Certificates > Certificates for Services where you can manage your certificates.
Important
The warning message will remain until the morning after you apply the new CA.
Step 1: Create a New Root CA
- Go to System > Certificates > Certificates for Services.
- Select New Root CA.
- Enter a logical name for the new CA, such as ‘Smoothwall CA 2024’.
- For Common Name, enter either:
- the hostname or FQDN of the Smoothwall Appliance, such as 'smoothwall.test.local'
- If the Smoothwall Appliance has a short hostname and is part of multiple domains, enter 'smoothwall'. See Server Alternate Names.
- Optionally, enter the Organisation the Smoothwall Appliance belongs to.
- Select Advanced to add optional details including Email address, Department, Locality or town, State or province and Country.
- Select Save Changes.
If you'd rather not install the Root CA certificate itself on client devices, you can build a chain of trust with Intermediate CAs and Server Certificates signed by the new Root CA and deploy the Intermediate CA certificate as the trust anchor instead. Create any Intermediate CA or Server Certificates you need at this point.
Step 2: Export and deploy the new CA
- Go to System > Certificates > Certificates for Services.
- Hover over the Root CA that has the Default flag.
- Select Export.
- Select the format to export based on your MDM solution's requirements. Select either:
- Certificate
- Certificate (binary format)
- Certificate and chain
- Certificate and keys. This export contains the CA's private key. Use it only to move the CA to another system, never to deploy trust to client devices: anyone holding the key can issue certificates for any site that those clients will then trust.
Tip
Select the ? icon for details of each type.
- Add a password.
- Select Export.
- The certificate downloads to your computer.
- Deploy the certificate to the trusted root store of any domain devices and BYOD devices that require it, using your preferred MDM solution. Devices that don't trust the new CA will show certificate errors once it becomes the Default CA in Step 3.
Step 3: Set a New 'Default' Root CA
You must set your new CA (or any Intermediate CA you’ve created) as the 'Default CA' to create Dynamic certificates and migrate services.
- Go to System > Certificates > Certificates for Services.
- Hover over the new CA.
- Select Set Default CA.
- Read the warning - if you need to do further work, select Cancel to back out.
- Select Save.
- The new Default CA now generates the Dynamic certificates. Services attached now use those new certificates.
Step 4: Migrate Services to Dynamic/Other Certificates
Go to System > Certificates > Certificates for Services and look in the Used by column. Services that you previously assigned to the original Root CA by name (rather than to the Default CA) do not migrate automatically and still use the old CA.
To assign those services to the new Root CA, select the item in the Used by column. This takes you to either:
- Guardian HTTPS inspection (Guardian > HTTPS Inspection > Settings): Ensure the Certificate Authority is set to your new CA.
- User Facing HTTPS Services or Admin UI (System > Preferences > User interface): Ensure the User-facing HTTPS services field or the Admin UI field is set to your new CA.
Step 5: Set up Intermediate certificates (optional)
If you use Intermediate Certificates, create any Intermediate CAs needed using the new Root CA.
Step 6: Test HTTPS services
Make sure HTTPS services work as expected after the Certificate change:
- Use a test computer that has the new CA deployed to it.
- Open a browser.
- Go to any HTTPS website, such as google.com or bbc.co.uk, and to the Admin UI.
- If you have set up Certificates correctly, you should be able to access the website (unless a Web Filter Policy blocks it) and the Admin UI without a certificate warning. View the certificate in the browser and confirm that the issuer is your new CA and that the expiry date is the one you expect.
- If you see a security error, the device does not trust the CA that issued the presented certificate: check that the new CA was deployed to the device's trust store and that the service is assigned to the new CA (see Step 4).
Image 6: A message saying the connection is not secure when there are issues with Certificate setup.
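A browser check tells you only that something is wrong. The following Python script is an added example, not Smoothwall code: it connects to an HTTPS service with the CA certificate exported in Step 2 as the only trust anchor, exactly as a managed client would after deployment, and reports the issuer CN and days to expiry of the certificate that was presented, or the verification error behind a "connection is not secure" page. It is intended for the Admin UI and user-facing HTTPS services on the appliance itself; it also covers an inspected site such as www.google.com when run on a test computer whose traffic is transparently routed through the appliance (an explicit proxy would need an HTTP CONNECT first, which this example does not perform). The CA file path and host names in the usage call are assumptions.

```python
"""Check the certificate an HTTPS service presents after the CA change.

Added example, not Smoothwall code. Uses only the Python standard library.
"""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Union


@dataclass
class CheckResult:
    host: str
    trusted: bool              # presented chain validated against the exported CA
    issuer_cn: Optional[str]   # CN of the certificate's issuer, when trusted
    days_left: Optional[int]   # days until notAfter, when trusted
    detail: str


def issuer_common_name(cert: dict) -> Optional[str]:
    """Pull the issuer CN out of the dict ssl.SSLSocket.getpeercert() returns:
    'issuer' is a tuple of RDNs, each a tuple of (name, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def days_until_expiry(cert: dict, now: Union[datetime, str, None] = None) -> int:
    """Whole days from `now` (default: current UTC time) until the
    certificate's notAfter; negative once it has expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    # notAfter is in the form 'Jun  9 12:00:00 2026 GMT'
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expiry - now).days


def check_https_service(host: str, port: int, ca_file: str, timeout: float = 5.0) -> CheckResult:
    """Connect with the exported CA as the only trust anchor (create_default_context
    skips the system store when cafile is given) and report what was presented."""
    context = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # The browser's "connection is not secure" case: the chain does not lead
        # to the exported CA (wrong CA deployed, or service still on the old CA).
        return CheckResult(host, False, None, None, f"verification failed: {err.verify_message}")
    except (OSError, ssl.SSLError) as err:
        return CheckResult(host, False, None, None, f"connection failed: {err}")
    return CheckResult(host, True, issuer_common_name(cert), days_until_expiry(cert), "ok")


if __name__ == "__main__":
    # Assumed host names and CA file name; replace with your own.
    for target in ("smoothwall.test.local", "www.google.com"):
        print(check_https_service(target, 443, "smoothwall-ca.pem"))
```

A result with trusted set to True but an issuer CN that is still the old CA's name means the service was assigned to the old CA by name and needs reassigning as in Step 4; a days_left value of 30 or less is the point at which the appliance's own warning banner appears.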