Renew when the Guardian CA certificate has expired

Sign in to the Smoothwall On-Premise Appliance Admin UI and check your dashboard for a banner referencing certificates.

• If no banner appears, or if you see a banner that says ‘Warning: The Guardian CA certificate will expire in X days.’, see Renew when the Guardian CA certificate will expire soon.
• If you see a banner that says ‘Warning: The Guardian CA certificate has expired.’, your certificates have expired. 

When your certificates expire:

• Users can’t connect to the internet.
• You can’t apply Web Filtering policies that use HTTPS inspection.
• You can’t access the On-Premise Appliance Admin UI using HTTPS.

 Renew your certificates and install the new certificates on devices immediately. 

If you’re unsure about any of the steps, contact Smoothwall Support for guidance through the process.

Image 1: Banner when the certificate has expired.

Renew only Dynamic Certificates

Follow these instructions if only the Dynamic certificates have expired, but the Root CA is still valid. The Certificate column shows:

• ‘Expires’ with a future date for the Root CA expiry.
• ‘Expired’ with a date today or in the past for the Dynamic certificates.

Image 1: Example setup where the Dynamic certificates have expired, but the Root CA is still valid.

To renew the Dynamic Certificates:

1. Back up your settings.
2. Create a new CA and name it 'Junk CA' or similar - you’ll only use this temporarily.
3. Set the new Junk CA as the Default CA.
4. Set the original Root CA as the Default CA again. This action regenerates the Dynamic Certificates with the shorter of the two periods:
   • An additional 13 months of validity.
   • The remaining validity period of the CA.
5. Go to System > Certificates > Certificates for Services, hover over the Junk CA and select Delete.
6. Test HTTPS services.

Image 2: Example setup after renewing Dynamic Certificates to match the Root CA expiry date.

Renew Root CA with Dynamic Certificates

Follow these instructions if the Root CA has already expired. The Root CA shows Not present in the Certificate and Key columns, and the Dynamic certificates show as Expired.

Image 3: Root CA and Dynamic Certificates have expired.

Step 1: Back up your settings

• Back up your Smoothwall settings.
• Create a system restore point:
  1. Go to System > Maintenance > System Restore.
  2. Select New restore point.
  3. Name the restore point.
  4. Select Save.

Step 2: Create a New Root CA

• Create a new CA.
• If needed, create Intermediate Certificates and Certificate Authorities to deploy a certificate chain of trust without deploying the Root CA.

Step 3: Export and deploy the new CA

1. Export the CA.
2. Deploy the CA on every device in one of the following ways:
   • Automatically (recommended): For domain-joined and BYO devices, use your preferred MDM solution for example, the Google Admin Console, or an Active Directory Group Policy. This option lets you prepare devices before you swap the Default Root CA.
   • Manually: Complete Step 4, then install the new Root CA using the getcert page.

Step 4: Set a New 'Default' Root CA

Set your new CA (or any Intermediate CA you’ve created) as the 'Default CA' to create Dynamic certificates and migrate services. See Set a new Default Certificate Authority.

(Optional) Step 5: Set up Intermediate certificates

If you use Intermediate Certificates, create any Intermediate CAs needed using the new Root CA.

Step 6: Test HTTPS services

Make sure HTTPS services work as expected after the Certificate change:

1. Use a test computer.
2. Open a browser.
3. Go to any HTTPS website, such as google.com or bbc.co.uk
   • If you have set up Certificates correctly, you can access the website (unless a Web Filter Policy blocks it).
   • If you see a security error like the one below, review your configuration.

Image 4: Example “connection not secure” message indicating Certificate setup issues.