A Primer on Smoothwall Certificates
The Smoothwall Filter & Firewall runs a number of services which are secured by way of an SSL Server certificate, or else require the use of a Certificate Authority to function. An example of this may be accessing the Smoothwall Admin UI via HTTPS, or providing HTTPS filtering of web traffic.
By default, all certificates used by the Smoothwall to provide its own services use a self-signed Root Certificate Authority, which is first generated at the point of OS installation. Users can generate new Root Certificate Authorities, Intermediate Certificate Authorities or Certificates, and the default stack of Dynamically generated system certificates from the Smoothwall admin UI as required.
To stay compliant with regulations regarding self-signed certificates and authorities, and thus compatible with all major web browsers, the following limitations apply:
- Root Certificate Authorities generate with a validity period of 24 months.
- Dynamic Certificates generate with a validity period of 13 months.
- Intermediate Certificate Authorities and Server Certificates generate with a validity period of 24 months.
For a more in-depth explanation of Certificates, see this article.
Understanding Dynamic Certificates
When a Root Certificate Authority is set as the Default CA in the Smoothwall Admin UI, a number of dynamically generated certificates are minted from it, each with a specific use.
- Smoothwall HTTPS Interceptions Certificate Authority - allows HTTPS web traffic filtered and/or modified by the Guardian Web Filter to be trusted by the client web browser. Deployment of this certificate (by default) is required if HTTPS Inspection policies set to 'Decrypt and Inspect' are to be used.
- Smoothwall dynamic Admin UI Certificate - server certificate for accessing the Smoothwall Admin UI via HTTPS on port 441.
- Smoothwall dynamic User HTTPS Services Certificate - server certificate for accessing other HTTPS protected services on the Smoothwall, namely the SSL Login Page.
- Smoothwall dynamic User Identification Certificate - client certificate to permit access to the Global Proxy function, where client authorization via certificate is enabled.
- Smoothwall Auth Certificate Authority - used by the new AuthD5 authentication service. (Included in Maiden only)
Certificate Renewal Procedure
Due to the limited validity period set on all Certificate Authorities and Certificates, renewal is eventually required. The procedure for carrying out the creation of new Certificate Authorities, Intermediate Certificates, and regenerating Dynamic certificates follows.
NOTE: before making any changes to your Smoothwall first create a full system backup (System > Maintenance > Archives) and create a system restore point (System > Maintenance > System Restore).
Renewal Procedure Checklist
Renewing an Expired Root Certificate Authority with Dynamic Certificates:
- Back up your Smoothwall settings and create a restore point.
- Create the new Root Certificate Authority - Details Below.
- Optional: Create any Intermediate Certificate Authority or Server Certificates required.
- Export and deploy the new Root Certificate Authority or Intermediate Certificate Authority to devices - details below.
- Set the new Root Certificate Authority or Intermediate Certificate Authority as 'Default' - details below.
- Migrate any remaining services to the appropriate Dynamic certificate or Default Certificate Authority.
- Test HTTPS services from a client machine.
Renewing only expired Dynamic Certificates:
- Arrange a maintenance window.
- Back up your Smoothwall settings and create a restore point.
- Create a new 'junk' Certificate Authority and set it as default.
- Set the original Certificate Authority as Default.
- Test HTTPS services from a client machine.
Creating New Root Certificate Authorities
Due to the limited validity period of self-signed certificates and certificate authorities, system administrators will eventually need to create a new Root Certificate Authority and generate new dynamic certificates.
This can be accomplished with the following procedure:
- Log in to the Smoothwall Admin UI and navigate to System > Certificates > Certificates for Services.
- In the top-right of the UI select the New Root CA tool.
- In the configuration page, set:
  - Name - a logical name for the new Certificate Authority, such as "Smoothwall CA 2023"
  - Common Name - the hostname or FQDN of the Smoothwall, such as 'smoothwall.test.local', or where the Smoothwall has a short hostname and is part of multiple domains, simply 'smoothwall'. See below regarding Server Alternate Names.
  - Organisation - Optionally, the organisation the Smoothwall belongs to.
  - Advanced - Fill in any optional fields you like - they are not required for the Certificate Authority to function.
- Click Save Changes to create the new Certificate Authority
OPTIONAL: Intermediate Certificates and Server Alternate Names
Intermediate Certificates and Certificate Authorities are usually used where you want to deploy a certificate chain of trust without deploying the actual Root Certificate Authority itself, which in certain situations could compromise security.
From an existing or newly created Root Certificate Authority, you may mint an Intermediate Certificate Authority or Server Certificate. Doing so enables you to define Server Alternate Names, for when the Smoothwall may be registered in multiple DNS domains under different hostnames or FQDNs. Intermediate Certificate Authorities may be used to mint the Dynamic certificates, and they will inherit the Server Alternate Names in this case.
Intermediate Certificates and Certificate Authorities are tied to the validity of the Root Certificate Authority - if the Root Certificate Authority expires before the Intermediate Certificate/Certificate Authority, the chain of trust may be considered invalid by some browsers. Generally, it is best to create Intermediate objects at the same time as you create a new Root Certificate Authority.
NOTE: The vast majority of Smoothwall deployments will not need an Intermediate Certificate Authority or Server Certificate. If you are in any doubt, contact Support to discuss your needs.
To create an Intermediate Certificate or Certificate Authority:
- If required, create a Root Certificate Authority as per the instructions above.
- Mouse-over the newly listed Certificate Authority and click New Certificate.
- In the configuration menu, set:
  - Authority - Creates an Intermediate Certificate Authority and as such can mint further certificates. Disable to make a standard Server Certificate.
  - Name - a logical name for the new Certificate Authority, such as "Smoothwall CA 2023"
  - Common Name - the hostname or FQDN of the Smoothwall, such as 'smoothwall.test.local', or where the Smoothwall has a short hostname and is part of multiple domains, simply 'smoothwall'. See below regarding Server Alternate Names.
  - Organisation - Optionally, the organisation the Smoothwall belongs to.
  - Advanced > Alternate names - Supply any Server Alternate Names the Smoothwall may be known by, including short hostnames, FQDNs and IP addresses.
  - Advanced - Fill in any optional fields you like - they are not required for the Certificate Authority to function.
- Click Save Changes
Setting a New 'Default' Root Certificate Authority
When the Smoothwall detects that the system certificate responsible for Guardian HTTPS Inspection services is about to expire, a warning will be issued in the Admin UI. Upon review, you may find that the Root Certificate Authority and Dynamic Certificates are soon to expire, in which case you will need to create an entirely new Root Certificate Authority as detailed above.
To migrate services to the new Root Certificate Authority you will need to set it (or any Intermediate Certificate Authority you may have made) as the 'Default Certificate Authority', which forces the creation of the Dynamic certificates and migrates services over.
In preparation for this, please ensure you have exported a copy of the Certificate Authority to be set as Default and deployed this to any domain devices and BYOD devices that require it, using the MDM solution of your choice where appropriate.
Having deployed the new Certificate Authority, and being ready to migrate to the new Certificate Authority, carry out the following:
- Mouse-over the Certificate Authority and click the teal Set Default CA button.
- Read the provided warning - if you need to do further work, you can back out by clicking Cancel. Otherwise, click Save. The Dynamic certificates will generate under the new Default Certificate Authority, and services attached will begin using those new certificates.
Migrating Services to Dynamic/Other Certificates
If any services (names on the right-hand column of the Certificate table under the 'Used By' heading) have been re-assigned to the original Root Certificate Authority, these services will not migrate over. Services which can be assigned to the Root Certificate Authority can be set manually as follows:
- Guardian HTTPS Interception Certificate - Guardian > HTTPS Inspection > Settings.
- Admin UI - System > Preferences > User Interface.
- User Facing HTTPS Services - System > Preferences > User Interface.
It is generally advised to keep these services attached to their specific Dynamic certificate and deploy those Dynamic certificates as required, but for ease of administration these three services can be assigned to the Default Certificate Authority.
Renewing Only Dynamic Certificates
Due to the difference in validity period between Certificate Authorities and Dynamic Certificates, you may encounter a situation where the active Default Certificate Authority is still valid (say, one year into its validity period), however the Dynamic certificates are about to expire.
Dynamic certificates do not auto-renew and, at the time of writing, require a jump-start to prolong their life in line with the current Certificate Authority.
To renew the Dynamic Certificates only:
- Arrange a maintenance window - this process takes only a minute to complete, but does technically change the certificate responsible for HTTPS Inspection and could cause some small disruption.
- Back up your Smoothwall and create a system restore point.
- Create a new Root Certificate Authority as per the instructions above and call it 'Junk CA' or something equally irrelevant.
- Set that new Junk Certificate Authority as the Default Certificate Authority. Accept the warning.
- Set the original Root Certificate Authority as the Default Certificate Authority again, thus regenerating the Dynamic certificates with another 13 months, or however long the Certificate Authority has left.
- Delete your Junk Certificate Authority.
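
A client-side check for the "Test HTTPS services from a client machine" step, which also reports how long the served Dynamic certificate has left and whether it covers the names clients use. This is an added example, not Smoothwall tooling; it assumes Python 3, the exported Certificate Authority saved as a PEM file named smoothwall-ca.pem, and a 30-day warning threshold, and the function names are illustrative.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed alert threshold, not a Smoothwall setting


def fetch_cert(host, port, ca_file):
    """Handshake trusting only the exported CA; returns the served certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system trust store is not loaded
    ctx.check_hostname = False  # names are compared in assess() so every gap is listed
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def assess(cert, names, now=None):
    """Return (days_left, findings) for a dict shaped like ssl's getpeercert()."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expiry - now).days
    findings = []
    if days_left < 0:
        findings.append("expired")
    elif days_left <= WARN_DAYS:
        findings.append(f"expires in {days_left} days")
    # Exact match against Server Alternate Names only (wildcards are not expanded).
    sans = {value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind in ("DNS", "IP Address")}
    findings += [f"name not covered: {n}" for n in names if n.lower() not in sans]
    return days_left, findings


if __name__ == "__main__":
    # Assumed values: the exported CA file name and the names clients use.
    ca_file = "smoothwall-ca.pem"
    names = ["smoothwall.test.local", "smoothwall"]
    try:
        days, findings = assess(fetch_cert(names[0], 441, ca_file), names)
        print(f"Admin UI (441): {days} days left,", findings or "no findings")
    except OSError as exc:  # includes ssl.SSLError: untrusted chain or expired certificate
        print("Admin UI (441): check failed:", exc)
```

A failed handshake means the served certificate does not chain to the CA file you deployed or has already expired; run the check before and after setting a new Default Certificate Authority to confirm the service has moved over.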