About certificates for services
Each network device is given a "certificate" to prove its identity and, in some cases, allow it to issue other certificates.
Certificates contain two parts:
- A public key that can be safely and securely shared.
- A private key held only by the device to identify it according to the public key.
Certificates that can issue other certificates are known as Certificate Authorities. Certificate Authorities can create and sign other certificates using their own private keys to verify that the signed certificate is trusted. On this page, you manage the certificates the Smoothwall uses to sign for services, such as HTTPS inspection policies. An italic certificate Name indicates a missing root certificate.
The Certificate column indicates when that certificate or Certificate Authority (CA) expires. Those that expire within the next six months have amber text. Certificates expiring within one month are colored red. Those in bold text have expired.
Certificate Authorities, that is, those that can sign for other certificates, are indicated with an icon in the Key column. This column also indicates the algorithm used to encrypt the certificate, and the key size.
The Used by column indicates the Smoothwall services where the certificate is used:
- Client Device Identification, see our help topic, Identifying global proxy clients and devices.
- The Smoothwall Filter HTTPS inspection, see our help topic, Managing HTTPS inspection settings.
- User-facing HTTPS services, see our help topic, Customizing the administration user interface.
Note: Certificates for VPN services are still managed from the Certificate authorities page. See our help topic, Importing and creating certificate authorities and their certificates.
You can add new individual certificates to a root CA. New certificates are automatically valid for three years from the date of creation. The key, also known as the fingerprint, is automatically generated using European ECRYPT2-2010 recommendations. It's suitable for long-term protection and is expected to be secure until the year 2040.
Dynamic certificates
Dynamic certificates are created by the Smoothwall automatically for its services. They're regenerated (for example, on a host name change), so we don't recommend that you export these for use with client devices. As these are signed by the default Certificate Authority, you should export that as the top of the trust chain.
Importing new certificates
You can import multiple certificates and keys, no matter their format or how many files they're presented in. Valid formats are:
- DER X.509 certificates (.cer, .der, .crt)
- Base64 (PEM) X.509 certificates (.pem, .b64, .cer, .crt)
- DER PKCS#7 certificates (.p7, .p7b, .p7c)
- Base64 (PEM) PKCS#7 certificates (.p7, .p7b, .p7c)
- DER PKCS#8 certificates (.p8)
- DER PKCS#12 certificates and private keys (.p12, .pfx)
- DER private keys (.key)
- Base64 (PEM) private keys (.key)
The Smoothwall analyzes the files for valid certificates and keys. If found, the certificates and keys are displayed under the Discovered Keys and Certificates section for each file imported. You're also advised if there's nothing to import from any of the chosen files. SSL certificates and keys can be "wrapped" in containers that need passwords to open them. If such a container is uploaded, you're prompted to enter the password to decrypt that file.
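As a check before importing, the following added example (not Smoothwall code) inspects file contents rather than extensions and reports what each file appears to hold and whether a password prompt is likely. The function names, sample file names and sample bytes are constructed for illustration, and the DER classification is a heuristic based on the opening ASN.1 fields only.

```python
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def _tlv(buf, pos):  # decode one DER header -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_der(buf):
    """Guess (kind, needs_password) from the opening fields of the outer SEQUENCE."""
    try:
        outer, start, _ = _tlv(buf, 0)
        first, fstart, fend = _tlv(buf, start)
        inner, second = buf[fstart], buf[fend]  # first byte inside / tag after field 1
    except IndexError:
        return ("unknown", False)
    if outer != 0x30:
        return ("unknown", False)
    if first == 0x06 and buf[start:fend] == SIGNED_DATA:
        return ("PKCS#7 certificates", False)
    if first == 0x02:  # a leading INTEGER is a version number
        if buf[fstart:fend] == b"\x03" and second == 0x30:
            return ("PKCS#12 bundle", True)  # PFX version 3: expect a password prompt
        return ("unencrypted private key", False)  # PKCS#8, RSA or EC key structure
    if first == 0x30 and inner == 0x06 and second == 0x04:
        return ("encrypted PKCS#8 private key", True)  # AlgorithmIdentifier + OCTET STRING
    if first == 0x30 and inner in (0xA0, 0x02) and second == 0x30:
        return ("X.509 certificate", False)  # a CSR or CRL opens the same way
    return ("unknown", False)

def classify_file(data):
    """Return [(kind, needs_password)] for each object found in one file's bytes."""
    found = []
    for label, body in PEM_BLOCK.findall(data):
        encrypted = label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
        found.append((label.decode(), encrypted))
    return found or [classify_der(data)]

# Constructed samples: structurally valid openings only, not real keys or certificates.
SAMPLES = {
    "bundle.pfx": bytes.fromhex("300a020103300506032a0304"),
    "chain.p7b": bytes.fromhex("300d06092a864886f70d010702a000"),
    "legacy.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}
```

For PEM files the reported kind is the PEM label itself, so `classify_file(SAMPLES["legacy.key"])` returns `[("RSA PRIVATE KEY", True)]`; a `True` flag corresponds to the password prompt described above.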
Default certificate authority
Typically, the Smoothwall creates a default CA that can be used by client devices. If you're using Active Directory, or have your own trusted Certificate Authority, you can import this and set it as the default CA. Devices that trust this CA automatically trust any Smoothwall services assigned to Dynamic certificates in the trust chain.