Certificate Management Whitepaper

Article #: Product: Version:
KB-28 All Edinburgh onwards

What’s changed in managing certificates?

In our Edinburgh major release, Smoothwall introduces a new method of managing certificates.

About the Certificate Management Page

The main change to certificate management in Edinburgh comes in the form of a new management interface which allows you to see and fully manage the Smoothwall certificates, see where they are used, and identify which ones are Certificate Authorities (so can be used to create other certificates). You can also create, delete, import and export certificates.

Which certificates are managed by the new Certificate Management?

Edinburgh is the first iteration of the new method of managing certificates, and so initially only some key services have been integrated, with others to follow in future releases.

Certificates belonging to the following services are included:

  • HTTPS Services
    • HTTPS pages hosted on the Smoothwall, with the exception of the Admin User Interface
    • Includes: Portal, Connect for Chromebooks, SSL Login, Guardian unblock / bypass and block page
  • MTIM
    • Man In the Middle - used for decrypting and inspecting HTTPS traffic through the Smoothwall
  • Global Proxy
    • The certificate used by clients to authenticate them to the Smoothwall in order to remotely proxy through it

Default Certificate Authority Certificate

As well as introducing a new management interface, Smoothwall have implemented a new concept that aids customers in distributing certificates, potentially even avoiding the need to do it at all.

Previously the Smoothwall certificates were treated separately - each area had disparately managed certificates for different purposes; this caused difficulty establishing a single continuous chain of trust and distributing certificates. Separate certificates cause several hurdles; as a client, trusting one doesn’t mean they’d trust another from the same Smoothwall. Different certificates also meant customers had to export and distribute many certificates, which may have different expiry dates.

Edinburgh introduces the concept of a “default” Certificate Authority (CA). A CA is a certificate generated by the Smoothwall that can be used to generate other certificates needed for services to be trusted by clients. The service certificates that we create are called “dynamic” certificates, because they are created and updated dynamically.

In the Certificate Management interface, the default certificate can be identified by a label, as can the dynamic certificates.

Post install, there are 3 ways to ensure clients trust the Smoothwall’s certificates:

  1. The “default” CA can be exported and installed on all client machines; doing so will ensure that the clients trust any of the certificates generated using the default CA.
  2. Instead of using the automatically created CA, it can be replaced by a CA imported by the System Administrator, using Central Management system’s “import” functionality. Selecting a different CA to use as the “default” automatically regenerates all of the dynamic certificates for the services. As well as importing that CA into the Smoothwall (to be set as the default), it can be exported to all clients to ensure they trust any certificates created using it (including the dynamic certificates).
  3. Option 3 is a variation on option 2 - creating a certificate away from the Smoothwall and then importing it into the Smoothwall. This certificate can be from your Active Directory (AD). If it is from AD, there is no need to distribute the certificate to all clients as any domain joined client will trust the AD, and so in turn trust any certificates and certificate authorities it creates.

The default Certificate Authority allows Smoothwall Administrators to only export one certificate to clients - or better yet none, then let the Smoothwall take care of the certificates, greatly simplifying Certificate Management.

With a default certificate authority set, changing the system hostname automatically regenerates the dynamic certificates used by the services. As long as the clients trust the default CA, they will continue to trust the new dynamic certificates. Because these certificates will be regenerated as required, it’s not advised that they be exported and used directly. If the certificates regenerate and the CA hasn’t been trusted, the new certificate may not be trusted either.

How does this work when I upgrade to Edinburgh

The upgrade to Edinburgh does NOT change which certificates are in use. All existing certificates will be migrated and still be used, with no need for any action to be taken.

For services whose certificates are managed by the new system, their certificates are imported into the new certificate management page, but will still be selected for use by the services.

Alongside these migrated certificates, you will find that a new default CA has been created, along with dynamic certificates. These are to allow customers to choose to move to the new structure, but these will not automatically replace the existing selected certificates as this may prevent clients from trusting the Smoothwall. See the following section for guidance on moving to using the new certificates.

Using the new certificate hierarchy post-Edinburgh

Using the new certificate structure post-upgrade is incredibly easy.

The best way to use it is to begin by creating a CA on your Active Directory (AD). This can then be imported into the Smoothwalland set as the default CA. This will cause the Smoothwall to use this CA to generate (regenerate) all dynamic certificates. These dynamic certificates (when used by services) will automatically be trusted by clients that trust your AD. The final step is to select the dynamic certificates for use by each of the services. This can be done from the relevant service configuration page.

If you choose not to use a CA from your AD, you can either use the automatically created CA or import a CA of your own from another source. Either will result in the Smoothwall using it to create dynamic certificates which can then be selected for use by the relevant services. Unlike CAs created with an AD, there is another step; the default CA must be exported and distributed (installed) on all clients that need to trust the Smoothwall.

Release date

The Edinburgh release including certificate management features is due out for release in early 2016.


Last updated: Author: Contributions by:
29th April 2017 DMT SN