
certificate issues

Hi all,

I have UTM9, and there is a problem with the host name in the web certificate setting.

We changed the host name and didn't re-generate the certificate, so we are getting an error when we try to access the UTM web interface, saying "your connection is not secure".


This is where we use the cert:

"Used in these configurations:
Email Protection → SMTP → Advanced
Management → WebAdmin Settings → HTTPS Certificate"

My questions are:

1- If we re-generate it with the corrected host name, will this affect the production line? I mean, is this going to affect the network or anything live while applying the new setting?

2- Is this going to fix the public access? Like, if I want to log in to the UTM from home, will I still get the error message "This server could not prove that it is XXXX; its security certificate is from YYYY. This may be caused by a misconfiguration or an attacker intercepting your connection."?

3- Will this fix the SMTP error too?

FYI, the cert says it's valid till 2037.

Best



  • I will try to summarize Public Key Infrastructure technology.

    The first step in encryption is to verify that you are talking to the right server. You use a DNS name in your browser. The browser uses DNS to convert it to a number and connects to the server. The server responds with a certificate that says, "This is my name (or my list of names)". The browser checks that the DNS name you used matches a name in the returned certificate.

    But anybody can lie, so you need both a certificate with the right name and a certificate issued by someone you trust. Technically, this means that the certificate needs to have a signature chain back to a certificate that you have installed as a trusted root. Normally, this means that you need a certificate issued by a commercial certificate authority, for which you pay a fee.

    UTM creates its own root certificates, which it uses for HTTPS Inspection, SSL VPN, and other purposes. These root certificates are then used to sign other certificates. For client devices to trust these certificates, you must load the root certificate onto each client device.

    Because the user portal may be accessed from many devices, it is generally not feasible to preload a root certificate on each one, so a commercial CA certificate is preferred.

    LetsEncrypt.org provides a way to get a certificate for free, using a fully automated process, but the certificate must be renewed frequently. I think others in this forum are using it successfully.

    So in summary, you can always expect to get the certificate error until you buy and install a commercial certificate, or until you install the UTM root certificate on your home devices.

    The hostname and the certificate name do not have to match, as long as you have configured the override hostname in the places where it is used (user portal, web admin, SMTP).

  • When I bought my commercial certificate, I used a different name than the hostname. Never bothered to change the hostname. The certificate name is used for the user portal, webadmin, and SSL VPN.
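To make the two checks in the reply above concrete (the name you typed must appear in the certificate, and the certificate must chain to a root the device trusts), here is an added worked example using the openssl command line. It is not code from this thread or from Sophos UTM: it builds a throwaway private root CA standing in for the UTM's own root, issues a server certificate for a made-up host name, and then runs the same verification a browser does in three situations: correct name with the root installed, the old name still in the URL, and the correct name on a "home device" that never had the private root installed. The CA name, the host names `utm.example.internal` / `old-utm.example.internal`, the scratch directory and the function names are all assumptions made for the demo; openssl 1.1.1 or newer is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos UTM). Demonstrates
# the two checks a browser makes against a server certificate:
#   1. the DNS name in the URL matches a name in the certificate (SAN)
#   2. the certificate chains to a root installed as trusted on the device
# All names and files below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- 1. A private root CA, playing the role of the UTM's own root certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout ca.key -out ca.csr -subj "/CN=Demo Private Root CA" >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
    -extfile ca.ext -out ca.crt >/dev/null 2>&1

# --- 2. A server certificate issued by that root for the (assumed) UTM name.
#        Browsers match the URL host name against subjectAltName, so the
#        name must be there, not only in the CN.
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:utm.example.internal\n' > server.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout server.key -out server.csr -subj "/CN=utm.example.internal" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile server.ext -out server.crt >/dev/null 2>&1

# cert_names: the DNS names a browser will accept for server.crt.
cert_names() {
    openssl x509 -in server.crt -noout -text | grep -o 'DNS:[A-Za-z0-9.*-]*'
}

# verify_as_browser HOSTNAME TRUSTFILE
# Returns 0 only when server.crt passes both checks for HOSTNAME.
# TRUSTFILE is the device's trust store; pass "none" for a device that has
# never had the private root installed (only the OS default store, if any).
verify_as_browser() {
    name="$1"
    trust="$2"
    if [ "$trust" = "none" ]; then
        openssl verify -no-CAfile -no-CApath -verify_hostname "$name" \
            server.crt >/dev/null 2>&1
    else
        openssl verify -CAfile "$trust" -no-CApath -verify_hostname "$name" \
            server.crt >/dev/null 2>&1
    fi
}

# report LABEL HOSTNAME TRUSTFILE: print what the browser would conclude.
report() {
    if verify_as_browser "$2" "$3"; then
        echo "OK     $1"
    else
        echo "ERROR  $1"
    fi
}

echo "Names in the certificate: $(cert_names | tr '\n' ' ')"
report "correct name, root installed on the device"     utm.example.internal     ca.crt
report "old host name in the URL, root installed"       old-utm.example.internal ca.crt
report "correct name, home device without private root" utm.example.internal     none
```

The first case is the only one that passes. The second is the situation in the original post (the URL still uses a name that is not in the certificate), and the third is what a home device sees even after the certificate is re-generated with the right name, unless the private root is installed on it or the certificate is replaced by one from a publicly trusted CA.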
