Self-managed SSL Certificates
While smoxy automatically generates and renews SSL certificates via Let's Encrypt, you may need to use your own certificates in certain scenarios. This guide covers everything about uploading and managing self-managed SSL certificates.
When to Use Self-managed Certificates
Self-managed certificates are useful when you:
Need an Extended Validation (EV) certificate for compliance or trust indicators
Have certificates issued by a specific Certificate Authority required by your organization
Need certificates with specific attributes not provided by Let's Encrypt
Operate in environments where Let's Encrypt is not permitted
Requirements
Your certificate must meet the following requirements:
Format
PEM-encoded (Base64 ASCII, starts with -----BEGIN CERTIFICATE-----)
Private Key
PEM-encoded RSA or ECDSA key, must match the certificate
Validity
Certificate must not be expired
Domain Coverage
Certificate must include at least one SAN matching your domain
Chain
Include intermediate certificates in the certificate file for full chain validation
Certificate File Format
Your certificate file should contain the full chain in this order:
Private Key Format
or RSA format:
Uploading a Self-managed Certificate
Go to Domains & DNS in the smoxy sidebar
Click on the domain you want to configure
Navigate to the SSL tab
Click Upload SSL Certificate
Paste or upload your certificate (including intermediate chain)
Paste or upload your private key
Click Save
What smoxy validates
When you upload, smoxy checks:
Certificate validity — Is the certificate parseable and in PEM format?
Key match — Does the private key match the certificate?
Expiration — Is the certificate still valid?
SAN comparison — If replacing an existing certificate, smoxy compares the Subject Alternative Names
SAN Mismatch Warning
If the SANs in your new certificate differ from the current certificate, smoxy will display:
Which domains are added in the new certificate
Which domains are removed compared to the current certificate
You must confirm the upload if SANs differ. This prevents accidental removal of domain coverage.
Renewal Responsibilities
smoxy does not auto-renew self-managed certificates. You are fully responsible for:
Monitoring certificate expiration
Obtaining a renewed certificate from your CA
Uploading the new certificate before the old one expires
smoxy displays the certificate's expiration date on the SSL tab to help you plan renewals.
Tip: Consider switching to smoxy's auto-generated certificates if certificate management overhead becomes a burden. You can switch at any time.
Switching Between Certificate Types
From Self-managed to Auto-managed
You can switch from a self-managed certificate to an auto-managed Let's Encrypt certificate:
Ensure your
_acme-challengeCNAME records are properly configuredNavigate to the SSL tab
Select the option to generate a new certificate
smoxy will start the generation process. Your self-managed certificate remains active until the new certificate is ready.
From Auto-managed to Self-managed
Upload your certificate as described above
The auto-managed certificate is archived
Automatic renewal is disabled for this domain
Note: The previous certificate is always archived, not deleted. This provides an audit trail of certificate changes.
Common Errors
Invalid CRT file
Certificate cannot be parsed
Ensure the file is in PEM format and includes the full chain
CRT and KEY file do not match
Private key doesn't correspond to the certificate
Verify you're using the correct key for this certificate
The CRT file has expired
Certificate's validity period has ended
Obtain a new certificate from your CA
Certificate does not contain this domain
None of the SANs match your domain
Ensure the certificate covers your domain or its wildcard
Last updated
Was this helpful?