# Self-managed SSL Certificates

While smoxy automatically generates and renews SSL certificates via Let's Encrypt, you may need to use your own certificates in certain scenarios. This guide covers everything about uploading and managing self-managed SSL certificates.

***

### When to Use Self-managed Certificates

Self-managed certificates are useful when you:

* Need an **Extended Validation (EV)** certificate for compliance or trust indicators
* Have certificates issued by a specific Certificate Authority required by your organization
* Need certificates with specific attributes not provided by Let's Encrypt
* Operate in environments where Let's Encrypt is not permitted

***

### Requirements

Your certificate must meet the following requirements:

| Requirement         | Details                                                                             |
| ------------------- | ----------------------------------------------------------------------------------- |
| **Format**          | PEM-encoded (Base64 ASCII, starts with `-----BEGIN CERTIFICATE-----`)               |
| **Private Key**     | PEM-encoded RSA or ECDSA key, must match the certificate                            |
| **Validity**        | Certificate must not be expired                                                     |
| **Domain Coverage** | Certificate must include at least one SAN matching your domain                      |
| **Chain**           | Include intermediate certificates in the certificate file for full chain validation |

#### Certificate File Format

Your certificate file should contain the full chain in this order:

```
-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate — optional, usually not needed)
-----END CERTIFICATE-----
```

#### Private Key Format

```
-----BEGIN PRIVATE KEY-----
(Your private key)
-----END PRIVATE KEY-----
```

or RSA format:

```
-----BEGIN RSA PRIVATE KEY-----
(Your RSA private key)
-----END RSA PRIVATE KEY-----
```

***

### Uploading a Self-managed Certificate

1. Go to **Domains & DNS** in the smoxy sidebar
2. Click on the domain you want to configure
3. Navigate to the **SSL** tab
4. Click **Upload SSL Certificate**
5. Paste or upload your **certificate** (including intermediate chain)
6. Paste or upload your **private key**
7. Click **Save**

#### What smoxy validates

When you upload, smoxy checks:

1. **Certificate validity** — Is the certificate parseable and in PEM format?
2. **Key match** — Does the private key match the certificate?
3. **Expiration** — Is the certificate still valid?
4. **SAN comparison** — If replacing an existing certificate, smoxy compares the Subject Alternative Names

#### SAN Mismatch Warning

If the SANs in your new certificate differ from the current certificate, smoxy will display:

* Which domains are **added** in the new certificate
* Which domains are **removed** compared to the current certificate

You must confirm the upload if SANs differ. This prevents accidental removal of domain coverage.
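The checks listed under "What smoxy validates" and the SAN comparison described above can be reproduced locally before uploading. The script below is an added example built on the `openssl` CLI, not smoxy's own validation code. All function names are hypothetical, and the wildcard matching rule is an assumption about how domain coverage is evaluated.

```shell
#!/usr/bin/env bash
# Added example: local pre-upload checks using the openssl CLI.
# openssl x509 reads only the first certificate in a file, so every check
# below applies to the leaf, which must come first in the bundle.

check_parse() { openssl x509 -in "$1" -noout 2>/dev/null; }

# Key match: the certificate and the private key must yield the same public key.
check_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Expiration: succeeds only if the certificate is still valid N days from now.
check_not_expired() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-0} * 86400 ))" >/dev/null 2>&1
}

# DNS SANs of the leaf certificate, one per line, sorted.
san_list() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n1 |
    tr ',' '\n' | sed -n 's/^ *DNS://p' | LC_ALL=C sort -u
}

# Domain coverage: exact SAN or a wildcard one label up (assumed matching rule).
covers_domain() { san_list "$1" | grep -Fxq -e "$2" -e "*.${2#*.}"; }

# SAN comparison: "+name" is added by the new certificate, "-name" is removed.
san_diff() {  # san_diff <current.pem> <new.pem>
  o=$(mktemp); n=$(mktemp)
  san_list "$1" >"$o"; san_list "$2" >"$n"
  LC_ALL=C comm -13 "$o" "$n" | sed 's/^/+/'
  LC_ALL=C comm -23 "$o" "$n" | sed 's/^/-/'
  rm -f "$o" "$n"
}

preflight() {  # preflight <bundle.pem> <key.pem> <domain> [min_days_left]
  check_parse "$1" || { echo "FAIL: not a parseable PEM certificate"; return 1; }
  check_key_match "$1" "$2" || { echo "FAIL: key does not match certificate"; return 1; }
  check_not_expired "$1" "${4:-0}" || { echo "FAIL: expired or expiring too soon"; return 1; }
  covers_domain "$1" "$3" || { echo "FAIL: no SAN covers $3"; return 1; }
  [ "$(grep -c 'BEGIN CERTIFICATE' "$1")" -gt 1 ] ||
    echo "WARN: bundle has no intermediate certificate"
  echo "OK"
}

if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Passing a fourth argument such as `30` makes the expiration check fail for certificates with fewer than 30 days of validity left, which also makes the script usable as a scheduled renewal reminder.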

***

### Renewal Responsibilities

**smoxy does not auto-renew self-managed certificates.** You are fully responsible for:

1. Monitoring certificate expiration
2. Obtaining a renewed certificate from your CA
3. Uploading the new certificate before the old one expires

smoxy displays the certificate's expiration date on the SSL tab to help you plan renewals.

{% hint style="info" %}
**Tip:** Consider switching to smoxy's auto-generated certificates if certificate management overhead becomes a burden. You can switch at any time.
{% endhint %}

***

### Switching Between Certificate Types

#### From Self-managed to Auto-managed

You can switch from a self-managed certificate to an auto-managed Let's Encrypt certificate:

1. Ensure your `_acme-challenge` CNAME records are properly configured
2. Navigate to the SSL tab
3. Select the option to generate a new certificate

smoxy will start the generation process. Your self-managed certificate remains active until the new certificate is ready.

#### From Auto-managed to Self-managed

1. Upload your certificate as described above
2. The auto-managed certificate is archived
3. Automatic renewal is disabled for this domain

{% hint style="info" %}
**Note:** The previous certificate is always archived, not deleted. This provides an audit trail of certificate changes.
{% endhint %}

***

### Common Errors

| Error                                        | Cause                                             | Solution                                                     |
| -------------------------------------------- | ------------------------------------------------- | ------------------------------------------------------------ |
| **Invalid CRT file**                         | Certificate cannot be parsed                      | Ensure the file is in PEM format and includes the full chain |
| **CRT and KEY file do not match**            | Private key doesn't correspond to the certificate | Verify you're using the correct key for this certificate     |
| **The CRT file has expired**                 | Certificate's validity period has ended           | Obtain a new certificate from your CA                        |
| **Certificate does not contain this domain** | None of the SANs match your domain                | Ensure the certificate covers your domain or its wildcard    |
