smoxy

English

Deutsch

English

Deutsch

Appearance

Self-managed SSL Certificates

While smoxy automatically generates and renews SSL certificates via Let's Encrypt, you may need to use your own certificates in certain scenarios. This guide covers everything about uploading and managing self-managed SSL certificates.

When to Use Self-managed Certificates

Self-managed certificates are useful when you:

  • Need an Extended Validation (EV) certificate for compliance or trust indicators
  • Have certificates issued by a specific Certificate Authority required by your organization
  • Need certificates with specific attributes not provided by Let's Encrypt
  • Operate in environments where Let's Encrypt is not permitted

Requirements

Your certificate must meet the following requirements:

RequirementDetails
FormatPEM-encoded (Base64 ASCII, starts with -----BEGIN CERTIFICATE-----)
Private KeyPEM-encoded RSA or ECDSA key, must match the certificate
ValidityCertificate must not be expired
Domain CoverageCertificate must include at least one SAN matching your domain
ChainInclude intermediate certificates in the certificate file for full chain validation

Certificate File Format

Your certificate file should contain the full chain in this order:

-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate — optional, usually not needed)
-----END CERTIFICATE-----

Private Key Format 

-----BEGIN PRIVATE KEY-----
(Your private key)
-----END PRIVATE KEY-----

or RSA format:

-----BEGIN RSA PRIVATE KEY-----
(Your RSA private key)
-----END RSA PRIVATE KEY-----

Uploading a Self-managed Certificate

  1. Go to Domains & DNS in the smoxy sidebar
  2. Click on the domain you want to configure
  3. Navigate to the SSL tab
  4. Click Upload SSL Certificate
  5. Paste or upload your certificate (including intermediate chain)
  6. Paste or upload your private key
  7. Click Save

What smoxy validates

When you upload, smoxy checks:

  1. Certificate validity — Is the certificate parseable and in PEM format?
  2. Key match — Does the private key match the certificate?
  3. Expiration — Is the certificate still valid?
  4. SAN comparison — If replacing an existing certificate, smoxy compares the Subject Alternative Names

SAN Mismatch Warning

If the SANs in your new certificate differ from the current certificate, smoxy will display:

  • Which domains are added in the new certificate
  • Which domains are removed compared to the current certificate

You must confirm the upload if SANs differ. This prevents accidental removal of domain coverage.

Renewal Responsibilities

smoxy does not auto-renew self-managed certificates. You are fully responsible for:

  1. Monitoring certificate expiration
  2. Obtaining a renewed certificate from your CA
  3. Uploading the new certificate before the old one expires

smoxy displays the certificate's expiration date on the SSL tab to help you plan renewals.

INFO

Tip: Consider switching to smoxy's auto-generated certificates if certificate management overhead becomes a burden. You can switch at any time.

Switching Between Certificate Types

From Self-managed to Auto-managed

You can switch from a self-managed certificate to an auto-managed Let's Encrypt certificate:

  1. Ensure your _acme-challenge CNAME records are properly configured
  2. Navigate to the SSL tab
  3. Select the option to generate a new certificate

smoxy will start the generation process. Your self-managed certificate remains active until the new certificate is ready.

From Auto-managed to Self-managed

  1. Upload your certificate as described above
  2. The auto-managed certificate is archived
  3. Automatic renewal is disabled for this domain

INFO

Note: The previous certificate is always archived, not deleted. This provides an audit trail of certificate changes.

Common Errors

ErrorCauseSolution
Invalid CRT fileCertificate cannot be parsedEnsure the file is in PEM format and includes the full chain
CRT and KEY file do not matchPrivate key doesn't correspond to the certificateVerify you're using the correct key for this certificate
The CRT file has expiredCertificate's validity period has endedObtain a new certificate from your CA
Certificate does not contain this domainNone of the SANs match your domainEnsure the certificate covers your domain or its wildcard