Skip to content

Self-managed SSL Certificates

While smoxy automatically generates and renews SSL certificates via Let's Encrypt, you may need to use your own certificates in certain scenarios. This guide covers everything about uploading and managing self-managed SSL certificates.

Upload and manage self-managed SSL certificates.Upload and manage self-managed SSL certificates.
Upload and manage self-managed SSL certificates.

When to Use Self-managed Certificates

Self-managed certificates are useful when you:

  • Need an Extended Validation (EV) certificate for compliance or trust indicators
  • Have certificates issued by a specific Certificate Authority required by your organization
  • Need certificates with specific attributes not provided by Let's Encrypt
  • Operate in environments where Let's Encrypt is not permitted

Requirements

Your certificate must meet the following requirements:

RequirementDetails
FormatPEM-encoded (Base64 ASCII, starts with -----BEGIN CERTIFICATE-----)
Private KeyPEM-encoded RSA or ECDSA key, must match the certificate
ValidityCertificate must not be expired
Domain CoverageCertificate must include at least one SAN matching your domain
ChainProvide intermediate certificates for full chain validation - paste them into the dialog's separate Chain PEM (optional) field

Certificate File Format

Put your server certificate in the Certificate PEM field and any intermediate certificates in the separate Chain PEM (optional) field. Each is PEM-encoded - one or more blocks like this:

-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate - put this in the Chain PEM field)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate - optional, usually not needed)
-----END CERTIFICATE-----

Private Key Format

-----BEGIN PRIVATE KEY-----
(Your private key)
-----END PRIVATE KEY-----

or RSA format:

-----BEGIN RSA PRIVATE KEY-----
(Your RSA private key)
-----END RSA PRIVATE KEY-----

Uploading a Self-managed Certificate

  1. Open SSL Certificates in the smoxy sidebar
  2. Click New Certificate to open the New SSL Certificate dialog
  3. Set Type to Custom
  4. Paste or upload your Certificate PEM (your server certificate)
  5. Paste or upload your Private Key PEM (the matching private key)
  6. Optionally add any intermediate certificates in the separate Chain PEM (optional) field
  7. Click Create Certificate
The New SSL Certificate dialog with the type set to Custom: paste or upload the certificate, private key and chain.The New SSL Certificate dialog with the type set to Custom: paste or upload the certificate, private key and chain.
The New SSL Certificate dialog with the type set to Custom: paste or upload the certificate, private key and chain.

What smoxy validates

When you upload, smoxy checks:

  1. Certificate validity - Is the certificate parseable and in PEM format?
  2. Key match - Does the private key match the certificate?
  3. Expiration - Is the certificate still valid?
  4. Chain validity - If provided, is the intermediate chain valid PEM?
  5. SAN comparison - If replacing an existing certificate, smoxy compares the Subject Alternative Names

SAN Mismatch Warning

If the SANs in your new certificate differ from the current certificate, smoxy will display:

  • Which domains are added in the new certificate
  • Which domains are removed compared to the current certificate

You must confirm the upload if SANs differ. This prevents accidental removal of domain coverage.


Renewal Responsibilities

smoxy does not auto-renew self-managed certificates. You are fully responsible for:

  1. Monitoring certificate expiration
  2. Obtaining a renewed certificate from your CA
  3. Uploading the new certificate before the old one expires

smoxy displays the certificate's expiration date on its detail page to help you plan renewals.

The certificate detail panel: domain, type, status, issuer, fingerprint and expiration date.The certificate detail panel: domain, type, status, issuer, fingerprint and expiration date.
The certificate detail panel: domain, type, status, issuer, fingerprint and expiration date.

INFO

Tip: Consider switching to smoxy's auto-generated certificates if certificate management overhead becomes a burden. You can switch at any time.


Switching Between Certificate Types

From Self-managed to Auto-managed

You can switch from a self-managed certificate to an auto-managed Let's Encrypt certificate:

  1. Ensure your _acme-challenge CNAME records are properly configured
  2. Open the certificate on the SSL Certificates page
  3. Choose Switch to Auto-Managed

smoxy will start the generation process. Your self-managed certificate remains active until the new certificate is ready.

From Auto-managed to Self-managed

  1. Upload your certificate as described above
  2. The auto-managed certificate is archived
  3. Automatic renewal is disabled for this domain

INFO

Note: The previous certificate is always archived, not deleted. This provides an audit trail of certificate changes.


Common Errors

ErrorCauseSolution
Invalid CRT fileCertificate cannot be parsedEnsure the certificate is PEM-encoded
CRT and KEY file do not matchPrivate key doesn't correspond to the certificateVerify you're using the correct key for this certificate
The CRT file has expiredCertificate's validity period has endedObtain a new certificate from your CA
Certificate does not contain this domainNone of the SANs match your domainEnsure the certificate covers your domain or its wildcard
Invalid chainThe intermediate chain is missing or not valid PEMProvide a valid intermediate chain in the Chain PEM (optional) field