Renewing VPN Certificates

Prerequisites: None

For security reasons, certificates have an expiry date, after which the certificate must be replaced with a new one. The process is partially automatic when internally-signed certificates are used, and the necessary steps are explained in this section. To create a new externally-signed certificate, see Creating a VPN Certificate or Certificate Request for an Internal Gateway.

The certificates issued by the internal VPN Certificate Authority are valid for three years. If automatic RSA certificate management is activated for an internal security gateway, RSA certificates issued by the internal VPN Certificate Authority are renewed automatically without your intervention as long as the certificate-related files are intact (including the private key stored on the engines).

The internal VPN Certificate Authority itself is valid for ten years. A new internal VPN Certificate Authority is automatically created six months before the internal VPN Certificate Authority’s expiration date. New certificates signed by the new internal VPN Certificate Authority are automatically created for internal gateways. If certificates are used to authenticate IPsec VPN client users and the certificates have been signed by the expiring VPN Certificate Authority, you must manually create new certificates for the IPsec VPN clients. You must also create new certificates manually for any other external components that have certificates signed by the internal VPN Certificate Authority.

Note –

When you renew the VPN certificate, StoneGate IPsec VPN client users will receive a notification about the certificate fingerprint change. Notify your users before you renew the certificate, if possible.

To renew an externally signed certificate of an internal Gateway

1.   Create a new certificate request as explained in Creating a VPN Certificate or Certificate Request for an Internal Gateway.

2.   Import the signed certificate as explained in Importing a VPN Gateway Certificate.

To renew an internally signed certificate of an external component

1.   Create a new certificate request in the external component. For StoneGate IPsec VPN clients, this is explained in the IPsec VPN Client User’s Guide.

2.   Sign the certificate as explained in Signing External Certificate Requests Internally.

To manually renew internally signed Internal Gateway certificates

1.   Select Configuration→Configuration→VPN from the menu to switch to the VPN Configuration view.

2.   Browse to Virtual Private Networks→Certificates→Gateway Certificates. The certificates are shown with their expiration dates and signer information.

3.   Right-click the certificate you want to renew and select Renew Certificate.

4.   Click Yes. There is a delay while the certificate is renewed, after which you are notified that the certificate was renewed. The certificate is transferred to the engine automatically.

5.   Refresh the policy of the firewall/VPN engine to activate the new certificate.

The procedure explained above renews the certificate when the certificate-related information is intact on the engine and on the Management Server. If the certificate has not expired but is affected by other problems, delete the existing certificate element in the Management Client and create a new one (see Creating a VPN Certificate or Certificate Request for an Internal Gateway).
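The renewal rules above (automatic renewal for internally signed gateway certificates, manual renewal for IPsec VPN clients and other external components, a new CSR for externally signed certificates, and the new internal CA created roughly six months before the old one expires) can be turned into a simple inventory check. The following is an added example, not part of the product or this guide; the certificate records, the 182-day approximation of "six months" and the 90-day warning window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# A new internal VPN CA is created about six months before the old one expires;
# 182 days is this example's approximation of that lead time (assumption).
CA_REPLACEMENT_LEAD = timedelta(days=182)

@dataclass
class VpnCert:
    name: str
    kind: str          # "internal_gateway", "vpn_client" or "external_component"
    signer: str        # "internal_ca" or "external_ca"
    not_after: date
    auto_rsa: bool = False   # automatic RSA certificate management active (gateways only)

def renewal_actions(certs, ca_not_after, today, warn_days=90):
    """Map each certificate name to the renewal action implied by the guide's rules."""
    new_ca_exists = today >= ca_not_after - CA_REPLACEMENT_LEAD
    actions = {}
    for c in certs:
        days_left = (c.not_after - today).days
        if days_left < 0:
            actions[c.name] = "EXPIRED: replace certificate now"
            continue
        near_expiry = days_left <= warn_days
        if c.signer == "external_ca":
            # Externally signed certificate: new request, then import the signed certificate.
            actions[c.name] = "create CSR and import signed certificate" if near_expiry else "ok"
        elif c.kind == "internal_gateway":
            if new_ca_exists or c.auto_rsa:
                # Re-issued by the Management Server; the engine still needs a policy refresh.
                actions[c.name] = "automatic: refresh engine policy"
            else:
                actions[c.name] = ("Renew Certificate in Management Client, then refresh policy"
                                   if near_expiry else "ok")
        else:
            # VPN clients and other external components signed by the internal CA are
            # re-certified manually, also when the signing CA is being replaced.
            actions[c.name] = ("manual: new request in component, sign internally, notify users"
                               if (near_expiry or new_ca_exists) else "ok")
    return actions

# Constructed sample inventory (not real data), evaluated on a fixed date.
SAMPLE = [
    VpnCert("gw-hq", "internal_gateway", "internal_ca", date(2014, 5, 10), auto_rsa=True),
    VpnCert("gw-branch-dsa", "internal_gateway", "internal_ca", date(2014, 5, 10)),
    VpnCert("gw-partner", "internal_gateway", "external_ca", date(2015, 1, 1)),
    VpnCert("vpn-clients", "vpn_client", "internal_ca", date(2016, 1, 1)),
]

if __name__ == "__main__":
    for name, action in renewal_actions(SAMPLE, date(2019, 6, 1), date(2014, 3, 1)).items():
        print(f"{name:15} {action}")
```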