Renew an internally signed certificate for a VPN Gateway element

New certificates signed by the new default certificate authority are automatically created for VPN Gateway elements. You must manually create and renew any certificates that are not signed by the default certificate authority.

If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority. If automatic RSA certificate management is activated for an NGFW Engine, RSA certificates issued by the default certificate authority are renewed automatically as long as the certificate-related files, including the private key stored on the engines, are intact. You must manually create and renew any other certificates that are not signed by the default certificate authority.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Certificates > Gateway Certificates.
    The certificates are shown with their expiration dates and signer information.
  3. Right-click the certificate you want to renew and select Renew Certificate.
    You are prompted to confirm that you want to renew the certificate.
  4. Click Yes.
    There is a delay while the certificate is renewed, after which you are notified that the certificate was renewed. The certificate is transferred to the engine automatically.
  5. Refresh the policy of the Firewall to activate the new certificate.

This procedure renews the certificate when the certificate-related information is intact on the engine and on the Management Server. If the certificate has not expired but has other problems, delete the existing certificate element in the Management Client and create a new one.