Check when VPN certificate authorities expire

The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are valid for 10 years.

The Management Server includes a dedicated Internal RSA CA for Gateways for signing VPN certificates. You can optionally also create an Internal ECDSA CA for Gateways. If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority.

A new Internal RSA CA for Gateways or Internal ECDSA CA for Gateways is automatically created to replace the default certificate authority six months before the expiration date. The certificate authority that is not selected as the default certificate authority is not automatically renewed.

When a new internal VPN CA has been created, the VPN gateways that trust the old VPN CA must be made to trust the new VPN CA. VPN clients that use certificates for user authentication also require new certificates signed by the new VPN CA.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Certificates > VPN Certificate Authorities.
  3. See the Expiration Date column for information about the CA’s expiration date.
  4. To view detailed information, right-click an Internal RSA CA for Gateways or an Internal ECDSA CA for Gateways, then select Properties. Check the following information in the Properties dialog box:
    • Validity information in the Valid from and Valid to fields.
    • Status information:
      • Active: You can use this Internal CA for Gateways to sign certificates.
      • Renewal Started: This certificate authority is a new Internal CA for Gateways that the SMC has created automatically. The process of renewing VPN certificates has begun.
      • Expires Soon: A new Internal CA for Gateways has been created but some components might still use certificates signed by this Internal CA for Gateways.
      • Inactive: This Internal CA for Gateways has expired or no SMC components use a certificate signed by this internal VPN CA.
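
To track the same dates outside the Management Client, the following added example (not SMC code and not part of the original procedure) applies the rules above to Valid to dates copied by hand from the Properties dialog box. The `VpnCa` record, the action labels, the sample dates, and the use of the six-month lead as a warning threshold for the non-default CA are assumptions of this example.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date

RENEWAL_LEAD_MONTHS = 6  # from the page: replacement CA is created six months before expiry


@dataclass
class VpnCa:               # hypothetical record, filled in by hand
    name: str              # element name as shown in the Management Client
    valid_to: date         # "Valid to" value from the Properties dialog box
    is_default: bool       # True if this CA is the selected default CA


def minus_months(d: date, months: int) -> date:
    """Subtract calendar months, clamping the day to the target month's length."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    month = month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def review(ca: VpnCa, today: date) -> dict:
    """Classify one CA by date only; the SMC Status field is not modelled."""
    days_left = (ca.valid_to - today).days
    window_start = minus_months(ca.valid_to, RENEWAL_LEAD_MONTHS)
    if days_left < 0:
        action = "expired"
    elif today < window_start:
        action = "ok"
    elif ca.is_default:
        # A replacement CA should now exist: gateways must be made to trust it,
        # and certificate-authenticated VPN clients need new certificates.
        action = "update-trust-and-reissue"
    else:
        # The non-default CA is not renewed automatically.
        action = "no-auto-renewal-act-manually"
    return {"name": ca.name, "days_left": days_left, "action": action,
            "auto_renewal_on": window_start if ca.is_default else None}


# Constructed sample inventory; the dates are illustrative only.
SAMPLE = [
    VpnCa("Internal RSA CA for Gateways", date(2026, 8, 31), True),
    VpnCa("Internal ECDSA CA for Gateways", date(2026, 5, 15), False),
    VpnCa("Internal RSA CA for Gateways (old)", date(2025, 1, 10), False),
]

if __name__ == "__main__":
    for ca in SAMPLE:
        print(review(ca, today=date(2026, 3, 1)))
```

The classification uses dates only, so confirm the actual state in the Status field of the Properties dialog box before acting on it.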