Internal VPN certificate authorities

The Management Server includes a dedicated Internal RSA CA for Gateways and optionally an Internal ECDSA CA for Gateways for signing VPN certificates for creating self-signed certificates.

You can use both an Internal ECDSA CA for Gateways and an Internal RSA CA for Gateways at the same time.

The internal certificate authorities run on the same computer as the Management Server. If you have both types of internal certificate authorities, only one certificate authority can be selected as the default certificate authority. Only the default CA is used in automated RSA certificate management. You must manually create and renew any certificates that are not signed by the default CA.

If you want to use the internal certificate authorities to sign certificates, you must export, transfer, and import certificate requests and signed certificates manually. The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways do not support certificate revocation lists. We do not recommend using the internal certificate authorities to sign certificates for components that are outside the control of your organization.

The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are each valid for 10 years. A new Internal RSA CA for Gateways or Internal ECDSA CA for Gateways is automatically created to replace the default certificate authority 6 months before the expiration date. The internal certificate authority that is not selected as the default certificate authority is not automatically renewed.

If automatic RSA certificate management is activated for an NGFW Engine, RSA certificates issued by the default certificate authority are renewed automatically. You must manually renew certificates if the certificate-related files, including the private key stored on the engines, are damaged or lost. You must also manually create and renew any certificates that are signed not signed by the default certificate authority. If certificates for authenticating VPN client users were signed by the expiring Internal CA for Gateways, you must manually create new certificates for the VPN clients. You must also create new certificates manually for external components that have certificates signed by the Internal RSA CA for Gateways or the Internal ECDSA CA for Gateways.