Select the default internal certificate authority

If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority.

Only the default certificate authority is used in automated RSA certificate management. You must manually create and renew any certificates that are not signed by the default CA.
All gateways in the same VPN must support the CA algorithm used by the default certificate authority. Otherwise, VPN communication fails.

For more details about the product and how to configure features, click Help or press F1.


  1. Select Configuration, then browse to SD-WAN.
  2. Browse to Other Elements > Certificates > VPN Certificate Authorities.
  3. Right-click the Internal CA for Gateways that is not currently the default certificate authority, then select Tools > Set Default Certificate Authority.