Validity of certificates
Every certificate carries a validity period: it becomes valid at a specific date and time and expires at a later date and time. Both limits are written into the certificate when it is signed, so a certificate cannot be extended afterwards, only replaced.
All components that use (or sign) certificates must have correct time settings to avoid unexpected certificate rejections: a component whose clock is behind the issuer's clock rejects a newly issued certificate as not yet valid, and a component whose clock is ahead rejects certificates as expired before they really are. The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways on the Management Server generate certificates that are valid immediately and expire three years after their creation.
Certificate revocation lists (CRLs) cancel a certificate before it reaches its expiration. For example, a certificate is revoked if unauthorized parties have obtained a copy of the certificate and its associated private key, because they could otherwise use it to impersonate the certificate holder until it expires.
The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways do not support CRLs. If you want to use CRLs, you must use an external certificate authority (either one you maintain yourself or a commercial service).
The NGFW Engine fetches CRLs over LDAP or HTTP from the CRL distribution points listed in the certificate (the URL scheme determines the protocol). If all defined CRL servers are unreachable, the certificates are treated as invalid until the CRL can be checked: revocation checking fails closed, so the CRL servers must stay reachable from the engine for connections that depend on these certificates to be accepted. You can set up the NGFW Engine to access CRL servers directly, or to use the OCSP protocol instead.
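The following Python script is an added example, not Forcepoint code and not the NGFW Engine's implementation. It models the checks a certificate-consuming component performs, in the order this section describes: the validity window against the checker's own clock, the issuer signature, then a CRL fetched from the distribution points listed in the certificate, failing closed when no usable CRL is obtained. It goes slightly beyond the text in also treating a CRL past its nextUpdate as unusable. It needs the cryptography package; the CA, the gateway name and the HTTP and LDAP CRL URLs are made up, and the CRL servers are simulated by a function that answers only for chosen URL schemes.

```python
"""Added example, not Forcepoint code: validity-window and CRL checks for a gateway certificate."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

DAY, YEAR = dt.timedelta(days=1), dt.timedelta(days=365)
CRL_URLS = ["http://crl.example.net/gw.crl",            # hypothetical distribution points, tried in
            "ldap://ldap.example.net/cn=gw,o=example"]  # this order; the scheme selects HTTP or LDAP

def _utc(obj, attr):  # timezone-aware date accessor for old and new cryptography releases
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=dt.timezone.utc)

def make_ca(now):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example External CA")])
    return key, (x509.CertificateBuilder().subject_name(name).issuer_name(name)
                 .public_key(key.public_key()).serial_number(x509.random_serial_number())
                 .not_valid_before(now).not_valid_after(now + 10 * YEAR)
                 .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                 .sign(key, hashes.SHA256()))

def issue_gateway_cert(ca_key, ca_cert, issued_at):  # three-year lifetime, like the internal CAs
    key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        [x509.UniformResourceIdentifier(u) for u in CRL_URLS], None, None, None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "gw1.example.net")]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(issued_at).not_valid_after(issued_at + 3 * YEAR)
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials, this_update, lifetime=7 * DAY):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(this_update).next_update(this_update + lifetime))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(this_update)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_urls(cert):  # URIs from the CRL Distribution Points extension, in certificate order
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def check_certificate(cert, ca_cert, fetch_crl, now):
    """`now` is the checker's own clock; fetch_crl(url) returns a CRL or raises OSError."""
    if now < _utc(cert, "not_valid_before"):
        return "not_yet_valid"            # checker's clock is behind the issuer's
    if now > _utc(cert, "not_valid_after"):
        return "expired"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad_signature"
    crl = None
    for url in crl_urls(cert):            # first reachable distribution point wins
        try:
            crl = fetch_crl(url)
            break
        except OSError:
            continue
    # Fail closed: no CRL, an unverifiable CRL or a CRL past nextUpdate all reject the certificate.
    usable = crl is not None and crl.is_signature_valid(ca_cert.public_key())
    if not usable or now > _utc(crl, "next_update"):
        return "crl_unavailable"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"

def scenario():  # constructed end-to-end run covering the cases the section describes
    t0 = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    ca_key, ca_cert = make_ca(t0 - DAY)
    gw = issue_gateway_cert(ca_key, ca_cert, t0)
    crl_ok, crl_revoked = [build_crl(ca_key, ca_cert, s, t0) for s in ([], [gw.serial_number])]
    def servers(up, crl):                 # simulated CRL servers; only schemes in `up` answer
        def fetch(url):
            if url.split(":", 1)[0] in up:
                return crl
            raise OSError("CRL server unreachable (simulated): " + url)
        return fetch
    return {
        "urls": crl_urls(gw),
        "valid": check_certificate(gw, ca_cert, servers({"ldap"}, crl_ok), t0 + DAY),  # HTTP down
        "clock_behind": check_certificate(gw, ca_cert, servers({"http"}, crl_ok), t0 - DAY),
        "expired": check_certificate(gw, ca_cert, servers({"http"}, crl_ok), t0 + 3 * YEAR + DAY),
        "revoked": check_certificate(gw, ca_cert, servers({"http"}, crl_revoked), t0 + DAY),
        "all_crl_down": check_certificate(gw, ca_cert, servers(set(), crl_ok), t0 + DAY),
        "stale_crl": check_certificate(gw, ca_cert, servers({"http"}, crl_ok), t0 + 30 * DAY),
    }
```

Calling scenario() returns one result per case: a checker whose clock is a day behind the issuer's gets not_yet_valid for a certificate that was just issued, the LDAP distribution point is used when the HTTP one fails, and an outage of every CRL server yields crl_unavailable rather than valid. That last case is the one to plan for when the CRL servers sit behind the very connection the certificate protects.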