Renew NGFW Engine certificates

NGFW Engine certificates are renewed automatically. You might have to renew NGFW Engine certificates manually in some cases.

The following situations might require you to manually renew NGFW Engine certificates:

  • A message indicates that the certificate for an NGFW Engine has expired.
  • A message indicates that the certificate authority that signed the component’s certificate is about to expire or has expired. A new certificate authority has been created, and the engine requires a new certificate.
  • Components refuse connection attempts with each other.
  • You have created an ECDSA CA and the engine has lost connectivity to the Management Server. You might also have to manually enable 256-bit security strength for the engine.

If the certificate for system communications expires, the NGFW Engines continue processing traffic normally, but all communications with other components stop. For clusters, traffic might be disrupted if expired certificates prevent nodes from synchronizing information. The same disruption can also happen while the internal certificate authority that signs the certificates for system communications is being renewed, if the NGFW Engines do not yet have new certificates signed by the new internal certificate authority that the system created automatically.

NGFW Engine certificates might expire if you have disabled automatic certificate renewal.
Steps

  1. In the Management Client, save the initial configuration and generate a new one-time password for the NGFW Engine.
  2. To renew contact between the engine and the Management Server using the new one-time password, run the following command on the command line of the NGFW Engine:
    sg-reconfigure
  3. Follow the prompts in the NGFW Initial Configuration Wizard until the Prepare for Management Contact page opens.
  4. Select Contact, then press the spacebar.
  5. Enter the Management Server IP address and the one-time password.
  6. Highlight Finish, then press Enter.