Renewing certificates

You must renew certificates and certificate authorities before they expire.

All certificates have a validity start date (“not before”) and a validity end date (“not after”). In the SMC, internally generated certificates are valid for three years from their creation.

The SMC’s internal Certificate Authorities are valid for 10 years. A new internal RSA CA or a new internal ECDSA CA is automatically created six months before the corresponding CA’s expiration date. Components that use certificates signed by the expiring internal CA must receive new certificates signed by the new internal CA.

When the system has created a new internal CA, SMC components gradually start using it to sign certificates. Initially, the new internal CA is in the Ready to Use state, and only Management Server certificates are signed by it. Certificates for other components are signed by whichever internal CA the Management Server uses. In an environment with multiple Management Servers, the new internal CA changes to the Active state only when all Management Servers are using the new internal CA.

Each component must receive a new certificate signed by the new internal CA. The SMC automatically creates new certificates for NGFW Engines; for all other components, you must create the new certificates manually. If automatic certificate creation fails for an NGFW Engine, create its new certificate manually as well.