Replace expired VPN certificates

For security reasons, VPN certificates have an expiration date, after which the certificates must be replaced with new ones.

The VPN certificates issued by the Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are valid for three years.

If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority. If automatic RSA certificate management is activated for an NGFW Engine, RSA certificates issued by the default certificate authority are renewed automatically as long as the certificate-related files, including the private key stored on the engines, are intact. You must manually create and renew any certificates that are not signed by the default certificate authority.

New certificates signed by the new default certificate authority are automatically created for VPN Gateway elements. You must manually create and renew any certificates that are not signed by the default certificate authority.

If certificates signed by the expiring Internal CA for Gateways are used to authenticate VPN client users, you must manually create new certificates for the VPN clients. You must also create new certificates manually for any other external components that have certificates signed by the expiring Internal RSA CA for Gateways or Internal ECDSA CA for Gateways.
Note: When you renew the VPN certificate, Forcepoint VPN Client users receive a notification about the certificate fingerprint change. Notify users before you renew the certificate if possible.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. To renew an externally signed certificate for a VPN Gateway element, follow these steps.
    1. Create a certificate request.
    2. Sign the certificate with the external CA.
    3. Import the signed certificate.
  2. To renew an internally signed certificate for an external component, follow these steps.
    1. Create a certificate request in the external component.
    2. Sign the certificate with the internal CA.
    3. Export the signed certificate and import it to the external component.
  3. To renew an internally signed certificate for a VPN Gateway element, follow these steps.
    1. Select Configuration, then browse to SD-WAN.
    2. Browse to Other Elements > Certificates > Gateway Certificates.
      The certificates are shown with their expiration dates and signer information.
    3. Right-click the certificate you want to renew and select Renew Certificate.
      You are prompted to confirm that you want to renew the certificate.
    4. Click Yes.
      There is a delay while the certificate is renewed, after which you are notified that the certificate was renewed. The certificate is transferred to the engine automatically.
    5. Refresh the policy of the Firewall to activate the new certificate.
    This procedure renews the certificate when the certificate-related information is intact on the engine and on the Management Server. If the certificate has not expired but has other problems, delete the existing certificate element in the Management Client and create a new one.
  4. To renew an external certificate authority used in VPN configurations, follow these steps.
    1. Configure a new certificate authority and make sure that it is a trusted certificate authority in the VPN configurations.
    2. Create new certificates for the components involved in the VPN configuration, signed by the new certificate authority.
  5. To renew internal certificate authorities used in securing system communications and in VPNs, follow these steps.
    1. The system automatically generates a new internal certificate authority and a new internal VPN certificate authority six months before their expiration dates.
    2. Each component that uses certificates signed by the internal certificate authority or the internal VPN certificate authority requires a new certificate that is signed by the new internal certificate authority or internal VPN certificate authority.
  6. If an external gateway trusts the internal VPN CA and the internal VPN CA has been renewed, create a certificate for the external gateway and sign it with the new internal VPN CA.
    You must also set the new VPN CA as a trusted CA in the External Gateway’s properties and also in the properties of the VPN Profile element that is used in the VPN configuration.
  7. If certificates are used to authenticate VPN client users and the certificates have been signed with the internal VPN CA, you must create new certificates for the VPN client users using the new VPN CA.
    When a VPN client connects to a gateway that trusts the new internal VPN CA, the VPN client users must accept the fingerprint of the gateway’s certificate before they can connect to the gateway. Inform the users that the fingerprint of the gateway’s certificate has changed and provide the information for checking the fingerprint in the VPN client.