Replace expired VPN certificates
For security reasons, VPN certificates have an expiration date, after which the certificates must be replaced with new ones.
The VPN certificates issued by the Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are valid for three years.
If you have both an Internal RSA CA for Gateways and an Internal ECDSA CA for Gateways, only one certificate authority can be selected as the default certificate authority. If automatic RSA certificate management is activated for an NGFW Engine, RSA certificates issued by the default certificate authority are renewed automatically as long as the certificate-related files, including the private key stored on the engines, are intact.
New certificates signed by the new default certificate authority are automatically created for VPN Gateway elements. You must manually create and renew any certificates that are not signed by the default certificate authority.