Replacing expired VPN certificates

For security reasons, VPN certificates have an expiration date, after which the certificates must be replaced with new ones.

The VPN certificates issued by the Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways are valid for three years.

Internal certificate authorities also have an expiration date. The system automatically generates a new internal certificate authority and a new internal VPN certificate authority six months before their expiration dates. Each component that uses certificates signed by the internal certificate authority or the internal VPN certificate authority requires a new certificate that is signed by the new internal certificate authority or internal VPN certificate authority.

If certificates signed by the expiring Internal CA for Gateways are used to authenticate VPN client users, you must manually create new certificates for the VPN clients. You must also create new certificates manually for any other external components that have certificates signed by the expiring Internal RSA CA for Gateways or Internal ECDSA CA for Gateways.

Note: When you renew the VPN certificate, Forcepoint VPN Client users receive a notification about the certificate fingerprint change. We recommend that you notify users before you renew the certificate if possible.
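The two checks an administrator wants before the dates above arrive, as an added Go example that is not Forcepoint code: whether a gateway certificate is inside the six-month renewal window, and whether a certificate issued by the old internal CA still verifies against the replacement CA (it does not, which is why every component needs a reissued certificate). It builds a throwaway self-signed CA and gateway certificate in memory instead of reading them from the SMC; the CA name and periods are taken from this page, everything else is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Periods from the documentation above: three-year gateway certificates, CA regenerated six months early.
const GatewayValidity = 3 * 365 * 24 * time.Hour
const CARenewalLead = 6 * 30 * 24 * time.Hour

// Issue returns a certificate for name signed by ca, or a self-signed CA (standing in
// for an internal CA for gateways) when ca is nil. Constructed for this example only.
func Issue(name string, from time.Time, validity time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: from.Add(validity), IsCA: ca == nil, BasicConstraintsValid: true}
	parent, signer := ca, caKey
	if ca == nil { // self-signed: the template is its own parent
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// RenewalDue reports whether cert has already expired or expires within lead of now.
func RenewalDue(cert *x509.Certificate, now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(cert.NotAfter)
}

// ChainsTo reports whether cert verifies against ca at time now; a certificate signed
// by the old CA does not verify against the newly generated one, so it must be reissued.
func ChainsTo(cert, ca *x509.Certificate, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err == nil
}
```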