Validity of VPN certificates
Every VPN certificate becomes valid at a specific date and time and expires at a specific later date and time.
All components that use (or sign) certificates must have correct time settings to avoid unexpected certificate rejections. The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways on the Management Server generate certificates that are valid from the moment of creation until three years later.
A Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) server can be used to revoke a certificate before it reaches its expiration date. For example, a certificate might be revoked if unauthorized parties have obtained a copy of both the certificate and the associated private key. The Internal RSA CA for Gateways and the Internal ECDSA CA for Gateways do not support certificate revocation lists. If you want to use certificate validation, you must use an external certificate authority (either one you maintain yourself or a commercial service). The NGFW Engine contacts the certificate validation servers over HTTP. If all defined certificate validation servers are unreachable, the certificates are treated as invalid until their validity can be checked.
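The rules above, modelled as an added Python example (this is illustrative code, not the NGFW Engine's own implementation): the validity window is judged by the local clock, so a skewed clock rejects a good certificate; answers from several validation servers are combined; and when no server answers, the certificate is treated as invalid. The subject name and issue time are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

# Answers a CRL/OCSP server can give; None models "server unreachable".
GOOD, REVOKED = "good", "revoked"

@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime

def internal_ca_issue(subject: str, issued_at: datetime) -> Cert:
    """Model the Internal CA window: valid immediately, for three years."""
    return Cert(subject, issued_at, issued_at.replace(year=issued_at.year + 3))

def revocation_status(responses: Sequence[Optional[str]]) -> str:
    """Combine all configured validation servers. A reachable 'revoked' wins;
    if no server answered the result is 'unknown' (caller fails closed)."""
    answered = [r for r in responses if r is not None]
    if not answered:
        return "unknown"
    return REVOKED if REVOKED in answered else GOOD

def accept_certificate(cert: Cert, now: datetime,
                       responses: Sequence[Optional[str]]) -> tuple[bool, str]:
    """Validity window is judged by the local clock first (so a skewed clock
    rejects a good certificate), then revocation status is consulted."""
    if now < cert.not_before:
        return False, "not yet valid: local clock may be behind"
    if now > cert.not_after:
        return False, "expired"
    status = revocation_status(responses)
    if status == GOOD:
        return True, "valid"
    if status == REVOKED:
        return False, "revoked"
    return False, "validation servers unreachable: invalid until checked"

# Constructed sample: a gateway certificate issued at a known UTC instant.
ISSUED = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT = internal_ca_issue("gw1.example.test", ISSUED)

if __name__ == "__main__":
    # Engine clock 10 minutes behind the Management Server: rejected.
    print(accept_certificate(SAMPLE_CERT, ISSUED - timedelta(minutes=10), [GOOD]))
    # Correct clock but every validation server unreachable: fail closed.
    print(accept_certificate(SAMPLE_CERT, ISSUED + timedelta(days=1), [None, None]))
```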