topic Re: Endpoint Security certificate based VPN prompting expiry in Endpoint

Endpoint Security certificate based VPN prompting expiry

henryck — Wed, 03 Aug 2022 04:36:47 GMT

Hello

Our EPS agent is configured to use certificate based VPN to centrally managed R81.10 gateways. Internal ADCS/ADDS enrollment policies are configured to auto renew certificates, however our endpoints are currently prompting users with a dialogue to contact the sysadmin due to an expiring certificate.

Is anyone aware of how to turn this off in the registry, or disable the prompt from policy? Attachment of the error is attached.

Thank you

Re: Endpoint Security certificate based VPN prompting expiry

AndreiR — Wed, 03 Aug 2022 13:34:14 GMT

Hi @henryck ,

This screen tells user that his personal certificate which is used for authentication will be expired soon.

Could you please elaborate what "ADCS / ADDS" is?

Re: Endpoint Security certificate based VPN prompting expiry

henryck — Wed, 03 Aug 2022 22:34:43 GMT

Hi Andrei

I'd like to disable it as we do not want the users to know, as it generates tickets.

Active directory certificate services are used for PKI, its a windows environment.

Thank you

Re: Endpoint Security certificate based VPN prompting expiry

AndreiR — Thu, 04 Aug 2022 14:05:32 GMT

@henryck ,

I'll check some details and get back to you soon.

And let me know please which exact Endpoint product and version you use.

Re: Endpoint Security certificate based VPN prompting expiry

AndreiR — Mon, 15 Aug 2022 07:44:38 GMT

Hello @henryck ,

In short, if your users have only one personal certificate for authentication in VPN, you may set the "certificate_auto_renewal_threshold" parameter to 0. Refer sk75221 and sk177463. But be aware of the risk that if for some reason certificate has expired (say, user didn't connect to domain controller for long time), user will not be able to connect to VPN.

This trick might not work (we are still checking this) if some user have several personal certificates installed simultaneously (with same Subject but different Serial Numbers).

Re: Endpoint Security certificate based VPN prompting expiry

henryck — Sun, 14 Aug 2022 23:37:58 GMT

Thanks for getting back, I will test this out. Our endpoints should only have a single certificate so this should hopefully work to disable to prompts.