henryck
Participant

Endpoint Security certificate based VPN prompting expiry


Hello

Our EPS agent is configured to use certificate based VPN to centrally managed R81.10 gateways. Internal ADCS/ADDS enrollment policies are configured to auto renew certificates, however our endpoints are currently prompting users with a dialogue to contact the sysadmin due to an expiring certificate.

Is anyone aware of how to turn this off in the registry, or disable the prompt from policy? The error is attached.

Thank you


Accepted Solutions
AndreiR
Employee

Hello @henryck ,

In short, if your users have only one personal certificate for authentication in VPN, you may set the "certificate_auto_renewal_threshold" parameter to 0. Refer to sk75221 and sk177463. But be aware of the risk that if for some reason the certificate has expired (say, the user didn't connect to a domain controller for a long time), the user will not be able to connect to the VPN.

This trick might not work (we are still checking this) if a user has several personal certificates installed simultaneously (with the same Subject but different Serial Numbers).

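If the prompt is suppressed with certificate_auto_renewal_threshold = 0, an administrator loses the only signal the user would have had. The following PowerShell script is an added example (not from this thread or from Check Point) that reports the two conditions the answer above raises: personal certificates in the user's store that are expired or about to expire, and duplicate certificates with the same Subject but different serial numbers. It assumes the VPN client selects from Cert:\CurrentUser\My and that the 30-day warning window is a value you choose, not the product's own threshold.

```powershell
# Added example: inventory the user's personal certificates so that expiry is
# still detected centrally once the client-side dialogue is disabled.
# Assumption: the VPN client uses certificates from Cert:\CurrentUser\My.
function Get-VpnCertificateStatus {
    param([int]$WarnDays = 30)   # warning window chosen here, not a product default

    $now   = Get-Date
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My |
             Where-Object { $_.HasPrivateKey }   # only certs the client could actually use

    # Subjects that appear more than once: the "several personal certificates
    # with the same Subject but different Serial Numbers" caveat from the answer
    $dupSubjects = $certs | Group-Object -Property Subject |
                   Where-Object { $_.Count -gt 1 } |
                   ForEach-Object { $_.Name }

    foreach ($c in $certs) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $now).TotalDays)
        $status = if ($daysLeft -lt 0)          { 'Expired'  }
                  elseif ($daysLeft -le $WarnDays) { 'Expiring' }
                  else                           { 'OK'       }

        [pscustomobject]@{
            Subject          = $c.Subject
            Serial           = $c.SerialNumber
            Thumbprint       = $c.Thumbprint
            NotAfter         = $c.NotAfter
            DaysLeft         = $daysLeft
            Status           = $status
            DuplicateSubject = ($dupSubjects -contains $c.Subject)
        }
    }
}

# Show only what needs attention: expired/expiring certs and duplicate subjects.
Get-VpnCertificateStatus -WarnDays 30 |
    Where-Object { $_.Status -ne 'OK' -or $_.DuplicateSubject } |
    Format-Table Subject, Serial, NotAfter, DaysLeft, Status, DuplicateSubject -AutoSize
```

Run it under the user's account (the CurrentUser store is per user); pushed out through a logon script or RMM tool, the output replaces the ticket-generating prompt with a report the helpdesk can act on before the certificate actually expires.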

5 Replies
AndreiR
Employee

Hi @henryck ,

This screen tells the user that his personal certificate, which is used for authentication, will expire soon.

Could you please elaborate on what "ADCS / ADDS" is?

henryck
Participant

Hi Andrei

I'd like to disable it as we do not want the users to know, as it generates tickets.

Active Directory Certificate Services are used for PKI; it's a Windows environment.

Thank you

AndreiR
Employee

@henryck ,

I'll check some details and get back to you soon.

And please let me know which exact Endpoint product and version you use.

henryck
Participant

Thanks for getting back, I will test this out. Our endpoints should only have a single certificate, so this should hopefully work to disable the prompts.
