We currently utilize certificate-based VPNs between our main cluster and some 1430 SMB DAIP appliances; everything is centrally managed. These VPNs currently work great with no issues. We fail certain compliance scans because the IPsec certificate being used by the firewall cluster is a self-signed certificate, which is an automatic fail. Since we utilize certificate-based VPNs, we now have the task of replacing the self-signed VPN certificate with a trusted certificate from a third-party CA.
Replacing the internal VPN certificate with a third-party certificate seems pretty straightforward. My problem is that I do not understand what steps are needed to move the 1430 SMB DAIP appliances to using the new third-party certificate, and how to test it.
Based on what I know, this is where I am stuck in this process.
- Load Trusted CA third-party Root & Intermediate servers
- Edit cluster -> Add new certificate using the new third-party CA / do the CSR process
- Internal & third-party certs now show in IPsec certificate repo
- Edit cluster -> IPsec VPN
- Under traditional mode I would assume I want to make this change during the transition:
  - When negotiating with a locally managed peer gateway:
    The gateway can use any of its certificates. (currently set to internal_ca)
- Then ???
At this point I would assume both the internal_ca and third-party certificates would be presented to the SMB appliances to be used for a certificate VPN, but how do I tell it to use the third-party one, and how do I verify that it is? I would assume this process would be needed every year for the renewal process.
I've looked over this article (Setup Cert VPN), which is basically what we are doing now, and the Site to Site VPN admin guide mentions "CA Certificate Rollover" but doesn't offer the insight I am looking for.
The cluster is running R81.10 Take 66 & the SMB 1430 DAIP appliances are running R77.20.87 (990173120).
Thoughts?
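The offline check a practitioner would want alongside the console steps above is a way to confirm, from an exported copy of the gateway certificate, whether it is still self-signed (the condition the compliance scan flags), whether it chains to the third-party root through the intermediate, and how close it is to renewal. The script below is an added example and is not part of the original post or of Check Point's tooling; it generates a constructed self-signed certificate and a constructed root/intermediate/gateway chain as stand-ins for the internal_ca certificate and a third-party CA, then runs the three checks with plain openssl. Names such as vpn-cluster.example.test and the "Example Third-Party" CAs are made up for the demonstration; in practice you would point the functions at the PEM files exported from the IPsec certificate repository and the CA bundle from the third-party provider.

```shell
#!/bin/sh
# Added example (not from the original post): compare a self-signed gateway certificate
# with one issued by a third-party style root + intermediate, using only openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the current self-signed "internal_ca" gateway certificate:
# subject equals issuer, which is exactly what a compliance scan reports as self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout selfsigned.key -out selfsigned.pem -subj "/CN=vpn-cluster.example.test" 2>/dev/null

# Constructed stand-in for the third-party root CA (in reality you import this, you never hold its key).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -keyout root.key -out root.pem -subj "/CN=Example Third-Party Root" 2>/dev/null

# Constructed intermediate CA signed by the root. It must carry CA:TRUE, or chain building fails.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout int.key -out int.csr \
  -subj "/CN=Example Third-Party Intermediate" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# Gateway CSR, then a gateway certificate issued by the intermediate (the CSR step of the rollover).
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout gw.key -out gw.csr \
  -subj "/CN=vpn-cluster.example.test" 2>/dev/null
openssl x509 -req -in gw.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -sha256 -out gw.pem 2>/dev/null

# cert_kind CERT: prints "self-signed" when subject DN == issuer DN, else "ca-issued".
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# chain_ok LEAF INTERMEDIATE ROOT: exit 0 only if LEAF verifies up to ROOT via INTERMEDIATE.
# This is the check to run against the exported gateway cert plus the third-party CA files.
chain_ok() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# expires_within CERT SECONDS: exit 0 if CERT expires inside the window (renewal due), else 1.
# Useful for catching the yearly renewal before the tunnels start failing.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

echo "selfsigned.pem is $(cert_kind selfsigned.pem)"
echo "gw.pem is $(cert_kind gw.pem)"
if chain_ok gw.pem int.pem root.pem; then echo "gw.pem chains to the root"; fi
if chain_ok selfsigned.pem int.pem root.pem; then :; else echo "selfsigned.pem does not chain to the root"; fi
if expires_within gw.pem 5184000; then echo "gw.pem expires within 60 days: renew"; fi
```

The three functions are independent, so the same script can be pointed at each certificate in the repository during the transition: `cert_kind` shows which one is still self-signed, `chain_ok` confirms the new certificate is trusted under the imported root and intermediate before the SMB appliances are moved over, and `expires_within` gives a simple renewal reminder for the yearly cycle.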