roepkes
Participant

Renewing a 3rd Party VPN Certificate in R80.30

We have an existing 3rd party certificate that we need to renew. I have installed new certs using sk149253, but have never renewed one.

 

We received new root and intermediate certs from DigiCert, but receive an error that they already exist when trying to create new server objects.

 

Does anyone know the exact process to renew 3rd party certs without deleting the originals?

5 Replies
PhoneBoy
Admin

Did you generate a CSR here or did they just give you new certificates?

roepkes
Participant

Received new root and intermediate certs from DigiCert. Tried to create new server objects so that I could create a new CSR. Failed because the new certs look like the ones on the current server object. My sense is that I just need to remove the current cert from the repository, use the "get" cert feature to update the root and intermediate certs and generate a new CSR. Then complete the cert when signed, tell the vpn clients to use the cert and install policy. Sound right?
PhoneBoy
Admin

That all sounds correct to me.
You might also need to double-check the VPN settings on the gateway object/community to ensure certificates from that CA are trusted.

roepkes
Participant

Thanks. I'll update my post after we do the work on Wednesday.

roepkes
Participant

Worked out pretty much as intended.

1) Removed the current cert from the repository, which blanked the VPN clients selection. There were some warning and push configuration messages.

2) Opened the trusted CA server object and used the Get button on the OPSEC PKI tab to install and accept the new root cert.

3) Repeated step 2 for the subordinate CA.

4) Used the add button on the IPSEC page to create a new cert. You'll add a nickname and in our case it was important to pick our subordinate CA in the "CA to enroll from". First time we selected the root and we received an error telling us the cert chain was off.

5) Pushed the generate button and added our DN.

6) Another member of our team took the info and processed the cert with DigiCert.

7) Used the returned, signed cert to complete the enrollment.

8) Switched the VPN clients to authenticate using the new cert.

9) Pushed policy for good measure.

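The following is an added example, not from the thread and not Check Point or DigiCert material. It builds a constructed root CA, subordinate CA and gateway certificate with openssl, standing in for the DigiCert chain, and checks the three things that bite in the procedure above before anything is imported into the repository: that the signed gateway certificate names the subordinate CA as its issuer and not the root (the "cert chain was off" error from step 4), that it verifies up to the root only when the subordinate CA is supplied (so both CA objects are needed in steps 2 and 3), and that the certificate returned by the CA in step 7 matches the key behind the CSR from step 5. The names (Demo Root CA, Demo Subordinate CA, vpn.example.com) and the `WORK` scratch directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a renewed gateway certificate chain with openssl.
# Everything here is constructed locally; no real CA or gateway is involved.
set -e

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory for the demo files

# Build root -> subordinate -> gateway, mirroring a commercial CA chain.
make_demo_chain() {
    (
    cd "$WORK"
    # Self-signed root; req -x509 marks it CA:TRUE with the stock config.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
    # Subordinate CA signed by the root, allowed to issue end-entity certs only.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Subordinate CA" -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile sub.ext -out sub.pem 2>/dev/null
    # Gateway CSR (what the Generate button produces) and the cert the CA returns.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > gw.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn.example.com" -keyout gw.key -out gw.csr 2>/dev/null
    openssl x509 -req -in gw.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -extfile gw.ext -out gw.pem 2>/dev/null
    )
}

# Print the subject / issuer DN of a cert in RFC 2253 form (prefix stripped).
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }

# chain_ok LEAF ROOT [INTERMEDIATE...]: 0 if LEAF verifies up to ROOT using the
# given intermediates. Leaving the subordinate CA out reproduces openssl's
# "unable to get local issuer certificate", i.e. a broken chain.
chain_ok() {
    leaf=$1; root=$2; shift 2
    args=""
    for inter in "$@"; do args="$args -untrusted $inter"; done
    # shellcheck disable=SC2086  # intentional word splitting of $args
    openssl verify -CAfile "$root" $args "$leaf" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: 0 if the public key in CERT is derived from KEY,
# i.e. the signed cert that came back really belongs to the CSR's key pair.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

main() {
    make_demo_chain
    echo "gateway cert issued by: $(issuer_of "$WORK/gw.pem")"
    echo "subordinate CA subject: $(subject_of "$WORK/sub.pem")"
    if chain_ok "$WORK/gw.pem" "$WORK/root.pem" "$WORK/sub.pem"; then
        echo "root -> subordinate -> gateway: chain verifies"
    fi
    if chain_ok "$WORK/gw.pem" "$WORK/root.pem"; then
        echo "unexpected: gateway cert verified against the root alone"
    else
        echo "root only, no subordinate CA: chain is broken (expected)"
    fi
    if key_matches_cert "$WORK/gw.key" "$WORK/gw.pem"; then
        echo "gateway private key matches the signed certificate"
    fi
}
main
```

Run it as `sh check_chain.sh`; it exits non-zero at the first openssl failure. On the real renewal, point `chain_ok` and `key_matches_cert` at the root and intermediate PEMs from DigiCert, the returned signed certificate and the gateway's CSR key: if the issuer DN printed for the signed certificate is the root rather than the intermediate, the object must be enrolled from the subordinate CA, exactly the mistake described in step 4.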