LeeBingKang
Contributor

ICA in the security management server

Hi All,

Recently, I found out that my client's security management ICA will expire in July next year. I wonder whether the ICA will be automatically renewed by the security management? If yes, when will it be automatically renewed (1 month before expiry)?

I would appreciate it if someone could advise me on this.

Thank you.

Chris_Atkinson
Employee

Please refer to sk158096: How to renew an Internal Certificate Authority (ICA) certificate

As a prerequisite to updating your internal CA certificate, please verify that your Security Management and Gateways are installed with the versions below, or higher:

• R81 Jumbo Hotfix Accumulator Take 25 or higher
• R80.40 Jumbo Hotfix Accumulator Take 114 or higher
• R80.30 Jumbo Hotfix Accumulator Take 235 or higher
• R80.20 Jumbo Hotfix Accumulator Take 202 or higher
• R80.10 Jumbo Hotfix Accumulator Take 290 or higher

LeeBingKang
Contributor

Hi,

Thanks for your reply to my post. I have a question I would like to ask you: what if my security gateway doesn't meet the Jumbo Hotfix requirement, but I don't wish to apply the Jumbo Hotfix because a reboot is required? What is the potential impact if I do so?

Thank you.

Chris_Atkinson
Employee

SIC might be lost with the Gateways.

Hopefully in the next 12 months you can find a window; this should be feasible, especially for a cluster.

With that said, the minimal gateway level should be at least:

• R81 or higher
• R80.40 Jumbo Hotfix Accumulator Take 69 or higher
• R80.30 Jumbo Hotfix Accumulator Take 163 or higher
• R80.20 Jumbo Hotfix Accumulator Take 129 or higher
• R80.10 Jumbo Hotfix Accumulator Take 262 or higher
LeeBingKang
Contributor

Hi,

From your description, that means:

the security management with R80.40 Jumbo Hotfix 156 and the security gateway with R80.40 Jumbo Hotfix 102 should be enough to fulfill the prerequisite.

Chris_Atkinson
Employee

Yes, you should be able to complete the procedure without concern prior to expiry.

LeeBingKang
Contributor

Hi Chris,

Good day to you, and I hope you are doing fine.

I have a concern that I would like your help to clarify.

If the management server's internal certificate is renewed, may I know whether the Capsule Connect/VPN users' certificates (signed by the old management server certificate) need to be renewed manually via re-enrollment?

Thank you.

Chris_Atkinson
Employee

The fingerprint will change; to help avoid pop-ups on the end-user side, you can distribute an updated registry key via GPO or similar following the renewal process.

As the renewal process involves TAC assistance, I suggest engaging them to advise further on considerations for your specific scenario / deployment.

LeeBingKang
Contributor

Hi,

Noted on your suggestion; I will open a case to ask TAC about my question. I will post here if there is any update.
