Managing Internal Certificates

In the Certificates Internal Certificate page you can view details of an internal VPN certificate. You can also view and reinitialize the certificate used by the internal CA that signed the certificate and can be used to sign external certificates.

Note - This page is available from the Device and VPN tabs.

When you create an internal VPN certificate, when a certificate that is signed by the internal CA is used, the CA's certificate must be reinitialized when the Internet connection's IP addresses change.

To avoid constant reinitialization, we recommend you use the DDNS feature. See Device > DDNS. When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates.

To reinitialize certificates:

  1. Click Reinitialize Certificates.

    The Reinitialize Certificates window opens.

  2. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  3. Select the number of years for which the Internal VPN Certificate is valid. The default is 3. The maximum value allowed is 20.

  4. Click Apply.

Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.

To replace an internal CA certificate:

  1. Click Replace Internal CA Certificate.

  2. Click Browse to select the CA certificate file that includes the private key.

  3. Enter the Certificate name and private key's password to allow the device to sign certificates with the uploaded CA.

  4. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  5. Click Apply.

To export an internal CA certificate:

Click Export Internal CA Certificate to download the internal CA certificate.

To sign a remote site's certificate request by the internal CA:

  1. Click Sign a Request.

  2. Click Browse to upload the signing request file as created in the remote site.

    In third party appliances, make sure to look in its Administration Guide to see where signing requests are created.

    The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.

  3. Click Download.

    The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.