Modify PKI Settings for All Sites
The VPN authentication settings for a tenant are configured when the tenant is onboarded. If PKI Certificate is configured as the authentication type, tenant administrators can modify the PKI settings even after adding sites for the tenant. The changed settings are applicable to all existing sites of the tenant and to sites that the tenant might add later.
You can modify the following PKI settings from the Edit Certificate Settings for Tenant page (Administration > Certificate Management > VPN Authentication > Change).
Certificate Authority (CA) Server Parameters
The CA server manages the lifecycle of a certificate and publishes revoked certificates to the Certificate Revocation List (CRL) server. To obtain trusted CA certificates, CSO communicates with the CA server using the Simple Certificate Enrollment Protocol (SCEP).
To change the CA server parameters (URL, Password, and CRL URL):
On the Edit Certificate Settings for Tenant page, enter the new CA server URL and password in the CA Server URL and Password fields, respectively. Enter the new CRL server URL associated with the CA server in the CRL Server field.
Click OK to save your changes.
You are returned to the VPN Authentication page, where a confirmation message appears indicating that a job is triggered to automatically renew certificates for all sites in the tenant.
You can click the job link in the message to view the job details, or view the details on the Jobs (Monitor > Jobs) page.
Note: The CA server parameters are not updated if the PKI server is unreachable at the time that the job is triggered.
After the job is completed successfully, a confirmation message appears indicating that the settings are updated. CSO also downloads the latest list of revoked certificates from the CA server.
CRL Server URL
You can choose to update only the CRL server URL associated with the CA server.
To update the CRL server URL:
On the Edit Certificate Settings for Tenant page, specify the new CRL server URL in the CRL Server field.
Click OK to save your changes.
You are returned to the VPN Authentication page, where a confirmation message appears indicating that a job is triggered.
You can click the job link in the message to view the job details or view the details on the Jobs (Monitor > Jobs) page.
After the job is completed successfully, a confirmation message appears indicating that the settings are updated. CSO downloads the latest list of revoked certificates from the CA server.
Certificate Renewal Method
To change the certificate renewal method:
On the Edit Certificate Settings for Tenant page, click the Auto Renew Certificate toggle button to enable or disable the automatic renewal of certificates.
If you enable the Auto Renew Certificate toggle button, the Renew Before Expiry list appears.
From the list, select the period before the expiry date on which the certificates should be automatically renewed:
3 Days
1 Week
2 Weeks (default)
1 Month
If you disable the Auto Renew Certificate toggle button, you must renew the certificates manually for each site before they expire. See Modify PKI Settings for Selected Sites for the procedure to manually renew certificates for sites.
Click OK to save your changes.
If you enabled the automatic renewal of certificates, CSO schedules a job that checks the expiration date of the certificates for all sites of the tenant every 24 hours. When a certificate comes within the Renew Before Expiry period that you configured, CSO triggers a job to automatically renew it.
Note: The certificate renewal job is not executed for sites that are down or that do not have connectivity to CSO at the time that the job is triggered.
You are returned to the VPN Authentication page where a confirmation message appears indicating that the settings are updated.
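As an added illustration of the renewal schedule described above (example code, not CSO's own), the following Python models the daily expiry check and the Renew Before Expiry window, including the caveat that a site which is down when the job runs is skipped and picked up by a later run. The site names, expiry dates, outage days and the 30-day value for 1 Month are constructed assumptions.

```python
from datetime import datetime, timedelta

# "Renew Before Expiry" choices from the page, mapped to days.
# Treating "1 Month" as 30 days is an assumption of this example.
RENEW_BEFORE_DAYS = {"3 Days": 3, "1 Week": 7, "2 Weeks": 14, "1 Month": 30}
CHECK_INTERVAL = timedelta(hours=24)  # the expiry check runs every 24 hours

def should_renew(not_after, now, renew_before):
    """True once 'now' is inside the renewal window (or already past expiry)."""
    return now >= not_after - timedelta(days=RENEW_BEFORE_DAYS[renew_before])

def run_renewal_job(site_expiry, now, renew_before, reachable):
    """One pass of the job: renew sites that are due and reachable; unreachable
    sites are skipped and retried by the next daily run (the page's note)."""
    return [site for site, not_after in site_expiry.items()
            if site in reachable and should_renew(not_after, now, renew_before)]

def simulate(site_expiry, start, renew_before, outages, runs):
    """Run the daily job 'runs' times from 'start'; 'outages' maps a site to
    the run indexes on which it is down. Returns (renewed_on, lapsed): the run
    index on which each site was renewed (None if never within the horizon) and
    the sites whose certificate expired before renewal (their VPN would drop)."""
    renewed_on = {site: None for site in site_expiry}
    pending = dict(site_expiry)
    for day in range(runs):
        now = start + day * CHECK_INTERVAL
        reachable = {s for s in pending if day not in outages.get(s, set())}
        for site in run_renewal_job(pending, now, renew_before, reachable):
            renewed_on[site] = day
            del pending[site]
    horizon = start + runs * CHECK_INTERVAL
    lapsed = sorted(
        site for site, day in renewed_on.items()
        if (horizon if day is None else start + day * CHECK_INTERVAL) > site_expiry[site])
    return renewed_on, lapsed

def example_scenario():
    """Constructed scenario: three sites, site-c's certificate is close to expiry."""
    start = datetime(2024, 1, 1)
    sites = {"site-a": start + timedelta(days=10),
             "site-b": start + timedelta(days=10),
             "site-c": start + timedelta(days=2)}
    # site-b is down on runs 3 and 4; site-c is down on runs 0 to 2.
    return simulate(sites, start, "1 Week", {"site-b": {3, 4}, "site-c": {0, 1, 2}}, 10)
```

The scenario shows why the renewal period should comfortably exceed any expected site outage plus the 24-hour check cadence: site-b misses two runs and is still renewed in time, while site-c's certificate expires before it comes back online.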