Renew or Reissue a CA or Certificate¶
When a CA or certificate expires it must be replaced, renewed, or reissued. The GUI can Renew or Reissue a certificate using a semi-automatic process. This process can retain the existing properties of the CA or certificate, but results in a freshly signed copy. This process can also make changes to the lifetime, keys, and digest so they meet current security best practices.
The new copy of this certificate must be distributed to the intended target as it was originally.
The Renew or Reissue page displays information about the entry, including:
The subject of the certificate, containing its Distinguished Name (DN)
The serial number of the certificate.
- Subject Key ID
Fingerprint of the certificate key.
- Certificate Type
Either User or Server, if known.
- Issued By
The CA which signed the certificate (Name and DN)
Renew or Reissue Options¶
There are two options available which control what happens when the certificate is renewed:
- Reuse Key
When set (default), the existing key on the certificate is retained. When unset, a fresh key will be created when the certificate is reissued.
- Reuse Serial
Set this option to retain the existing serial number when reissuing. Uncheck to generate a new serial.
Retaining the serial when renewing a CA allows existing certificates to remain valid, though some clients may not respect the new CA if the serial does not change.
Similarly, certificates should have a new serial every time they are renewed or some peers will reject them.
The exact behavior depends on the service and clients, but generally speaking it is safe to reuse the serial on a CA but not safe to reuse the serial on a server or user certificate. For example, OpenVPN is OK with reusing the serial number on a CA when renewing, while web browsers will reject changing a server certificate, even self-signed, if the serial does not change when the contents of the certificate change.
- Strict Security
When set, upgrades the security of the certificate to meet current standards.
The Renew or Reissue page performs a security analysis on the certificate, comparing its current values for Lifetime, Digest, and RSA Key size with current best security practices. This analysis is printed at the bottom of the page. If any of the values are weak, the Would Change column in the analysis indicates Yes.
Renew or Reissue Example¶
To start the renewal process, first locate the CA or certificate to renew:
Navigate to System > Cert Manager
Navigate to the CAs tab for CA entries, or the Certificates tab for certificates
Locate the entry to renew in the list
Click at the end of the row for the certificate to load the Renew or Reissue page for the certificate
The icon only appears for entries which have been signed by an internal CA on the firewall.
Review the contents of the page
Set the Renew or Reissue Options as desired
Click OK to confirm the action
When the process completes, the certificate entry is updated in the configuration.
If the certificate is in use by a service on the firewall, the associated service(s) are restarted automatically.
For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated by the renewal process, it must also be transmitted to the user.