Renew or Reissue a CA or Certificate

When a CA or certificate expires it must be replaced, renewed, or reissued. The GUI can Renew or Reissue a certificate using a semi-automatic process. This process can retain the existing properties of the CA or certificate, but results in a freshly signed copy. This process can also make changes to the lifetime, keys, and digest so they meet current security best practices.

The new copy of this certificate must be distributed to the intended target as it was originally.

Certificate Properties

The Renew or Reissue page displays information about the entry, including:

Subject

The subject of the certificate, containing its Distinguished Name (DN).

Serial

The serial number of the certificate.

Subject Key ID

Fingerprint of the certificate key.

Certificate Type

Either User or Server, if known.

Issued By

The CA which signed the certificate (Name and DN).

Renew or Reissue Options

There are two options available which control what happens when the certificate is renewed:

Reuse Key

When set (default), the existing key on the certificate is retained. When unset, a fresh key will be created when the certificate is reissued.

Reuse Serial

Set this option to retain the existing serial number when reissuing. Uncheck to generate a new serial.

Retaining the serial when renewing a CA allows existing certificates to remain valid, though some clients may not respect the new CA if the serial does not change.

Similarly, certificates should have a new serial every time they are renewed or some peers will reject them.

The exact behavior depends on the service and clients, but generally speaking it is safe to reuse the serial on a CA but not safe to reuse the serial on a server or user certificate. For example, OpenVPN is OK with reusing the serial number on a CA when renewing, while web browsers will reject changing a server certificate, even self-signed, if the serial does not change when the contents of the certificate change.

Strict Security

When set, upgrades the security of the certificate to meet current standards.

The Renew or Reissue page performs a security analysis on the certificate, comparing its current values for Lifetime, Digest, and RSA Key size with current best security practices. This analysis is printed at the bottom of the page. If any of the values are weak, the Would Change column in the analysis indicates Yes.
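The serial-reuse rule and the Lifetime/Digest/RSA Key analysis above can both be expressed as a post-renewal check. The following is an added example, not code from the firewall GUI: it assumes the certificate properties have already been read off the Renew or Reissue page (or from openssl), and the thresholds for "current best practices" are assumptions to be adjusted to local policy.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds (not from the page); they stand in for the GUI's
# "current best security practices" and should follow local policy.
MAX_LIFETIME_DAYS = {"CA": 3650, "Server": 398, "User": 398}
WEAK_DIGESTS = {"md5", "sha1"}
MIN_RSA_BITS = 2048

@dataclass
class CertProps:
    kind: str        # "CA", "Server" or "User" (Certificate Type on the page)
    subject: str     # Subject DN
    serial: str      # Serial, hex as displayed
    key_id: str      # Subject Key ID (fingerprint of the key)
    digest: str      # signature digest, e.g. "sha256"
    rsa_bits: int    # RSA key size
    not_before: date
    not_after: date

def security_analysis(c: CertProps) -> dict:
    """Same three checks as the page's analysis: value -> Would Change."""
    lifetime = (c.not_after - c.not_before).days
    return {
        "Lifetime": lifetime > MAX_LIFETIME_DAYS.get(c.kind, 398),
        "Digest": c.digest.lower() in WEAK_DIGESTS,
        "RSA Key": c.rsa_bits < MIN_RSA_BITS,
    }

def check_reissue(old: CertProps, new: CertProps, reuse_key: bool, reuse_serial: bool) -> list:
    """Compare a renewed entry with its predecessor; return a list of problems."""
    problems = []
    if new.subject != old.subject:
        problems.append("subject changed")
    if new.not_after <= old.not_after:
        problems.append("expiry not extended")
    if (new.key_id == old.key_id) != reuse_key:
        problems.append("key reuse does not match the Reuse Key option")
    if (new.serial == old.serial) != reuse_serial:
        problems.append("serial reuse does not match the Reuse Serial option")
    if new.kind != "CA" and new.serial == old.serial:
        problems.append("server/user certificate reissued with the same serial; peers may reject it")
    if any(security_analysis(new).values()):
        problems.append("renewed certificate still has weak properties")
    return problems

# Constructed sample data: a weak server certificate and two renewals of it.
OLD = CertProps("Server", "CN=vpn.example.com", "01", "AA:11", "sha1", 1024, date(2019, 1, 1), date(2020, 1, 1))
NEW = CertProps("Server", "CN=vpn.example.com", "02", "BB:22", "sha256", 2048, date(2024, 1, 1), date(2025, 1, 1))
SAME_SERIAL = CertProps("Server", "CN=vpn.example.com", "01", "AA:11", "sha256", 2048, date(2024, 1, 1), date(2025, 1, 1))
```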

Renew or Reissue Example

To start the renewal process, first locate the CA or certificate to renew:

  • Navigate to System > Cert Manager

  • Navigate to the CAs tab for CA entries, or the Certificates tab for certificates

  • Locate the entry to renew in the list

  • Click the fa-repeat icon at the end of the row for the certificate to load the Renew or Reissue page for the certificate

    Note

    The fa-repeat icon only appears for entries which have been signed by an internal CA on the firewall.

  • Review the contents of the page

  • Set the Renew or Reissue Options as desired

  • Click the fa-repeat Renew/Reissue button

  • Click OK to confirm the action

When the process completes, the certificate entry is updated in the configuration.

Note

If the certificate is in use by a service on the firewall, the associated service(s) are restarted automatically.

For user certificates, the updated certificate must be exported and transmitted to the user. If a new key was generated by the renewal process, it must also be transmitted to the user.