IPSec VPN certificate expires soon- how do I (re)create a valid certificate directly on the USG?






I have an USG20W-VPN firewall.
My IPSec VPN certificate will expire soon. How do I create a valid new certificate for the VPN part? I have seen the instructions when using Nebula, I do not use that.
How can I do that directly on the firewall? Thank you.
Best Answers
-
Where do I get the details from the existing certificate?
Please double click your VPN certificate, the firewall will pop-out a window and show the details.
How do I enter these into the new?
You can click the add button to create a new self-assigned certification. You only need to enter the IP, same key type/signature algorithm/lifetime/extend key usage.
Please reference this video:
How do I bind the 'new' self-signed certificate to the remote access configurations?
Please navigate to Configuration > VPN > IPSec VPN > VPN gateway to change the binding certificate.
Assumption- when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?
You can get the new certificate by the function "get from server" on SecuExtender. After it gets the new configuration and certificate, it will ask you if you want to replace the VPN or other actions.
does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or I have to delete it / remove the existing bindings?
After binding the new certificate, the old one will not be used. You can delete it after unbind since it is still in your PKI storage.
Zyxel Melen1 -
Hello,
Thank you so much for your very detailed instructions, all went well. Kind regards
0
All Replies
-
Is it a Self-signed? by IP or Domain Name?
You can make Self-signed in in object > Certificates with
ServerAuthentication,
ClientAuthentication
leave IKE Intermediate unchecked
Then you have to export to the client OS in trusted root
0 -
yes, self-signed see picture:
OK, I see now… click add, then enter the details. As I haven't done this yet, how do I reach the following steps?
- Where do I get the details from the existing certificate?
2. How do I enter these into the new?
3. How do I bind the 'new' self-signed certificate to the remote access configurations?
4. Assumption- when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?
5. does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or I have to delete it / remove the existing bindings?
Many thanks.
0 -
Under subject will list if its IP or Domain Name then you click add
Name
select and put in the whats listed for subnet
Host IP Address
or
Host Domain Name
check ServerAuthentication, ClientAuthentication
and okGo to VPN settings for the VPN gateway used for Remote Access (Server Role) under Authentication you can select your new Certificate
Not sure about SecuExtender I go check…hmmm not sure why but can't get the "get from server" to work but if you got SecuExtender setup with the current Certificate all you need to do is download the new Certificate (without setting a password) then in SecuExtender under IKE V2 their should be Ikev2Gateway click the Certificate and CA Management > Add CA > next find your Certificate and OK
0 -
Where do I get the details from the existing certificate?
Please double click your VPN certificate, the firewall will pop-out a window and show the details.
How do I enter these into the new?
You can click the add button to create a new self-assigned certification. You only need to enter the IP, same key type/signature algorithm/lifetime/extend key usage.
Please reference this video:
How do I bind the 'new' self-signed certificate to the remote access configurations?
Please navigate to Configuration > VPN > IPSec VPN > VPN gateway to change the binding certificate.
Assumption- when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?
You can get the new certificate by the function "get from server" on SecuExtender. After it gets the new configuration and certificate, it will ask you if you want to replace the VPN or other actions.
does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or I have to delete it / remove the existing bindings?
After binding the new certificate, the old one will not be used. You can delete it after unbind since it is still in your PKI storage.
Zyxel Melen1 -
Hello,
Thank you so much for your very detailed instructions, all went well. Kind regards
0
Categories
- All Categories
- 435 Beta Program
- 2.7K Nebula
- 175 Nebula Ideas
- 117 Nebula Status and Incidents
- 6.1K Security
- 422 USG FLEX H Series
- 297 Security Ideas
- 1.6K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 44 Wireless Ideas
- 6.7K Consumer Product
- 273 Service & License
- 418 News and Release
- 88 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 89 Security Highlight