IPSec VPN certificate expires soon- how do I (re)create a valid certificate directly on the USG?

Zyxel_USG_User · June 16

I have an USG20W-VPN firewall.

My IPSec VPN certificate will expire soon. How do I create a valid new certificate for the VPN part? I have seen the instructions when using Nebula, I do not use that.

How can I do that directly on the firewall? Thank you.

Zyxel_Melen · June 17

Hi @Zyxel_USG_User

Where do I get the details from the existing certificate?

Please double click your VPN certificate, the firewall will pop-out a window and show the details.

https://jam.dev/c/f2409097-a8a9-4a03-940c-2bdd2806fe57

How do I enter these into the new?

You can click the add button to create a new self-assigned certification. You only need to enter the IP, same key type/signature algorithm/lifetime/extend key usage.

Please reference this video:

https://jam.dev/c/2f531058-5f90-4bd3-b2c5-21953453d812

How do I bind the 'new' self-signed certificate to the remote access configurations?

Please navigate to Configuration > VPN > IPSec VPN > VPN gateway to change the binding certificate.

https://jam.dev/c/b3d570a3-d8fc-4075-8c74-7e43f18eb8f3

Assumption- when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?

You can get the new certificate by the function "get from server" on SecuExtender. After it gets the new configuration and certificate, it will ask you if you want to replace the VPN or other actions.

does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or I have to delete it / remove the existing bindings?

After binding the new certificate, the old one will not be used. You can delete it after unbind since it is still in your PKI storage.

Zyxel_USG_User · June 28

Hello,

Thank you so much for your very detailed instructions, all went well. Kind regards

PeterUK · June 16

Is it a Self-signed? by IP or Domain Name?

You can make Self-signed in in object > Certificates with

ServerAuthentication,

ClientAuthentication

leave IKE Intermediate unchecked

Then you have to export to the client OS in trusted root

Zyxel_USG_User · June 16

yes, self-signed see picture:

OK, I see now… click add, then enter the details. As I haven't done this yet, how do I reach the following steps?

Where do I get the details from the existing certificate?

2. How do I enter these into the new?

3. How do I bind the 'new' self-signed certificate to the remote access configurations?

4. Assumption- when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?

5. does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or I have to delete it / remove the existing bindings?

Many thanks.

PeterUK · June 16

Under subject will list if its IP or Domain Name then you click add
Name
select and put in the whats listed for subnet
Host IP Address
or
Host Domain Name
check ServerAuthentication, ClientAuthentication
and ok

Go to VPN settings for the VPN gateway used for Remote Access (Server Role) under Authentication you can select your new Certificate

Not sure about SecuExtender I go check…hmmm not sure why but can't get the "get from server" to work but if you got SecuExtender setup with the current Certificate all you need to do is download the new Certificate (without setting a password) then in SecuExtender under IKE V2 their should be Ikev2Gateway click the Certificate and CA Management > Add CA > next find your Certificate and OK

Zyxel_Melen · June 17