I've spoken to a few customers this week about SSL certificates, and how they can renew them, so I figured it warranted a forum post. I've seen things get confused before when the name matches a previous certificate that's in use, even with wildcards (which makes renewals or crypto upgrades such as switching a SHA-1 for a SHA-2 certificate tricky). The way I normally handle renewals on my test box is by doing the following:
- Log into the appliance admin interface on port 8000 (HTTP), or 8443 (HTTPS)
- Go to the SSL Certificate tab
- Switch the certificate type to Default
- Save Changes
- The appliance interface will become briefly unavailable
- Log back in and go to the SSL Certificates tab
- Switch the certificate type to Trusted
- Click “Clean All Unused Files” (this can sometimes take two clicks in order to clear everything, but you should end up with an empty list)
- Upload your latest certificate as before (I generally do it with the certificate first, then the private key, then the rest of the certificate chain walking upwards, so the issuer of your cert, then the issuer's issuer, and so on until I get to "Trusted" status)
- Once all the components are in place, click the “Use” button
- The appliance interface will become briefly unavailable again and then come back up with the new certificate in place
- In order to send this new certificate to the SSL VPN, the “Synchronise” button at the bottom of the page should be used. This last step is the only point where the SSL VPN service itself will become unavailable, so this doesn't have to be done immediately, but could be done at a more convenient time with fewer users online.
One thing to note about the final step in this process is that the certificate sync currently requires TLSv1.0 to be enabled on the SSL VPN configuration (under Advanced->Configuration on port 443). If you currently have working status graphs on the Basic->Status page on port 8000/8443 then you should be good to go (they use the same API calls). If your graphs are currently not working then you’ll need to enable TLSv1.0 briefly on port 443 and then do the sync before turning TLSv1.0 off again if required.
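Before uploading, it saves a round of "Clean All Unused Files" to confirm on a workstation that the private key really belongs to the new certificate and that the chain file is in the walking-upwards order the upload step expects. The helpers below are an added example written for this post, not code from the original or from the appliance vendor; they assume a POSIX shell with the openssl CLI, a leaf certificate, its key, and a chain file listing the leaf's issuer first and the root last.

```shell
# Usage: key_matches_cert LEAF.pem KEY.pem; chain_in_order LEAF.pem CHAIN.pem;
#        chain_verifies LEAF.pem CHAIN.pem
# CHAIN.pem lists the issuers "walking upwards": the leaf's issuer first,
# then that issuer's issuer, and so on, ending with the root.

# Split a PEM bundle into one file per certificate: $2.0, $2.1, ...
split_pem() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { f = p "." n++ }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# 1. The private key must belong to the leaf (identical public key).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 2. Each certificate's issuer must be the subject of the next one, i.e. the
#    upload order is leaf -> issuer -> issuer's issuer -> ... -> root.
chain_in_order() {
  d=$(mktemp -d) || return 1
  cat "$1" "$2" > "$d/all.pem"
  split_pem "$d/all.pem" "$d/c"
  i=0; ok=0
  [ -f "$d/c.1" ] || { echo "no issuer certificates supplied" >&2; ok=1; }
  while [ -f "$d/c.$((i+1))" ]; do
    iss=$(openssl x509 -in "$d/c.$i" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$d/c.$((i+1))" -noout -subject | sed 's/^subject=//')
    if [ "$iss" != "$sub" ]; then
      echo "order break: cert $i issued by [$iss], but cert $((i+1)) is [$sub]" >&2
      ok=1; break
    fi
    i=$((i+1))
  done
  rm -rf "$d"; return $ok
}

# 3. The chain must validate with its last certificate as the trust anchor,
#    which is what the appliance's "Trusted" status is expected to reflect.
chain_verifies() {
  d=$(mktemp -d) || return 1
  split_pem "$2" "$d/c"
  n=$(ls "$d"/c.* | wc -l)
  openssl verify -CAfile "$d/c.$((n-1))" -untrusted "$2" "$1" >/dev/null 2>&1
  r=$?; rm -rf "$d"; return $r
}
```

Each function exits non-zero on a problem, so a failed check can stop a scripted renewal before anything is uploaded.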