So I recently got assigned the task of replacing the certificate used by the corporate SSL VPN solution. This is the device half the company depends upon every day, since we have a HUGE remote work force (including me). Of course, I’d never touched the device before, no one currently with the company had seen the setup of the original certificate or knew how to replace it, and no documentation existed on the process internally. Oh, and if I borked it, we’d basically be down, so, no pressure. Yay me! As such, first I made sure my ISAs were ready to rock and roll for client VPN, you know, just in case. And since I was already fairly certain that this process would kick existing connections off, I needed a way to get in that didn’t include me flying out to California.
Before you begin the swap process, note that you will disconnect all existing sessions. Not all at once, but as they renegotiate session keys. Make sure you set a maintenance window, and don’t use the VPN yourself while doing this unless you are very fast and very lucky.
I’m sorry I didn’t screenshot the process of generating a new CSR, but I was in a hurry and forgot. You can either use OpenSSL to generate a key pair and CSR and then import them into the SA4000, or you can generate the CSR right on the SA4000. Either way is quick and easy, and generating the request causes no issues with the existing cert.
- Log onto the VPN concentrator’s Central Manager, and then access Configuration, Certificates, Device Certificates.
- Click the New CSR button, follow along with the wizard to generate the request, and you’ll see it under Certificate Signing Requests. Submit the CSR to your CA, and then come back to this page to finish the process and import the response file. You can have multiple certificates installed, so no worries there.
- Click on the expiring certificate, which you can see is the one being used by the <Internal Port>.
- In the box under "Selected Virtual Ports:" select the <Internal Port> and then click Remove.
- Then click Save Changes.
- Now click the new certificate, select the <Internal Port> and click Add, then click Save Changes.
Here, we see that we have two certificates installed. The VeriSign certificate is expiring, and we’re replacing it with the Thawte certificate. We have to unbind the old cert before we can bind the new one. 
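For the OpenSSL route mentioned above, and for checking what the concentrator actually serves once the new cert is bound, here is an added example (not from the original post, and not Juniper's tooling): it generates the key pair and CSR, checks that the request is well-formed and belongs to the key before you send it to the CA, and has a helper to read the served certificate's dates after the swap. The hostname `vpn.example.com` and the subject fields are constructed placeholders; set `VPN_FQDN` to the name your clients connect to.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates a key pair and CSR
# with OpenSSL for import into the SA4000, sanity-checks them, and shows the
# certificate a VPN host is serving. VPN_FQDN and SUBJ are placeholders.
set -eu

VPN_FQDN="${VPN_FQDN:-vpn.example.com}"   # assumption: public name clients use
SUBJ="/C=US/ST=State/L=City/O=Example Corp/CN=${VPN_FQDN}"   # constructed subject

# Generate a 2048-bit RSA private key and a CSR for it in the given directory.
# Prints the CSR path. The key file is created mode 0600; it is imported
# together with the CA's response, so keep it until the new cert is bound.
make_csr() {
    outdir="$1"
    mkdir -p "$outdir"
    umask 077
    openssl genrsa -out "$outdir/$VPN_FQDN.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/$VPN_FQDN.key" -subj "$SUBJ" \
        -out "$outdir/$VPN_FQDN.csr"
    echo "$outdir/$VPN_FQDN.csr"
}

# Verify the CSR's self-signature and that its CN is the VPN hostname, so the
# CA is not asked to sign a request for the wrong name. Exit status 0 on success.
check_csr() {
    csr="$1"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # Old and new OpenSSL print the subject differently; match both spellings.
    openssl req -in "$csr" -noout -subject | grep -q "CN *= *$VPN_FQDN" || return 1
    return 0
}

# Confirm the private key and CSR share a modulus, so the wrong key does not
# get imported alongside the signed certificate.
key_matches_csr() {
    key="$1"; csr="$2"
    k=$(openssl rsa -in "$key" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$csr" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# After Save Changes: print subject, issuer and validity dates of the cert
# the concentrator is serving. This one talks to the network, so it is not
# called here; run it from outside the VPN to confirm the swap took effect.
show_served_cert() {
    echo | openssl s_client -connect "$VPN_FQDN:443" -servername "$VPN_FQDN" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}
```

Typical use: `csr=$(make_csr ./vpncert) && check_csr "$csr" && key_matches_csr ./vpncert/$VPN_FQDN.key "$csr"`, submit the `.csr` to the CA, import the response plus the `.key` on the Device Certificates page, bind it per the steps above, then `show_served_cert` to confirm the new issuer and expiry date are what clients now see.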

That’s it in a nutshell. The whole process should only take about 5 minutes (not including getting a new cert or renewing an existing one). You will see connections start to drop shortly thereafter, but they will be able to reconnect immediately, so no harm no foul. If this helps you, great! I know for a fact I’ll be looking at this post around early January 2011!