XG VPN Client Certificate Renewal

Hello All

We have an external certificate which will expire shortly and a valid replacement ready to be uploaded. Last year remote users needed to log in and download the updated VPN configuration file once the expired certificate was renewed.

If the updated certificate is uploaded now would this allow everything to rollover seamlessly or when the current certificate expires will the client certificate be regenerated against the new certificate and require downloading/installing? (I presume the client certificate is generated against the current uploaded external XG certificate and will naturally expire on the client side?)

As everyone is working remotely I would like to keep the workload to a minimum so just asking if there is a way to stop the re-install?

Many thanks for any info or thoughts

RR



  • FormerMember
    +1 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    You can upload the new certificate on the firewall, but as soon as you replace the old certificate from VPN > Show VPN settings > SSL VPN > SSL server certificate with the new one, the remote user's certificate will become invalid, and they won't be able to log in to the Remote SSL VPN. 

    The Remote SSL VPN user certificate will be regenerated based on the new certificate when the user downloads the new configuration from the user portal, so the process remains the same as the one you had to follow last time.

    However, if you use Sophos Connect Client 2.0 for SSL VPN, this process of re-downloading the new config with the new certificate is automated. 

    Check out the following release note and configuration documents for more info: Sophos Connect 2.0 is now GA.

    Thanks,

  • Thank you very much - had a look at Sophos Connect Client 2.0 but probably a bit too new to roll out based on the certificate TTL so will send the good news out to the remote VPN users!

    Good to know that the previous remote certs become invalid once the new one is in play (makes perfect sense though)

    Regards and thanks again for the prompt reply, Harsh


    RR