About the VPN Authentication Page

 

To access this page, click Administration > Certificate Management > VPN Authentication.

Note

The VPN Authentication page is displayed only for tenants with SD-WAN sites that are configured with PKI as the authentication type.

Tasks You Can Perform

Changing the Method of Renewing PKI Certificates for a Tenant

In Customer Portal, the method of renewing PKI certificates for a tenant is configured when the tenant is onboarded.

You, as a tenant administrator, can change the method of renewing PKI certificates for an onboarded tenant from the VPN Authentication page.

To change the method of renewing PKI certificates for a tenant:

  1. On the VPN Authentication page, click the Change link.

    The Tenant Certificate Renewal Method page appears.

    Note

    Certificates will not be renewed for sites that are down or do not have connectivity to CSO at the current time.

  2. By default, the Auto Renew Certificate toggle button is disabled. Click the toggle button to enable the automatic renewal of certificates.

    If you do not enable the automatic renewal of certificates, they must be manually renewed. See Manually Renewing Certificates for Sites for more information.

  3. If you enabled the automatic renewal of certificates, in the Renew Before Expiry field, select how long before the expiry date the certificates should be automatically renewed:
    • 3 Days

    • 1 Week

    • 2 Weeks (default)

    • 1 Month

  4. Click OK to save your changes.

    The Confirm Renew Certificate page appears.

  5. Click Yes to confirm your changes.

    A job is created to check the expiration date of certificates for all sites of the tenant. If a certificate is nearing the configured expiry date, the certificate is automatically renewed.

    You are returned to the VPN Authentication page where a confirmation message appears.

Changing the Method of Renewing PKI Certificates for Sites

Note

If the certificate renewal method for a tenant is manual, the renewal method for certificates used by sites belonging to that tenant cannot be changed to automatic. You can change the renewal method of a PKI certificate belonging to a site only if the certificate renewal method for the tenant is automatic.

To change the renewal method of certificates for one or more sites:

  1. On the VPN Authentication page, select one or more sites from the list of available sites and click Change Renewal Method.

    A drop-down list appears.

  2. From the list, choose the renewal method (Set Auto Renew or Set Manual Renew).

    The Edit Certificate Renew Method page appears.

  3. Click Yes to change the renewal method.
    • If you set the renewal method as automatic, a job is created to check the expiration date of certificates for the selected sites. If a certificate is nearing the configured expiry date, the certificate is automatically renewed.

    • If you set the renewal method as manual, certificates must be manually renewed. See Manually Renewing Certificates for Sites for more information.

    You are returned to the VPN Authentication page, where a confirmation message appears.
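The renewal rules described in the two procedures above can be modeled to triage a certificate inventory: which certificates fall inside the Renew Before Expiry window, which will not be renewed automatically because the tenant or site method is manual, and which are skipped because the site is unreachable. This Python example is added here and is not CSO code; the record fields, the reachable flag, the finding labels, and treating 1 Month as 30 days are assumptions, and the sample inventory is constructed.

```python
from datetime import datetime, timedelta, timezone

# "Renew Before Expiry" choices listed on the page.
# Assumption: "1 Month" is treated as 30 days.
RENEW_WINDOWS = {
    "3 Days": timedelta(days=3),
    "1 Week": timedelta(weeks=1),
    "2 Weeks": timedelta(weeks=2),  # default on the page
    "1 Month": timedelta(days=30),
}

def effective_method(tenant_auto, site_method):
    """A site is renewed automatically only if the tenant method is automatic too."""
    return "Auto" if tenant_auto and site_method == "Auto" else "Manual"

def triage(certs, now, tenant_auto=True, window="2 Weeks"):
    """Return {certificate_id: finding} for certificates an operator must act on.

    Finding labels are this example's own, not CSO Status values.
    """
    limit = RENEW_WINDOWS[window]
    findings = {}
    for cert in certs:
        remaining = cert["expires_on"] - now
        if remaining <= timedelta(0):
            findings[cert["certificate_id"]] = "expired"
        elif remaining <= limit:
            if effective_method(tenant_auto, cert["renewal_method"]) == "Manual":
                findings[cert["certificate_id"]] = "renew manually"
            elif not cert["reachable"]:
                # Sites that are down or cannot reach CSO are not renewed.
                findings[cert["certificate_id"]] = "auto renewal blocked: site unreachable"
    return findings

# Constructed sample inventory (hypothetical IDs; "reachable" is an assumed field).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _cert(cid, days_left, method, reachable=True):
    return {"certificate_id": cid, "expires_on": NOW + timedelta(days=days_left),
            "renewal_method": method, "reachable": reachable}

SAMPLE = [
    _cert("cert-a", 40, "Auto"),
    _cert("cert-b", 10, "Auto", reachable=False),
    _cert("cert-c", 5, "Manual"),
    _cert("cert-d", -1, "Auto"),
    _cert("cert-e", 10, "Auto"),
]
```

Certificates that are inside the window, set to Auto and reachable are left out of the result because the renewal job is expected to handle them.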

Updating the CRL URL of Certificates

When you update the CRL URL of certificates, CSO obtains the latest list of certificates revoked by the certificate authority (CA) from the certificate revocation list (CRL) server.

To update the CRL URL of certificates:

  1. On the VPN Authentication page, click Update CRL URL.

    The Edit Tenant Certificate CRL page appears.

  2. In the CRL Server field, update the CRL URL.
  3. Click OK.

    A job is created to download the latest CRL.

    You are returned to the VPN Authentication page, where a confirmation message appears.

Changing the CA Server URL and Password

You, as an SP administrator or OpCo administrator, specify the CA Server URL and password on the Administration Portal during tenant onboarding.

To change the CA Server URL and password for the tenant from the Customer Portal:

  1. On the VPN Authentication page, click the Change link.

    The Tenant Certificate Renewal Method page appears.

  2. Specify the updated CA Server URL and Password in the CA Server URL and Password fields, respectively.
  3. Click OK to save your changes.

    The Confirm Renew Certificate page appears.

  4. Click Yes to confirm your changes.

    A confirmation message appears on the VPN Authentication page and the CA server URL and password are updated for all sites of the tenant.

Manually Renewing Certificates for Sites

To manually renew certificates for one or more sites:

  1. On the VPN Authentication page, select one or more sites from the list of available sites and click Renew Certificate.

    The Confirm Renew Certificate page appears.

  2. Click Yes to manually renew the certificates.

    A certificate renewal job is triggered and a confirmation message appears on the VPN Authentication page.

Field Descriptions

Table 1 describes the tenant-level settings for a PKI certificate on the VPN Authentication page.

Table 1: Tenant-level settings on the VPN Authentication page

| Field | Description |
|---|---|
| Certificate Renewal | |
| Current Tenant Setting | Renewal method currently configured for PKI certificates of the tenant. |
| Next Renew Check Time | If the Auto Renew Certificate toggle button on the VPN Authentication page is enabled, displays the date and time at which the next renewal check is scheduled. CSO updates the date and time for renewal every 24 hours. If the Auto Renew Certificate toggle button on the VPN Authentication page is disabled, displays N/A (not applicable). |
| Next CRL check time | Date and time at which the next CRL check is scheduled. |
| Last CRL update time | Date and time at which the CRL was last updated. |

Table 2 displays details of the certificates on the VPN Authentication page.

Table 2: Details of certificates on the VPN Authentication page

| Field | Description |
|---|---|
| Certificate ID | ID of the PKI certificate. |
| Used In | Name of the site with which the PKI certificate is associated. |
| Device | Name of the device with which the PKI certificate is associated. |
| Status | Displays the expiration status of the PKI certificate. If the Auto Renew Certificate toggle button on the VPN Authentication page is enabled, the value in the Status field depends on the renewal period that you selected. If the Auto Renew Certificate toggle button on the VPN Authentication page is disabled, the value in the Status field depends on the default expiration notification time for the certificate. If the expiration date of the certificate does not meet the expiration notification time yet, the Status field displays . If the certificate has expired, the Status field displays Expired. |
| Expires On | Date and time at which the PKI certificate expires. |
| Renewal Method | Renewal method of the PKI certificate: Auto or Manual. |