Is there a way to extend the CA certificate used for the IPSec VPN?

Article #: 1568

Product: Castle

Summary

The Certificate Authority (CA) certificate used for the IPSec VPN is about to expire on our Smoothwall.

Problem

We have a large number of installs, so replacing all the certificates will take too long.

Is there a way we can keep using the old certificates?

Solution

L2TP Connections

For L2TP connections, a new CA and new certificates are needed: once the CA expires, L2TP connections will no longer connect. For authentication, however, the CA is not required to verify the certificate; the public key of the peer certificate can be used instead of the CA, but for that to work the public key of the peer certificate needs to be installed on the Smoothwall.

IPSec Subnet and Roadwarrior Connections

IPSec subnet and roadwarrior tunnels can still be made to work even after the CA and, in some cases, the certificates themselves have expired.

1. Export the public key of certificate VPN1 (the certificate used by Smoothwall 1) as a PEM and import it on Smoothwall 2 — see https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/cacertfile.htm
2. Export the public key of certificate VPN2 (the certificate used by Smoothwall 2) as a PEM and import it on Smoothwall 1

Note: The certificate list shows the newly imported certificate, but its Key marker is shown as a red cross. This is expected: only the public key of the certificate has been imported, so the private key is not present on this Smoothwall.

3. Change the Authenticate by option on both Smoothwalls to Certificate presented by peer — see https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/subnets.htm and https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/rw.htm

The VPN subsystem now authenticates the connection by comparing the certificate presented by the peer against the imported public key; no CA chain is checked, so validity dates are ignored. Note that this also pins trust to that one key: a certificate issued by the CA for a different key will not be accepted, and if a peer's key is rotated or compromised, the imported public key on the other Smoothwall must be replaced or removed by hand.
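As an added illustration of both approaches above (the L2TP note about using the peer certificate's public key, and steps 1 to 3 for subnet and roadwarrior tunnels), here is a Go program that is not part of this article or of the Smoothwall product. It builds a constructed CA and VPN1 certificate that both expired in September 2016, shows that CA-chain verification fails afterwards, and shows that comparing the presented certificate against the exported public key still succeeds, while a certificate issued by the same CA for a different key is rejected. The names, dates, and the functions VerifyByCA, AuthenticateByPeerKey and RunScenario are assumptions for the example; Smoothwall's own implementation is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs while building the constructed fixtures below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue builds a constructed certificate (test fixture, not Smoothwall code):
// self-signed when parent is nil (the CA), otherwise signed by parentKey.
func mustIssue(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore, NotAfter: notAfter,
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}

// publicKeyPEM is what the "export the public key of the certificate as a PEM" step
// yields: the SubjectPublicKeyInfo only, never the private key.
func publicKeyPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: c.RawSubjectPublicKeyInfo})
}

// VerifyByCA models "Authenticate by: CA": chain the presented certificate to the trusted
// CA at time at. It fails once the CA or the peer certificate is past NotAfter.
func VerifyByCA(peer, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IsExpiryError reports whether err is Go's x509 "expired or not yet valid" failure.
func IsExpiryError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// AuthenticateByPeerKey models "Certificate presented by peer": accept iff the presented
// certificate carries exactly the pinned public key. No chain is built, so validity dates
// of the CA and of the certificate play no part; trust is pinned to this one key.
func AuthenticateByPeerKey(presented *x509.Certificate, pinnedPubPEM []byte) (bool, error) {
	pb, _ := pem.Decode(pinnedPubPEM)
	if pb == nil || pb.Type != "PUBLIC KEY" {
		return false, errors.New("pinned key is not a PEM PUBLIC KEY")
	}
	have, want := sha256.Sum256(presented.RawSubjectPublicKeyInfo), sha256.Sum256(pb.Bytes)
	return subtle.ConstantTimeCompare(have[:], want[:]) == 1, nil
}

// RunScenario builds a constructed PKI whose CA expired on 1 Sep 2016 and evaluates both
// policies one month later. Names and dates are made up for the example.
func RunScenario() (caErr error, peerOK, rogueOK bool) {
	start := time.Date(2013, 9, 1, 0, 0, 0, 0, time.UTC)
	end := time.Date(2016, 9, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey := mustIssue("Smoothwall VPN CA", start, end, true, nil, nil)
	vpn1, _ := mustIssue("VPN1", start, end, false, ca, caKey)
	rogue, _ := mustIssue("VPN1", start, end, false, ca, caKey) // same CA and CN, different key
	now := time.Date(2016, 10, 1, 0, 0, 0, 0, time.UTC)
	caErr = VerifyByCA(vpn1, ca, now) // fails: CA and certificate have expired
	pinned := publicKeyPEM(vpn1)      // what Smoothwall 2 imports from Smoothwall 1
	peerOK = must(AuthenticateByPeerKey(vpn1, pinned))   // true: dates are ignored
	rogueOK = must(AuthenticateByPeerKey(rogue, pinned)) // false: wrong key despite a valid CA signature
	return
}

func main() {
	caErr, peerOK, rogueOK := RunScenario()
	fmt.Printf("CA chain: %v\npeer key match: %v\nrogue key match: %v\n", caErr, peerOK, rogueOK)
}
```

Run it with go run. The last comparison is the one worth noting: under the peer-key policy it no longer matters who signed the certificate, so when a peer's key is renewed its new public key has to be imported again, and a compromised key can only be revoked by removing the imported public key.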

Attribution:

Last updated: 23 August 2016

Author: Tanja

Copyright © 2000-2016 Smoothwall All rights reserved.