Summary
The Certificate Authority (CA) certificate used for the IPSec VPN is about to expire on our Smoothwall.
Problem
We have a large number of installs, so replacing all the certificates will take too long. Is there a way we can keep using the old certificates?
Solution
L2TP Connections
For L2TP connections, a new CA and new certificates are needed. Once the CA expires, L2TP connections will no longer connect. You do not need the CA to verify the certificate for authentication purposes; you can use the public key of the peer certificate instead, but for that to work, the public key of the peer certificate must be installed on the Smoothwall. See our help topic, Configuring an L2TP Road warrior Connection.
IPSec Subnet and Roadwarrior Connections
IPSec subnet and roadwarrior tunnels can still be made to work even if the CA and, in some cases, the certificates themselves expire.
- Export the public key of certificate VPN1 as a PEM and import it on Smoothwall 2. See our help topic, Importing and creating certificate authorities and their certificates.
- Export the public key of certificate VPN2 as a PEM and import it on Smoothwall 1.
See our help topics, Creating an IPSec tunnel and Configuring the IPSec road warrior connection.
Note: The certificate list shows the new certificate, but its Key marker is shown as a red cross. This is because the private key is not present; only the public key of the certificate has been imported.
- Change the Authenticate by option on both Smoothwalls to Certificate presented by peer. See our help topics, Creating an IPSec tunnel and Configuring the IPSec road warrior connection. The VPN subsystem now authenticates the connection by comparing the peer certificate's public key against the imported one; validity dates are ignored.
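The following shell script is an added example, not Smoothwall's own tooling, illustrating the two steps above with the openssl command line: exporting only the public key of a certificate as PEM (the file you import on the other Smoothwall, so no private key leaves its box), and checking that a certificate presented by a peer carries the same public key as the stored one, which is the comparison the Certificate presented by peer option relies on and which does not look at validity dates. It also shows how to flag certificates that expire within a window, so that installs can still be inventoried for replacement. The certificates it creates (vpn1, vpn2, a renewed vpn1 over the same key pair) are constructed test data; the file names and the `$WORK` directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Smoothwall's own tooling. Assumes the openssl CLI is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert NAME DAYS: constructed self-signed certificate and key, standing
# in for the VPN1/VPN2 certificates that were issued by the expiring CA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# reissue_cert NAME NEWNAME DAYS: a fresh certificate over the SAME key pair,
# as happens when a certificate is renewed without rekeying.
reissue_cert() {
    openssl req -x509 -new -key "$WORK/$1.key" -days "$3" -subj "/CN=$2" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# export_pubkey CERT OUT: write the public key alone (SubjectPublicKeyInfo) as
# PEM. This is what gets imported on the other Smoothwall; the private key is
# never copied.
export_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# pubkey_fingerprint FILE: SHA-256 over the DER public key, taken from either a
# certificate or a bare public-key PEM, so the two forms compare directly.
pubkey_fingerprint() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -pubkey -noout
    else
        cat "$1"
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# peer_matches PRESENTED STORED: the check "Certificate presented by peer"
# amounts to. Only the public key is compared; the issuing CA and the validity
# dates of either certificate play no part.
peer_matches() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# expires_within CERT SECONDS: true (exit 0) if notAfter falls inside the window.
# Handy for listing which installs still need new certificates even though the
# tunnels keep working.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# --- constructed demonstration data ---
make_test_cert vpn1 365
make_test_cert vpn2 365
reissue_cert vpn1 vpn1-renewed 1          # same key pair, short-lived certificate
export_pubkey "$WORK/vpn1.crt" "$WORK/vpn1.pub.pem"   # the PEM to import on Smoothwall 2

peer_matches "$WORK/vpn1-renewed.crt" "$WORK/vpn1.pub.pem" \
    && echo "vpn1 (renewed cert): public key matches the stored key"
peer_matches "$WORK/vpn2.crt" "$WORK/vpn1.pub.pem" \
    || echo "vpn2: public key does not match vpn1's stored key"
expires_within "$WORK/vpn1-renewed.crt" 172800 \
    && echo "vpn1-renewed: expires within 2 days, schedule replacement"
```

The point of the renewed-certificate case is that a peer can present a certificate with entirely different dates (or one whose CA has lapsed) and still authenticate, as long as the key pair is unchanged; conversely, a certificate over a different key pair is rejected even if it is perfectly valid and chains to the same CA.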