[RayPesek]

If you're running current versions of everything, the certificate should automatically renew when it gets inside the renewal period, which is 60 days by default. I kicked mine up to 90 days.

There were bugs preventing this in some versions of both SecureClient and FW-1. If you're on R55 HFA15 or later, you should be OK on the gateway end.

Seems to me that SecureClient needs to be R55 HFA03 or R56 HFA01 or NGX R60 or later to be OK.

If they get inside 30 days, they will get a dialog box telling them the cert will expire in xx days and asking if they want to renew.

This all assumes the certificate is in a place where it can be written to, like a folder on their computer. I do not know if automatic renewal will work if it's in the local CAPI store.

Once a certificate is expired, no, they cannot renew it any more. You'll need to get them a new one somehow.

If you get set up for the web-based Internal Certificate Authority tool, the browser-based interface to the ICA that runs on TCP 18265 on the SmartCenter, you can use its Advanced Search to look at when the certs will be expiring.

Ray