| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| We have a number of users whose SecureClient certificate has recently expired or will expire soon. 1) Should the SecureClient notify the user their certificate is expiring? 2) Can the user use the Renew certificate button in SecureClient settings to renew the certificate once it's expired? 3) How can I find out when users' certificates & objects are due to expire without examining each user object? Any help appreciated. |
| |||
| If you're running current versions of everything, the certificate should automatically renew when it gets inside the renewal period, which is 60 days by default. I kicked mine up to 90 days. There were bugs preventing this in some versions of both SecureClient and FW-1. If you're on R55 HFA15 or later, you should be OK on the gateway end. Seems to me that SecureClient needs to be R55 HFA03 or R56 HFA01 or NGX R60 or later to be OK. If they get inside 30 days, they will get a dialog box telling them the cert will expire in xx days and asking if they want to renew. This all assumes the certificate is in a place where it can be written to, like a folder on their computer. I do not know if automatic renewal will work if it's in the local CAPI store. Once a certificate is expired, no, they cannot renew it any more. You'll need to get them a new one somehow. If you get set up for the web-based Internal Certificate Authority tool, the browser-based interface to the ICA that runs on TCP 18265 on the SmartCenter, you can use its Advanced Search to look at when the certs will be expiring. Ray |
| |||
| Many thanks Ray, we are running NGX R61 HFA01 and SecureClient is R60 NGX HFA1, although some users may be on R55. As far as I know all certificates are stored in the default folder and not part of CAPI. I'll look into setting up the web-based Internal Certificate Authority tool. How do you change the default renewal period? |
| |||
| I *think* it's in Global Properties, Remote Access. If not, go through the gateway properties and SmartCenter properties. It's pretty obvious. Make sure your end users have "write" rights into that folder as well. If you did not assign a site nick name, the R55 ones should still renew. The bug I mentioned in SecureClient caused the certificate renewal attempt to go to http://nick name instead of http://<ip-address-of-gateway> Ray |