You use X.509 certificates for VPN connections and you are a loyal user of Astaro Security Gateway? Maybe you should check the expiration date of your CA (Certificate Authority) Certificate, because it has a lifetime of “just” 4 years. If you use X.509 certificates for VPN connections and imported your configuration from a V5 you should check the expiration date of your CA (Certificate Authority) Certificates.
Please login into the WebAdmin, go to IPSec VPN >> CA Management and hover over the blue i of the Verification CA. You will see something like this:
The entry Expires shows you, when your VPN connections with X.509 certificates signed by this CA will be dropped, because its expired. And they will be dropped minutious, I tested it today 🙂 Another good indicator for an expired Certificate Authority Certificate is a red error message “No verification CA !” for your host certificate:
Be prepared and generate a new Certificate Authority Certificate under IPSec VPN >> CA Management and sign your host certificate before the expiration date. The online help of ASG will guide you with a Basic Step-by-Step Setup paragraph.
Is this a bug? Is this irritating?
No, its a security feature! Four years is a very long time – usually nobody will run (or should run) a security device for this time without a major release change. Maybe you did, because we offered you always a seamless upgrade path from major version to major version (btw. without any extra costs) and your configuration including the certificates moved from release to release. So this is your chance to clean things up, to rethink your VPN setup and to wonder who are these people asking for a new certificate because the VPN connection is broken…
Maybe its also good reason to increase the key size of the Certificate Authority, you never know.
The original article/video can be found at CA Certificate expiration date