Renew Web Isolation Gateway Server Certificates Set To Expire

Article ID: 226479

Products

Web Isolation, Web Isolation Cloud, Threat Isolation Gateway

Issue/Introduction

Web Isolation (WI) on-prem customers who use auto-generated server certificates need to know when those certificates are set to expire and have a process to renew them.

Cause

Like any certificate, WI auto-generated server certificates have an expiry date and should be regenerated before that date.

Environment

The script referenced in this article was written only for on-prem WI customers on versions 1.13.x and 1.14.x who use auto-generated server certificates that are expired or close to expiry.

Resolution

  1. Initial Verification
    First, check how many days remain before the server certificate expires on each gateway:
    MGMT GUI > system configuration > system certificates
    The script can be executed when there are 30 days or less before expiration. If gateways have different expiration dates, the script will only renew gateway certificates that have 30 days or less before expiration.

  2. Download & Run Script
    SSH into the MGMT gateway and run the following commands:

    cd /tmp
    sudo fgcli fileserver download certificate_regeneration.tar.gz ./
    sudo tar -xzf certificate_regeneration.tar.gz
    cd certificate_script/
    sudo ./start.sh

  3. Re-verification
    MGMT GUI > system configuration > system certificates
    Any gateway certificates that had 30 days or less remaining will now have a new expiry date of 1 year.
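
The 30-day window from step 1 can also be checked from a shell, for example as a scheduled reminder. This is an added example, not part of the article's script: `cert_status` and `make_sample_cert` are hypothetical helper names, and it assumes `openssl` is installed and that each gateway's server certificate is available as a PEM file. The sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify certificates against the article's 30-day renewal window.
# Assumption: openssl is installed and the certificate is a readable PEM file.

WINDOW_DAYS=30   # the article's script renews at 30 days or less before expiry

# cert_status FILE [DAYS] -> prints "ok", "renew", "expired" or "unreadable"
cert_status() {
    days=${2:-$WINDOW_DAYS}
    # Reject anything that does not parse as an X.509 certificate, so a bad
    # file is never reported as merely "expired".
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 2; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo renew      # inside the renewal window
    else
        echo ok         # more than DAYS left
    fi
}

# make_sample_cert DIR NAME DAYS -> writes a constructed self-signed DIR/NAME.pem
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Demonstration on two constructed certificates (10 and 365 days of validity).
demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir" gw-near 10
    make_sample_cert "$dir" gw-far 365
    for pem in "$dir"/*.pem; do
        printf '%s: %s\n' "$(basename "$pem")" "$(cert_status "$pem" || true)"
    done
    rm -rf "$dir"
}
demo
```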

Additional Information

This article applies only to customers who use WI's auto-generated server certificates instead of their own custom certificates and who are running WI 1.13.x or 1.14.x.