VMware VeloCloud SD-WAN all software releases
The VCO issues certificates that expire after 90 days but, by default, renews them automatically every 30 days as long as the VCO and the VCE can communicate.
On each renewal, all tunnels are torn down and re-established with the new key, regardless of the number of links.
This is the expected behavior.
Option 1: The "edge.certificate.renewal.window" and "gateway.certificate.renewal.window" system properties on the VCO can be configured to move the renewal window outside of business-critical hours. Operators can define multiple windows to restrict the days and the hours of the day during which Edge renewals are enabled. Refer to the example below (placeholder values are shown in angle brackets):
{
  "enabled": true,
  "windows": [
    {
      "enabled": true,
      "timezone": "<timezone for first window>",
      "days": "<days for first window>",
      "start": "<start time for first window>",
      "end": "<end time for first window>"
    },
    {
      "enabled": true,
      "timezone": "<timezone for second window>",
      "days": "<days for second window>",
      "start": "<start time for second window>",
      "end": "<end time for second window>"
    }
  ]
}
Refer to the document below for the detailed attribute requirements.
Option 2: The certificate validity period can be changed with the VCO system properties "ca.edge.certificate.life.days" and "ca.gateway.certificate.life.days".
Note: A certificate validity period that is too long increases the risk posed by a leaked certificate, because a compromised key remains valid for longer.
Option 3: The certificate renewal threshold can be adjusted with the VCO system properties "ca.edge.certificate.life.threshold.percent" and "ca.gateway.certificate.life.threshold.percent".
Note: Edge certificates are renewed when this percentage or less of the certificate's life remains.
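As an added illustration (not VeloCloud code), the following Python models how the three knobs above interact: a certificate becomes due for renewal once its remaining life drops to the threshold percentage, and the renewal (with the tunnel re-establishment it triggers) is then deferred until the current time falls inside an enabled renewal window. The window attribute formats used here (a "+HH:MM" UTC offset, weekday names, "HH:MM" local times) are assumptions, as the page defers the real attribute definitions to a separate document.

```python
from datetime import datetime, timedelta, timezone

# Constructed renewal-window policy in the shape of the page's template.
# Attribute formats (UTC offsets, weekday names, "HH:MM" local times) are
# assumptions; the VCO's real attribute formats are in the referenced document.
RENEWAL_WINDOWS = {
    "enabled": True,
    "windows": [
        {"enabled": True, "timezone": "+01:00", "days": ["Sat", "Sun"],
         "start": "00:00", "end": "23:59"},
        {"enabled": True, "timezone": "+01:00", "days": ["Mon", "Tue", "Wed", "Thu", "Fri"],
         "start": "01:00", "end": "04:00"},
    ],
}
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def utc(y, m, d, h=0, mi=0):
    """Build a timezone-aware UTC datetime (certificate times are compared in UTC)."""
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)

def parse_offset(offset):
    """Parse an assumed '+HH:MM' offset string into a fixed-offset tzinfo."""
    sign = -1 if offset.startswith("-") else 1
    hh, mm = offset.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hh), minutes=int(mm)))

def renewal_due(issued_utc, now_utc, life_days, threshold_percent):
    """True once remaining life is at or below threshold_percent of life_days
    (the ca.*.certificate.life.days and ca.*.certificate.life.threshold.percent knobs)."""
    remaining_days = (issued_utc + timedelta(days=life_days) - now_utc) / timedelta(days=1)
    return remaining_days * 100 <= life_days * threshold_percent

def in_renewal_window(now_utc, policy):
    """True if now_utc falls inside an enabled window of the renewal-window policy."""
    if not policy.get("enabled"):
        return True  # assumption: with the policy disabled, renewal is never deferred
    for w in policy["windows"]:
        if not w.get("enabled"):
            continue
        local = now_utc.astimezone(parse_offset(w["timezone"]))
        if WEEKDAYS[local.weekday()] not in w["days"]:
            continue
        start = datetime.strptime(w["start"], "%H:%M").time()
        end = datetime.strptime(w["end"], "%H:%M").time()
        if start <= local.time() <= end:
            return True
    return False

def should_renew_now(issued_utc, now_utc, life_days, threshold_percent, policy):
    """Renewal (and the tunnel flap it causes) happens only when the threshold is
    reached AND the current time is inside an allowed window."""
    return (renewal_due(issued_utc, now_utc, life_days, threshold_percent)
            and in_renewal_window(now_utc, policy))
```

With a 90-day certificate, 30 days after issuance 60 days (66.7%) of life remain, so a threshold of 67 makes it due while a threshold of 66 does not.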
For shared VCOs, the related VCO system properties are disabled by default and cannot be modified. Instead, the certificate can be renewed manually outside of business-critical hours:
Once it has been renewed manually, subsequent automatic renewals will occur closer to the desired time window.