Certificate Authority


The security of the Appgate SDP Collective is initially based on a 10 year self-signed root certificate. For more advice on managing the CA certificates refer to Managing Appliances > Certificates.

Certificate Authority related tools

The initial Controller in a Collective creates a CA certificate that has a 10 year lifetime; you should generate the next CA certificate well before it expires. There is also the option for you to upload the next CA certificate - based on an externally generated root certificate. We recommend generating the internal CA certificate.

Current CA

The Current CA is shown with its key details, such as the Subject and the validity dates. If the certificate contains any Name Constraints (which may be the case for an uploaded CA), these are also shown.

Fingerprint

This fingerprint is used in the Client profile and allows the Client to verify the authenticity of the Controller. This can be copied if required.

Download CA Certificate

This CA certificate may be required when running remote tools such as sdpctl. It is also available for download directly at: https://mycontroller.com:8443/ui/global-settings/ca

Refer to Admin UI, sdpctl and Device and Client controls.
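A practitioner who downloads the CA certificate for sdpctl should check that it is the CA the Admin UI reports, rather than trusting the download on its own. The script below is an added example, not code from the Appgate product or documentation: it decodes a PEM download to DER, computes the fingerprint, and compares it with the value copied from the Fingerprint field or from a Client profile, tolerating the usual formatting differences (colons, case). It assumes the fingerprint shown by the UI is a SHA-256 digest of the DER-encoded certificate, which is the common convention; the `algo` parameter lets you adjust if your UI states otherwise. The embedded PEM is a constructed placeholder wrapped around the bytes `hello`, not a real certificate, so the script runs offline; point it at the file downloaded from your Controller for a real check.

```python
"""Compute and verify the fingerprint of a downloaded CA certificate (PEM).

Added example, not Appgate code. Assumption: the Admin UI fingerprint is the
SHA-256 digest over the DER encoding of the certificate.
"""
import base64
import hashlib
import re

# Constructed placeholder: a PEM wrapper around the bytes b"hello", NOT a real
# certificate. Replace with the file downloaded from
# https://<controller>:8443/ui/global-settings/ca to check a real CA.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

# Fingerprint as it might be copied from the Admin UI or a Client profile
# (here: the known SHA-256 of b"hello", lower-case and without colons).
EXPECTED_FROM_UI = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(match.group(1).split())  # drop line breaks and spaces
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Digest of the DER bytes as upper-case, colon-separated hex (the form
    most UIs and tools display)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form for comparison: strip colons and spaces, upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def matches(pem: str, expected_fp: str, algo: str = "sha256") -> bool:
    """True if the PEM's fingerprint equals the expected one, however either
    side was formatted. A mismatch means the download is not the CA the
    Controller reports and must not be trusted."""
    return normalize(fingerprint(pem_to_der(pem), algo)) == normalize(expected_fp)


if __name__ == "__main__":
    fp = fingerprint(pem_to_der(SAMPLE_PEM))
    print("SHA-256 fingerprint:", fp)
    print("matches value from Admin UI:", matches(SAMPLE_PEM, EXPECTED_FROM_UI))
```

Run the same comparison for the Next CA during a rollover: the fingerprint copied from the Next CA panel must match the next CA certificate you download, and the one embedded in newly generated Client profiles must match the CA the Clients are expected to trust after activation.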

Next CA

The Next CA should be used in parallel with the Current CA until it has been fully distributed. There are two options:

  • Generate - You have the option of setting the Certificate's Subject and Validity period (years). The next CA certificate can have a validity period of up to 20 years. We recommend that you use this option to set an appropriate time period.

  • Upload - You need to create and upload a P12 file, enter its password (if one was set), and you have the option to Enable CRL (refer to Internal Certificates for more details).

During the transitional phase, the next CA certificate is distributed to every client that connects. Sufficient time should be allowed to ensure all clients have connected at least once; a client will only pick up the next CA certificate at sign-in or when the claims token is renewed.
Appliances in the Collective use the same process, but for them distribution should be almost immediate. New client profiles generated after this time will include the next CA certificate.

NOTE

Write access to "TrustedCertificatePath" is recommended when using the headless Client.

During this time you are also able to copy the next fingerprint and download the next CA Certificate just like the current CA certificate.

Activate next CA

To activate the Next CA you first need to add a new license for the Next CA.