The security of the AppGate ZTNA Collective is initially based on a 10-year, self-signed root certificate. For more advice on managing CA certificates, see the Internal Certificates section.
The initial Controller in a Collective creates a CA certificate with a 10-year lifetime; you should generate the next CA certificate well before it expires. You can also upload a next CA certificate based on an externally generated root certificate, but we recommend generating the internal CA certificate.
The Certificate Authority page (System > Certificate Authority) displays the following at the top of the page:
Time left on Current CA. The number of days left before the current CA certificate expires.
Next CA status. The status of the next CA.
The lower half of the page is made up of the Current CA and Next CA tabs.
Current CA
Details of the current CA are shown including details such as the organization and validity dates. When the certificate contains any name constraints these will also be shown.
The Current CA tab also displays the Fingerprint. This fingerprint is embedded in the client profile and allows the client to verify the authenticity of the Controller. It can be copied if required.
Use the Actions button to select one of the following options:
Download CRL File. Downloads the CRL file.
Download Certificate. Downloads the certificate, which may be required when running remote scripts, for example with sdpctl. It is also available for download directly at: https://mycontroller.com:8443/ui/global-settings/ca
Refer to Admin UI, sdpctl, and Device and client controls for more information.
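Before a downloaded CA certificate is handed to sdpctl or a remote script, an operator should confirm that it is the same certificate the Admin UI shows: compare its fingerprint with the value on the Current CA tab, and check the validity dates and any name constraints. The following Go program is an added example written for this page; it is not AppGate code and does not use any AppGate API. It assumes the fingerprint displayed in the Admin UI is a SHA-256 hash of the certificate's DER encoding (shown in hex, with or without colon separators). The certificate it inspects is a constructed self-signed CA generated in-process so the example runs offline; in practice you would read the PEM file downloaded from the Current CA (or Next CA) tab instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CAReport holds the values an operator compares against the Admin UI
// Current CA tab: subject, validity, days left, fingerprint, name constraints.
type CAReport struct {
	Subject             string
	NotBefore, NotAfter time.Time
	DaysLeft            int
	FingerprintSHA256   string   // lowercase hex, no separators (assumed UI format)
	PermittedDNSDomains []string // DNS name constraints, if the CA carries any
}

// InspectCA parses a PEM-encoded CA certificate and computes the report.
func InspectCA(pemData []byte, now time.Time) (*CAReport, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if !cert.IsCA {
		return nil, errors.New("certificate is not a CA (BasicConstraints cA=false)")
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint = hash of the DER encoding
	return &CAReport{
		Subject:             cert.Subject.String(),
		NotBefore:           cert.NotBefore,
		NotAfter:            cert.NotAfter,
		DaysLeft:            int(cert.NotAfter.Sub(now).Hours() / 24),
		FingerprintSHA256:   hex.EncodeToString(sum[:]),
		PermittedDNSDomains: cert.PermittedDNSDomains,
	}, nil
}

// FingerprintMatches compares a fingerprint pasted from the Admin UI
// (colons and upper-case tolerated) with the one computed from the file.
func FingerprintMatches(r *CAReport, pasted string) bool {
	pasted = strings.ReplaceAll(pasted, ":", "")
	pasted = strings.ReplaceAll(pasted, " ", "")
	return strings.ToLower(pasted) == r.FingerprintSHA256
}

// NewTestCAPEM builds a constructed self-signed CA for the demo only;
// it is not an AppGate-issued certificate.
func NewTestCAPEM(validYears int, permittedDNS []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{Organization: []string{"Example Collective"}, CommonName: "Example Internal CA"},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().AddDate(validYears, 0, 0),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permittedDNS,
		PermittedDNSDomainsCritical: len(permittedDNS) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemData, err := NewTestCAPEM(10, []string{".example.com"})
	if err != nil {
		panic(err)
	}
	r, err := InspectCA(pemData, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("Subject:     %s\nValid:       %s to %s\nDays left:   %d\nFingerprint: %s\nConstraints: %v\n",
		r.Subject, r.NotBefore.Format("2006-01-02"), r.NotAfter.Format("2006-01-02"),
		r.DaysLeft, r.FingerprintSHA256, r.PermittedDNSDomains)
	// Replace the argument with the fingerprint copied from the Admin UI.
	fmt.Println("matches Admin UI value:", FingerprintMatches(r, strings.ToUpper(r.FingerprintSHA256)))
}
```

The same check applies to the next CA certificate downloaded from the Next CA tab during a transition: its fingerprint should match the next fingerprint shown there, and its validity period should be the one you chose when generating or uploading it.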
Next CA
The next CA should be used in parallel with the current CA until it has been fully distributed. There are two options for the next CA under the Actions button:
Generate. You can set the certificate's Subject and Validity period (years); the next CA certificate can have a validity period of up to 20 years. Choose a period appropriate for your environment.
Upload. You need to create and upload a P12 file, add the password (if required), and optionally Enable CRL (refer to Internal Certificates for more details).
During the transitional phase, the next CA certificate is distributed to every client that connects. Sufficient time should be allowed to ensure all clients have connected at least once; a client will only pick up the next CA certificate at sign-in or when the claims token is renewed.
Appliances in the Collective use the same process, but for them distribution should be almost immediate. New client profiles generated after this time will include the next CA certificate.
NOTE
Write access to "TrustedCertificatePath" is recommended when using the headless client.
During this time you are also able to copy the next fingerprint and download the next CA Certificate just like the current CA certificate.
Activate next CA. To activate the next CA you first need to add a new license for the next CA.