AppGate appliances require a valid certificate for the trust model used throughout the Collective. Any appliance with an invalid or expired certificate will not be able to communicate with the Collective, which could prevent users from establishing connections to resources, or even prevent users from being able to authenticate.
Certificates for new appliances are valid for approximately 2 years and 3 months and will need to be renewed before their expiration date. Additionally, if any change is made to the appliance hostname, Unique Client/Admin hostname, the "Extra Hostnames In Certificate" field, or the networking interfaces, the appliance certificate must be renewed.
In certain situations, certificate renewal is triggered automatically when the change is committed. In other situations, the system administrator is reminded to renew the certificate manually.
NOTE: SDP appliance certificates should not be confused with the Controller CA certificate, which has a lifetime of 10 years. See the CA Certificate section of Managing Certificates (General Administration > Managing Appliances > Certificates) in your AppGate SDP Admin Guide for details.
NOTE: All links to the AppGate SDP Admin Guide are for the most recent supported version of AppGate SDP. If you are using an older supported version of SDP, you can find a link to your Admin guide here.
It is imperative that the appliance certificate is renewed before it expires. 30 days prior to the appliance certificate expiring, a warning is issued in the SDP Admin Dashboard, changing the status of the appliance and reporting the time and date of the expiration, as illustrated below:

As of AppGate SDP v6.0.0, the system will automatically renew any appliance certificate 24 hours before it actually expires. Users on older versions of AppGate SDP may need to rebuild appliances with expired certificates, which may include restoring appliances from backups.
Checking SDP Appliance Certificate Expiration Dates
To check the expiration date for an appliance certificate, you will need to SSH to the appliance and run the following command:
sudo openssl x509 -in /mnt/state/pki/appliance-cert.pem -noout -text
The "Not After" field under "Validity" near the top of the output is the appliance certificate expiration date, as in the example output below:
Validity
Not Before: Sep 2 14:25:55 2024 GMT
Not After: Dec 6 14:25:55 2026 GMT
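The following is an added example, not part of the original article or of AppGate's tooling: a small Python helper that parses the Validity block from the openssl output above and maps the time remaining to the windows this article describes (the 30-day dashboard warning and the 24-hour automatic renewal in v6.0.0 and later). The function names, state labels and sample text are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity block as printed by
# `openssl x509 -in /mnt/state/pki/appliance-cert.pem -noout -text`,
# using the dates from the article's example output.
SAMPLE_OUTPUT = """\
        Validity
            Not Before: Sep  2 14:25:55 2024 GMT
            Not After : Dec  6 14:25:55 2026 GMT
"""

WARNING_WINDOW = timedelta(days=30)      # Admin Dashboard warning starts here
AUTO_RENEW_WINDOW = timedelta(hours=24)  # v6.0.0+ renews automatically here

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*(?:GMT|UTC)?\s*$", re.M)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for name, value in _FIELD.findall(text):
        # Collapse the padding openssl puts before single-digit days.
        parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y")
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if "Before" not in found or "After" not in found:
        raise ValueError("no Validity block found in openssl output")
    return found["Before"], found["After"]


def classify(not_after, now):
    """Map the time left on the certificate to a state label (labels are hypothetical)."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= AUTO_RENEW_WINDOW:
        return "auto-renew-window"
    if remaining <= WARNING_WINDOW:
        return "warning"
    return "ok"


if __name__ == "__main__":
    before, after = parse_validity(SAMPLE_OUTPUT)
    now = datetime.now(timezone.utc)
    print(f"valid {before:%Y-%m-%d} .. {after:%Y-%m-%d}: {classify(after, now)}")
```

On versions prior to v6.0, treat the "auto-renew-window" state as a last call for manual renewal, since no automatic renewal takes place there.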
Manually Renewing SDP Appliance Certificates
SDP admins must renew certificates manually before they expire. To renew the certificate:
Navigate to System > Appliances in the SDP Admin user interface.
Hover your mouse cursor over the appliance and click the Renew Certificate button, as illustrated below.

What to Expect at Renewal
When renewal occurs, the appliance is temporarily deactivated until the certificate is successfully renewed. At the SDP Admin System > Appliances tab, the appliance displays as "Not Activated" for a short period (no Admin action is necessary). When the certificate is successfully renewed, the appliance is again displayed as "Activated."
Any active Client connections are dropped, but they are automatically reconnected once the certificate has been renewed (or they will fail over to the other Gateways in the same AppGate SDP Site, if any). In the case of a Controller, the appliance will briefly not receive new connections until the certificate renewal is completed.
Instructions for AppGate versions prior to v6.0 (EOL)
In the event of an appliance certificate expiring on one of the Controllers, a Gateway, or any other appliance, the easiest solution is to wipe the appliance and re-seed it from the SDP Admin user interface. Refer to the Manual Seeding of an Appliance section of Configuring a new appliance (General Administration > Managing Appliances > Configuring a new appliance) in your AppGate SDP Admin Guide for details.
If you have a single Controller in your AppGate SDP Collective, and its appliance certificate expires, the trust throughout the Collective is lost, users will no longer be able to connect, and users will receive an “Invalid cert” error on their AppGate SDP Client. If this occurs, DO NOT attempt to renew the certificate using the SDP Admin user interface. To remedy this situation:
Stop ntp on the appliance.
Example: sudo systemctl stop ntp
Set the date to a date just earlier than the certificate expiration date provided in the system warning.
Example: sudo date --set="27 NOV 2023 18:00:00"
Renew the appliance certificate from the SDP Admin user interface. See Manually Renewing SDP Appliance Certificates above.
Wait for the system to return to a green/healthy state (you may need to sign into the SDP Admin user interface again).
Verify that the date/time on the appliance is correct.
Example: root@username:~# date
Tue Dec 7 15:45:04 UTC 2021
If you have any problems or questions regarding this process, please contact AppGate SDP Support.