Re: Default certificate is going to expire

spacemeb · ‎10-06-2021

Hello,

We have 3 certificates on ESA along with the default.

We noticed that soon it's going to expire.

From certconfig, there is no option to update the default certificate.

What should we do?

Thanks,

MEB

Ken Stieers · ‎10-06-2021

IIRC the default will auto rotate itself.
But if you're not using it (and current versions throw a message on cert relate pages about the fact that you are using it), it won't matter...

spacemeb · ‎10-08-2021

You may be right, it may auto-renew itself.

However, as best practise, i read that if you use somewhere the demonstrate certificate (usually it says where is used once you go to network > certificafes) you should use self-signed cert instead of it, if your public ones are not related with the hostname that you have specify for each course of action.

Regularly, you can see where the certificate is used on interfaces, listeners, destination controls etc.

So, we will use a self-signed to be on the safe side, but will also let the demo to see what will happen.

Hope it helps the next guy/gal who will have the same issue.

Meb

dmccabej · ‎10-11-2021

Hello,

The demo certificate is a dummy self-signed certificate and is not really intended to be used outside of initial deployment. You can create your own self-signed certificate to use in place of the demo. Of course, the ideal scenario would be to get your certificate signed by a trusted third party so that it can be verified. There's no reason not to have a trusted and signed certificate nowadays as they're quite cheap and easy to obtain.

As far as demo renewal, it has been done for specific versions in the past, and if expired, then during an upgrade; however, from what I've heard, that is no longer the case, and it will no longer auto-renew moving forward.

Thanks!

-Dennis M.

Ken Stieers · ‎10-11-2021

Thanks for that bit of insight about auto-renewal Dennis!