Certificate Rotation

R6 introduces optional automatic remote agent certificate rotation. The gateway(s) can be configured to allow a maximum remote agent certificate age. When the remote agent’s certificate nears the maximum allowed age, the gateway signals that a new certificate is required and initiates a certificate rotation.

Certificate rotation is configured in the settings tab of the configuration area:

Certificate rotation limits the window of exposure if a remote agent certificate has been compromised. It does, however, introduce the possibility of an unexpected loss of communications if the certificate rotation handshake fails, since the gateway would then no longer recognise the certificate the agent presents. For this reason, a recovery path has been added for a failed certificate rotation. This functionality, called “break glass”, allows a one-time replacement of the gateway-stored remote agent certificate.

To initiate break glass mode, right-click the remote agent and select the “Certificate Rotation Break Glass” option. Note that you must have the “Manage Certificates” permission (otherwise the menu item is disabled).

In the break glass dialog, enter the number of hours during which the remote agent will be allowed to present a new certificate. Choose a value that is as short as possible, but long enough that the remote agent can be expected to attempt a connection within that period; while the window is open, the gateway will accept whatever certificate the agent presents, so the window itself is the exposure you are trading for recovery.

If the remote agent does not connect within the allowed period of time, the break glass option will need to be performed again.

As soon as the remote agent successfully connects, break glass mode is disabled again and the regular certificate handshake resumes.
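The following is an added illustration of the gateway-side decisions described above (the rotation trigger based on certificate age, and the one-time break glass window), not the product's own code. The record layout, the `rotate_margin` lead time used to interpret "nears the maximum allowed age", the string return values and the sample timestamps are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed, illustrative gateway-side state for one remote agent.
# Field names and the rotate_margin lead time are assumptions; the page does
# not describe the product's internal representation.


@dataclass
class AgentRecord:
    agent_id: str
    pinned_fingerprint: str            # hex SHA-256 of the gateway-stored agent certificate
    cert_issued_at: datetime           # notBefore of that stored certificate
    max_cert_age: timedelta            # gateway setting: maximum allowed certificate age
    rotate_margin: timedelta = timedelta(days=1)   # assumption: "nears" = within this lead time
    break_glass_until: Optional[datetime] = None   # one-time replacement window; None = disabled


def open_break_glass(rec: AgentRecord, hours: float, now: datetime,
                     has_manage_certificates: bool) -> datetime:
    """Arm the one-time replacement window for `hours` from `now`.

    Mirrors the dialog: the caller needs the Manage Certificates permission
    and must supply a positive duration. Returns the window's expiry.
    """
    if not has_manage_certificates:
        raise PermissionError("Manage Certificates permission is required")
    if hours <= 0:
        raise ValueError("break glass window must be a positive number of hours")
    rec.break_glass_until = now + timedelta(hours=hours)
    return rec.break_glass_until


def evaluate_connection(rec: AgentRecord, presented_fingerprint: str,
                        presented_issued_at: datetime, now: datetime) -> Tuple[str, str]:
    """Decide how the gateway treats an agent presenting a certificate.

    Returns ("accept" | "reject", reason). Any successful connection closes an
    open break glass window, so the window is consumed exactly once.
    """
    window_open = rec.break_glass_until is not None and now <= rec.break_glass_until
    if rec.break_glass_until is not None and not window_open:
        rec.break_glass_until = None      # expired unused: the operator must break glass again

    if presented_fingerprint != rec.pinned_fingerprint:
        if not window_open:
            return "reject", "certificate does not match the gateway-stored certificate"
        # Inside the window: one-time replacement of the stored certificate.
        rec.pinned_fingerprint = presented_fingerprint
        rec.cert_issued_at = presented_issued_at
        rec.break_glass_until = None
        return "accept", "stored certificate replaced via break glass"

    rec.break_glass_until = None          # successful connect: back to the regular handshake
    age = now - rec.cert_issued_at
    if age >= rec.max_cert_age - rec.rotate_margin:
        # The gateway signals that a new certificate is required and starts rotation.
        return "accept", "rotation required"
    return "accept", "ok"


if __name__ == "__main__":
    # Constructed scenario: a cert about to hit the 30-day policy, then a failed
    # rotation recovered with a 2-hour break glass window.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    old_fp, new_fp = "aa" * 32, "bb" * 32
    rec = AgentRecord("agent-01", old_fp, t0 - timedelta(days=29, hours=12), timedelta(days=30))
    print(evaluate_connection(rec, old_fp, rec.cert_issued_at, t0))       # rotation required
    print(evaluate_connection(rec, new_fp, t0, t0))                       # reject: unknown cert
    open_break_glass(rec, 2, t0, has_manage_certificates=True)
    print(evaluate_connection(rec, new_fp, t0, t0 + timedelta(hours=3)))  # reject: window expired
    open_break_glass(rec, 2, t0 + timedelta(hours=3), has_manage_certificates=True)
    print(evaluate_connection(rec, new_fp, t0, t0 + timedelta(hours=4)))  # accept: replaced
    print(evaluate_connection(rec, old_fp, t0, t0 + timedelta(hours=5)))  # reject: old cert gone
```

The check worth noticing is the order of operations: an expired window is cleared before the fingerprint comparison, so a late agent is rejected rather than silently accepted, and the window is cleared on every accepted connection, so it can never be used twice.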