Introduction

This topic explains how to renew PKI certificates. PKI certificates are signed for a defined validity period and therefore expire. When a certificate is about to expire, a new certificate with a prolonged validity must be created and the existing certificate on the SBC must be replaced with it.

Procedure

Note

The certificate replacement procedure may affect service, because the old certificate has to be replaced with the new one. New sessions are not established during the certificate replacement; stable sessions are maintained.

Local Certificates

  1. Generate the new local certificate by performing the steps used to generate the old certificate. Use the same Subject and SAN/CN details as the old certificate, and use the old certificate's CSR file to generate the new certificate. To import local certificates, refer to PKI Security - CLI - Local-InternalCertificates.
  2. Sign the new local certificate with the same CA that signed the old certificate, with a prolonged validity.
  3. Import the new local certificate to SBC and enable it.

    set system security pki certificate <NEW PKI Certificate Name> fileName <p12 filename> type local passPhrase <passPhrase> state enabled
  4. Find all TLS profiles with the current local certificate.
  5. Schedule a maintenance window to replace the old certificate with the new certificate in all TLS profiles that use the old/expired certificate, and then delete the old certificate.

    set profiles security tlsProfile <Existing TLS Profile Name> serverCertName/clientCertName <NEW PKI Certificate Name>

    set system security pki certificate <OLD PKI Certificate Name> state disabled

    delete system security pki certificate <OLD PKI Certificate Name>
    commit
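Steps 1 and 2 above (and the same steps for Local-Internal certificates below) require the renewed certificate to carry the same Subject and SAN/CN as the old one and to be signed by the same CA with a prolonged validity. The following script is an added example, not part of the Ribbon documentation and not SBC CLI: it uses the openssl command line, off-box, to verify those properties before the new certificate is imported and assigned to TLS profiles. The CA, hostnames (sbc.example.test), key pair and all three certificates are constructed in a temporary directory for the demonstration; on a real system the check functions would be pointed at PEM exports of the old and new certificate and at the CA certificate.

```shell
#!/bin/sh
# Added example (not Ribbon documentation or SBC CLI): off-box pre-flight checks
# with openssl before a renewed certificate is imported with
# "set system security pki certificate ...". Everything below is constructed in
# a temp directory: a lab CA, the expiring certificate and its renewal. On a
# real system, point the check functions at PEM exports of the old and new
# certificate and at the CA certificate that signed them.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed CA standing in for the CA that signed the old certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Subject and SAN that the old and new certificate must share (step 1).
SUBJ="/C=US/O=Example/CN=sbc.example.test"
printf 'subjectAltName = DNS:sbc.example.test, DNS:sbc-a.example.test\n' > "$WORK/san.cnf"
# A SAN set that differs from the old certificate: used to show a failing check.
printf 'subjectAltName = DNS:other.example.test\n' > "$WORK/san-wrong.cnf"

# One key pair and one CSR, reused for both certificates as the procedure allows.
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
  -keyout "$WORK/sbc.key" -out "$WORK/sbc.csr" 2>/dev/null

# sign_csr <csr> <extfile> <days> <out>: issue a certificate from the constructed CA.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$2" -days "$3" -out "$4" 2>/dev/null
}
sign_csr "$WORK/sbc.csr" "$WORK/san.cnf"       1   "$WORK/old.pem"   # about to expire
sign_csr "$WORK/sbc.csr" "$WORK/san.cnf"       730 "$WORK/new.pem"   # prolonged validity
sign_csr "$WORK/sbc.csr" "$WORK/san-wrong.cnf" 730 "$WORK/wrong.pem" # SAN mismatch

# same_subject <old> <new>: the Subject must be unchanged.
same_subject() {
  [ "$(openssl x509 -noout -subject -in "$1")" = "$(openssl x509 -noout -subject -in "$2")" ]
}

# same_san <old> <new>: the subjectAltName extension must be unchanged.
same_san() {
  [ "$(openssl x509 -noout -ext subjectAltName -in "$1")" = \
    "$(openssl x509 -noout -ext subjectAltName -in "$2")" ]
}

# signed_by <ca> <cert>: the new certificate must chain to the same CA (step 2).
signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within <seconds> <cert>: true if notAfter falls inside the window.
# "openssl x509 -checkend" exits 0 when the certificate is still valid at that
# point in time, so its status is negated here.
expires_within() {
  ! openssl x509 -noout -checkend "$1" -in "$2" >/dev/null
}

THIRTY_DAYS=2592000

# renewal_ok <old> <new> <ca>: every check a replacement should pass before it
# is imported and assigned to TLS profiles.
renewal_ok() {
  same_subject "$1" "$2" && same_san "$1" "$2" && signed_by "$3" "$2" \
    && ! expires_within "$THIRTY_DAYS" "$2"
}

if renewal_ok "$WORK/old.pem" "$WORK/new.pem" "$WORK/ca.pem"; then
  echo "new.pem: subject, SAN and issuer match old.pem; valid beyond 30 days"
fi
if ! same_san "$WORK/old.pem" "$WORK/wrong.pem"; then
  echo "wrong.pem: SAN differs from old.pem, do not import"
fi
```

The same `expires_within` check, run periodically against the certificates exported from the SBC, is what turns step 4 (find the profiles that use the expiring certificate) from a reactive task into a scheduled one; the 30-day window is an assumption chosen for the example.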

Local-Internal Certificates

  1. Generate the new local-internal certificate with the same procedure used to generate the old certificate. Use the same Subject and SAN/CN details as the old certificate to generate a new CSR, or use the old certificate's CSR file, to generate the new Local-Internal certificate. To create and configure a new Local-Internal certificate, refer to Generating PKI Certificates.
  2. Sign the new Local-Internal certificate with the same CA that signed the old certificate, with a prolonged validity.
  3. Import the new Local-Internal certificate to the SBC and enable it.
  4. Find all TLS profiles to which the expiring Local-Internal certificate is currently assigned.
  5. Schedule a maintenance window to replace the old certificate with the new certificate in all those TLS profiles, and then delete the old certificate.

Remote Certificates

  1. Generate the new remote certificate with the same procedure used to generate the old remote certificate.
  2. Import the new remote certificate to the SBC and enable it. To import remote certificates, refer to PKI Security - CLI - Local-InternalCertificates.

    set system security pki certificate <PKI Certificate Name - 2> fileName <der filename> type remote state enabled

Note

If any of the SBC local or local-internal certificates are signed by a CA whose certificate is about to expire and is installed on the SBC as a "remote" certificate, the user must renew the corresponding local and local-internal certificates and have them signed by the new remote or root CA certificate.