Updated on 2024-12-04 GMT+08:00

Replacing Certificates of a VPN Gateway

Scenario

When certificates of a VPN gateway of the GM specification expire or become invalid, you need to replace the certificates.

After certificates of a VPN gateway are replaced, the customer gateway must use the corresponding new CA certificate to renegotiate with the VPN gateway. Otherwise, VPN connections will be disconnected.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner of the page, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the S2C VPN Gateways tab.
  6. Locate a VPN gateway of the GM specification, and choose More > View/Upload Certificate in the Operation column.
  7. Click Replace and set parameters as prompted.
    Table 1 describes the parameters for replacing certificates of a VPN gateway.
    Table 1 Parameters for replacing certificates of a VPN gateway

    Parameter

    Description

    Example Value

    Certificate Name

    This parameter cannot be modified.

    The value must be the same as the original certificate name.

    New Signature Certificate

    Certificate used for signature authentication to ensure data validity and non-repudiation.

    Use a text editor (such as Notepad++) to open the signature certificate file in PEM format, and copy the certificate content to this text box.

    Enter both a signature certificate and its issuing CA certificate.

    -----BEGIN CERTIFICATE-----

    Signature certificate

    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----

    CA certificate

    -----END CERTIFICATE-----

    New Signature Private Key

    Private key used to decrypt the data that is encrypted by a signature certificate.

    Open the signature private key file in KEY format as a text file, and copy the private key to this text box.

    -----BEGIN EC PRIVATE KEY-----

    Signature private key

    -----END EC PRIVATE KEY-----

    New Encryption Certificate

    Certificate used to encrypt data transmitted over VPN connections to ensure data confidentiality and integrity. The CA that issues the encryption certificate must be the same as the CA that issues the signature certificate.

    Use a text editor (such as Notepad++) to open the encryption certificate file in PEM format, and copy the certificate content to this text box.

    -----BEGIN CERTIFICATE-----

    Encryption certificate

    -----END CERTIFICATE-----

    New Encryption Private Key

    Private key used to decrypt the data that is encrypted by an encryption certificate.

    Use a text editor (such as Notepad++) to open the encryption private key file in KEY format, and copy the private key to this text box.

    -----BEGIN EC PRIVATE KEY-----

    Encryption private key

    -----END EC PRIVATE KEY-----

  8. Select "I have read and understand the preceding risk, and would like to replace the certificates anyway." and click OK.