The SSH Tectia Manager Internal CA renews host certificates automatically. The Internal Root CA Host certificate validity period and Certificate renew marginal (the renewal margin) are configured in Settings → PKI Settings → Internal CAs (Figure 8.7). Changes to the validity period take effect the next time a new certificate is issued; changes to the renewal margin take effect immediately.
SSH Tectia Manager initiates certificate enrollment to the host once the host certificate enters the renewal period. The renewal process is the same as the initial certificate enrollment (a new private key and certificate request are generated on the host), except that SSH Tectia Manager also ensures that unauthorized host certificates are not issued automatically.
The certificate previously issued for the host is used as a reference: the new request must contain the same identifying information as the existing certificate, or a subset of it. For example, if the host information (e.g. the IP address) has changed, so that the new certificate request no longer matches the previously issued certificate, automatic enrollment fails for the host. However, if the enrollment settings have been changed so that the IP address is no longer included in the Subject Alternative Name extension of the certificate, the automatic renewal succeeds as long as the other identifying information remains the same.
The automatic renewal fails and the administrator will have to re-enroll certificates to the hosts in the following situations:
Host information (FQDN or IP Address) has changed
A previously issued host certificate has been revoked
The subject name parameters in the enrollment settings have been changed
The enrollment PKI in the enrollment settings has been changed
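As an added illustration of the reference-certificate rule and the four failure conditions above (this is not SSH Tectia Manager's own code; the data class, field names and sample host values are assumptions), a Python model of the automatic renewal decision: the subject name and enrollment PKI must be unchanged, a revoked reference certificate blocks renewal, and the request's SAN entries must be a subset of the reference certificate's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HostIdentity:
    """Identity fields of a host certificate or of a certificate request."""
    subject: tuple         # subject name as (attribute, value) pairs
    san: frozenset         # Subject Alternative Name entries, e.g. ("IP", "10.0.0.5")
    pki: str               # enrollment PKI (Internal CA) named in the enrollment settings
    revoked: bool = False  # meaningful only for the previously issued certificate

def renewal_allowed(previous, request):
    """Return (True, "ok") if the request may be issued automatically,
    otherwise (False, reason) naming which documented condition failed."""
    if previous.revoked:
        return False, "previously issued host certificate has been revoked"
    if request.pki != previous.pki:
        return False, "enrollment PKI has been changed"
    if request.subject != previous.subject:
        return False, "subject name parameters have been changed"
    # SAN entries may be dropped (e.g. the IP address is no longer included),
    # but every entry present must already be in the reference certificate,
    # so a changed FQDN or IP address fails the check.
    unexpected = request.san - previous.san
    if unexpected:
        return False, "host information changed or added: " + ", ".join(
            f"{kind}={value}" for kind, value in sorted(unexpected))
    return True, "ok"

# Constructed sample data, not taken from any real deployment.
REFERENCE = HostIdentity(
    subject=(("CN", "host1.example.com"),),
    san=frozenset({("DNS", "host1.example.com"), ("IP", "10.0.0.5")}),
    pki="Internal CA",
)
DNS_ONLY = frozenset({("DNS", "host1.example.com")})

def demo():
    """Run the documented cases; returns a list of (case, allowed, reason)."""
    cases = {
        "unchanged": REFERENCE,
        "ip dropped from san": HostIdentity(REFERENCE.subject, DNS_ONLY, REFERENCE.pki),
        "ip changed": HostIdentity(REFERENCE.subject, DNS_ONLY | {("IP", "10.0.0.6")}, REFERENCE.pki),
        "subject changed": HostIdentity((("CN", "host1.example.com"), ("O", "Example")), REFERENCE.san, REFERENCE.pki),
        "pki changed": HostIdentity(REFERENCE.subject, REFERENCE.san, "Other CA"),
    }
    return [(name, *renewal_allowed(REFERENCE, req)) for name, req in cases.items()]

if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{name:20} {'renew' if allowed else 'fail':5} {reason}")
```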
To enroll a new host certificate for a host that already has an existing certificate, perform the certificate enrollment mostly as described in Server Host Certificate Enrollment. The only difference is the enrollment-time option that, by default, excludes hosts with valid certificates. In Configurations → Enroll certificates, clear the check box to re-enroll certificates to all hosts in the selected group.
Certificate re-enrollment to hosts is needed if changes in the enrollment settings or the environment prevent automatic certificate renewal, or if the configuration of the Internal PKI itself has been changed (for example, a new CRL DP has been added) and the change should be reflected in the host certificates immediately.
The managed host certificate can be revoked in the Secure Shell software → Host certificate tab on the View host page of each managed host. The previous host certificate can also be revoked with an enrollment-time option when enrolling a new certificate.
The managed host certificate is revoked automatically in SSH Tectia Manager when the host entry is deleted from the Management Server. It is recommended practice to revoke the certificate of a host that has been compromised, as neither the host certificate nor the identity of the managed host can be trusted any longer.
The SSH Tectia Manager Internal CA publishes a new CRL automatically once a host certificate has been revoked. Note, however, that the SSH Tectia Client and SSH Tectia ConnectSecure (or Connector in 4.x or 5.x) software will not retrieve the new CRL as long as the previous CRL is valid. In practice, the new CRL is likely to be taken into use before the previous CRL expires: a new CRL is retrieved, for example, when a user logs in to a workstation again and initiates a new connection to an SSH Tectia Server.