Zero trust says my cert is expiring, and that it's in use. But by what?

I generally understand little about certificates. I've never thus far used Zero Trust but today I went to it and got a notification that my cert was expiring, and I should generate a new one. This I've done, but it says the old one is "in use". But it doesn't say by what. Do I need to do anything here, or update my CF domains/workers/pages apps or whatever? I realise this is vague but any help appreciated!
5 Replies
MityaOP•7d ago
Thanks, I'll have a read. So do I have to actually do anything? Is it significant that that expiry notification appeared only when I went to ZT > Tunnels, and it didn't show anywhere in the CF dash?
🚀•3d ago
So I made a cert, am I good? This is confusing
MityaOP•10h ago
It's not clear. I spoke to @thomasgauvin yesterday about this and even he wasn't sure what this was about.
Chase•10h ago
Hi! Gateway PM here and apologies for the confusion. This certificate rotation is necessary for anyone who has:

a) TLS decryption turned on (check ZT Settings > Network > Scroll a bit), OR
b) DNS policies with block pages enabled (check ZT Gateway > Firewall Policies > DNS).

If you aren't using Gateway DNS or HTTP policies at all, this should not apply to you (and you can turn TLS decryption off). If you are using enforcing DNS or HTTP policies, you need to download and install the new CA on your devices and then mark it as In-Use after that is complete.

Agree we could be smarter about some of the notifications which we are working on improving for future iterations. It's somewhat hard to target customers based on their actual usage / deployment so we went for a more conservative approach for all accounts based on the criteria above. Based on your initial message, you may not be using Zero Trust so my guess is that those notices are showing because TLS decryption is turned on.
MityaOP•9h ago
It very much could be clearer - I'm referring only to the notification in the CF dash, not an email (I didn't get an email). For a non-expert user like me who had never previously been to Zero Trust, then visited it and immediately got this warning, it wasn't at all clear what it was about or what it would affect, if anything, in other parts of my CF account.