Restoring default and custom certificates
12.1 and later: The backup and restore process restores only certificates that are not expired, rather than restoring all certificates.
During config system backup, certificates are automatically backed up.
For custom certificates, always restore them from the backup file.
For default certificates, check the expiration date of the certificate in the backup file and on the current target system. If the certificate in the backup file is newer than the current certificate on the system, restore it. If the certificate in the backup file is earlier than the current certificate on the system, don't restore it.
The following table lists the scenarios to show the behavior for default and custom certificates when they are backed up from the source version and restored to the target version.
Type of certificate | Source version | Target version | Restore process |
---|---|---|---|
Default certificate, custom certificate, or default and custom certificates | Certificate is expired. | Certificate is expired or not expired. | No changes in target. |
Default certificates | Certificate is not expired. | The expiration date of a certificate in target is later than the expiration date of the certificate in source. | No changes in target. |
Default certificates | Certificate is not expired. | The expiration date of certificate in target is earlier than the expiration date of certificate in source. | Certificate in target replaces the certificate in source. |
Default certificates | Certificate is not expired. | Certificate is expired. | Certificate in source replaces the certificate in target. |
Default certificates | Certificate is not present. | Certificate is present. | No changes in target. |
Default certificates | Certificate is not expired. | Certificate is not present. | Certificate in source is added to the keystore in target. |
Custom certificates | Custom certificate is not expired. | The expiration date of a custom certificate in target is later than the expiration date of custom certificate in source. | No changes in target. |
Custom certificates | Custom certificate is not expired. | The expiration date of a custom certificate in target is earlier than the expiration date of custom certificate in source. | Custom certificate in target replaces the custom certificate in source. |
Custom certificates | Custom certificate is not expired. | Custom certificate is expired. | Custom certificate in source replaces the certificate in target. |
Custom certificates | Custom certificate is not present. | Custom certificate is present. | No changes in target. |
Custom certificates | Custom certificate is not expired. | Custom certificate is not present. | Custom certificate in source is added to the keystore in target. |
Default and custom certificates | Custom certificate is not expired. | Default Guardium certificate is not expired. | Custom certificate overwrites default. |
Default and custom certificates | Default certificate is not expired. | Custom Guardium certificate is expired. | Default Guardium certificate is added to the keystore in target. |
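
The default-certificate rules above can be checked before a restore by comparing expiration dates. The following Python is an added example, not IBM or Guardium code: it predicts the restore outcome for default certificates from `openssl x509 -noout -enddate` output lines. It assumes the certificates from the backup and the target are already available for inspection (the page does not describe that step), follows the paragraph rule that a newer backup certificate is restored, and treats equal expiration dates as no change; the function names, aliases, and dates are constructed.

```python
from datetime import datetime, timezone

def parse_not_after(line):
    """Parse one `openssl x509 -noout -enddate` line; None means no certificate."""
    if line is None:
        return None
    value = line.strip().split("=", 1)[1]          # drop the "notAfter=" label
    if value.endswith(" GMT"):
        value = value[:-4]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def predict_default_restore(backup_line, target_line, now):
    """Predict what a restore does to one default certificate."""
    backup = parse_not_after(backup_line)
    target = parse_not_after(target_line)
    if backup is None or backup <= now:
        return "no change"              # absent or expired in the backup
    if target is None:
        return "add from backup"        # target keystore has no such certificate
    if target <= now:
        return "replace from backup"    # target copy has expired
    if backup > target:
        return "replace from backup"    # backup copy expires later
    return "no change"                  # target expires later (equal dates: assumption)

def plan_restore(inventory, now):
    """Map each alias to its predicted outcome."""
    return {alias: predict_default_restore(b, t, now)
            for alias, (b, t) in inventory.items()}

# Constructed sample data: alias -> (backup notAfter line, target notAfter line).
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "alias-a": ("notAfter=Jun  1 12:00:00 2024 GMT", "notAfter=Jun  1 12:00:00 2026 GMT"),
    "alias-b": ("notAfter=Jun  1 12:00:00 2026 GMT", "notAfter=Jun  1 12:00:00 2027 GMT"),
    "alias-c": ("notAfter=Jun  1 12:00:00 2027 GMT", "notAfter=Jun  1 12:00:00 2026 GMT"),
    "alias-d": ("notAfter=Jun  1 12:00:00 2026 GMT", "notAfter=Mar 15 08:30:00 2024 GMT"),
    "alias-e": (None, "notAfter=Jun  1 12:00:00 2026 GMT"),
    "alias-f": ("notAfter=Jun  1 12:00:00 2026 GMT", None),
}

if __name__ == "__main__":
    for alias, outcome in plan_restore(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{alias}: {outcome}")
```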