VPN Certificate renewal

I can see that the VPN client certificate is valid for 20 years, but I'm still curious to understand more about the renewal process and how this is supposed to happen, because we may need to invalidate a client certificate if it gets exposed somehow?

Expiring certificates don't have any security benefit. If a certificate is compromised, allowing the compromised certificate to remain valid for a few weeks compared to indefinitely won't change the outcome. It will only create security problems, as the client would need to be designed to regularly transmit new certificates, creating more opportunities for it to be compromised. The same understanding has been reached with expiring passwords, which are no longer recommended.

If you're concerned with VPN profiles being compromised, using device authentication will prevent any connections from unauthorized devices even if the VPN profile is compromised. Each connection will be authorized by the TPM/Secure Enclave on the client. These chips store keys physically isolated from the system.

1 Like
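The question above is about invalidating a client certificate that is still years away from expiry. The mechanism that does that, independent of the certificate's lifetime, is revocation: the CA publishes a CRL and the VPN gateway checks it on every connection. The following script is an added example (not from the original thread, and not any VPN vendor's tooling) that builds a throwaway CA with the `openssl` command line, issues a 20-year (7300-day) client certificate, shows the gateway-side check accepting it, revokes it, republishes the CRL, and shows the same check rejecting it. The CA name `Demo VPN CA`, the client name `vpn-client-01`, the file names and the 7-day CRL lifetime are all constructed for the demo; everything is created under a fresh `mktemp -d` directory.

```shell
#!/bin/sh
# Added example: revoking a long-lived VPN client certificate with a CRL.
# Requires only the openssl CLI. All names and files here are constructed.
set -eu

# Create an isolated working directory, a minimal 'openssl ca' database,
# a self-signed CA, and an initial (empty) CRL.
vpn_ca_setup() {
  WORK="$(mktemp -d)"
  cd "$WORK" || return 1
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 7300
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
  : > index.txt            # certificate database (empty at start)
  echo 01 > serial         # next certificate serial number
  echo 01 > crlnumber      # next CRL number
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -keyout ca.key -out ca.crt -subj "/CN=Demo VPN CA" >/dev/null 2>&1
  vpn_ca_publish_crl
}

# Sign a fresh CRL from the database and bundle it with the CA cert.
# The bundle is what a gateway would load as its trust store.
vpn_ca_publish_crl() {
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
  cat ca.crt ca.crl > trust_bundle.pem
}

# Issue a client certificate for the given name (7300 days, ~20 years).
vpn_issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" \
    >/dev/null 2>&1
}

# Mark the client certificate revoked and publish an updated CRL.
vpn_revoke_client() {
  openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  vpn_ca_publish_crl
}

# The gateway-side check: chain validation plus a mandatory CRL lookup.
# Returns 0 when the certificate would be accepted, 1 when rejected.
vpn_client_accepted() {
  if openssl verify -crl_check -CAfile trust_bundle.pem "$1.crt" \
      >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Full walk-through; succeeds only if the cert is accepted before
# revocation and rejected after it.
vpn_demo() {
  vpn_ca_setup
  vpn_issue_client vpn-client-01
  if vpn_client_accepted vpn-client-01; then
    echo "before revocation: vpn-client-01 accepted"
  else
    echo "before revocation: unexpected rejection"; return 1
  fi
  vpn_revoke_client vpn-client-01
  if vpn_client_accepted vpn-client-01; then
    echo "after revocation: unexpected acceptance"; return 1
  fi
  echo "after revocation: vpn-client-01 rejected (still 20 years from expiry)"
}

vpn_demo
```

The design point is that `vpn_client_accepted` uses `-crl_check`, which fails closed: if no CRL is available at all, the verification fails rather than silently skipping the revocation check. A gateway configured that way needs a fresh CRL (here every 7 days) or an OCSP responder, but it gets the property the question asks for, namely that a leaked credential can be cut off without waiting for expiry.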