How does Portnox handle ZTNA certificate expiration and renewal for SSO-enabled web applications?
ZTNA uses digital certificates to create a trusted connection with SSO-enabled web applications. These certificates are valid for 3 years and must be renewed before they expire. If a certificate expires, all users will lose ZTNA-based access to the application until a valid certificate is available.
To manually replace the certificate during a maintenance window:
- If the application allows you to upload more than one certificate:
  - Generate a new certificate in Cloud before the current certificate expires.
  - Upload the new certificate to the application.
  - Keep the new certificate inactive until you are ready to switch.
  - When the old certificate expires (or during a maintenance window), activate the new certificate in Cloud.
  - Activate the new certificate in the application.
  - Optionally, after confirming that the integration is working, delete the old certificate from Cloud and the application to avoid confusion.

  Note: Cloud allows up to two certificates in the application integration at the same time. If two are already present, remove an expired or inactive certificate before adding a new one.

- If the application allows you to upload only one certificate:
  - Generate a new certificate in Cloud.
  - During a maintenance window, upload the new certificate to the application, replacing the existing one.
  - Activate the new certificate in Cloud.
  - Optionally, after confirming that the integration is working, delete the old certificate from Cloud to avoid confusion.
We recommend creating and maintaining internal documentation that describes the exact steps required to update certificates for each application you use with Cloud. Having these steps written down in advance will make the replacement process faster, clearer, and less likely to cause errors when a certificate needs to be renewed.
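The outage described above follows from a missed expiry date, so the check a practitioner wants alongside the written procedure is one that flags an application certificate well before its three-year lifetime ends. The Go program below is an added example, not Portnox's own code or API. It assumes the application certificate has been exported from Cloud as a PEM file (an assumption; the article does not state the download format), builds a constructed self-signed stand-in with the same three-year lifetime so it runs offline, and reports the days remaining against a renewal window (90 days here, a chosen value, not one the article specifies).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalStatus summarises where a certificate sits relative to its renewal window.
type RenewalStatus struct {
	Subject       string
	NotAfter      time.Time
	DaysRemaining int  // whole days until NotAfter; negative once expired
	Expired       bool // NotAfter is at or before the reference time
	NeedsRenewal  bool // inside the warning window, or already expired
}

// ParsePEMCertificate decodes the first CERTIFICATE block in PEM data, e.g. a
// certificate exported from the Cloud application integration (assumed format).
func ParsePEMCertificate(data []byte) (*x509.Certificate, error) {
	rest := data
	for {
		block, next := pem.Decode(rest)
		if block == nil {
			return nil, errors.New("no CERTIFICATE block found in PEM data")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		rest = next // skip private keys or other blocks bundled in the file
	}
}

// CheckRenewal evaluates the certificate at `now` and flags it when it expires
// within warnDays or has already expired. Days are truncated toward zero.
func CheckRenewal(cert *x509.Certificate, now time.Time, warnDays int) RenewalStatus {
	remaining := cert.NotAfter.Sub(now)
	expired := !now.Before(cert.NotAfter)
	return RenewalStatus{
		Subject:       cert.Subject.CommonName,
		NotAfter:      cert.NotAfter,
		DaysRemaining: int(remaining.Hours() / 24),
		Expired:       expired,
		NeedsRenewal:  expired || remaining < time.Duration(warnDays)*24*time.Hour,
	}
}

// NewSampleCertPEM builds a constructed self-signed certificate valid from
// notBefore for lifetimeDays. It stands in for a certificate generated in
// Cloud so the example runs offline; it is not Portnox's format or tooling.
func NewSampleCertPEM(cn string, notBefore time.Time, lifetimeDays int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(lifetimeDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed scenario: a three-year certificate issued 2 years 10 months ago,
	// i.e. already inside a 90-day renewal window.
	issued := time.Now().AddDate(-2, -10, 0)
	pemData, err := NewSampleCertPEM("ztna-sso-app", issued, 3*365)
	if err != nil {
		panic(err)
	}
	cert, err := ParsePEMCertificate(pemData)
	if err != nil {
		panic(err)
	}
	st := CheckRenewal(cert, time.Now(), 90)
	fmt.Printf("%s expires %s (%d days left); needs renewal: %v\n",
		st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysRemaining, st.NeedsRenewal)
}
```

To use it against a real export, replace the constructed sample with the file contents (for example via `os.ReadFile`) and run it on a schedule that fits your maintenance-window planning; a `NeedsRenewal` result is the cue to start the multi-certificate or single-certificate procedure above while the old certificate is still valid.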