How to update an expired passive-attack-protection-only keyring
Article ID: 166525


Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

The passive-attack-protection-only keyring is generated when the appliance starts for the first time and is not generally used in production. The keyring is tagged to a Device Profile called “passive-attack-protection-only” and is sometimes used for Secure ADN encryption with no endpoint authentication.


Environment

  • Edge SWG

Cause

The keyring lifetime is 2 years.

Resolution

This keyring is not used in production and can be replaced with a self-signed certificate.

This requires access to a system with the OpenSSL utility installed.

  1. Create the "openssl.cnf" file with the contents below and edit it as desired:


    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_ca
    prompt = no
    
    [ req_distinguished_name ]
    C  = US
    ST = California
    L  = San Francisco
    O  = Broadcom Edge SWG passive-attack-protection-only-keyring
    OU = Engineering
    CN = localhost
    
    [ v3_ca ]
    basicConstraints = critical, CA:TRUE
  2. Create the private key and certificate:


    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
      -keyout private.key \
      -out certificate.crt \
      -config openssl.cnf \
      -extensions v3_ca
  3. Merge the private key and certificate into a single file:


    cat private.key certificate.crt > inline.txt
  4. Update the passive-attack-protection-only-key keyring on the Edge SWG:


    #conf t
    #(config)ssl
    #(config ssl)inline keyring show passive-attack-protection-only-key --EOF--
        < CONTENTS OF inline.txt file >
    --EOF--
  5. Verify that the keyring shows the new expiration date (Configuration -> Keyrings):
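The following script is an added example, not part of the Broadcom article, that carries steps 1 to 3 through end to end on the OpenSSL host and then performs the expiry check from step 5 locally: it writes the article's "openssl.cnf", generates the key and the 730-day self-signed certificate, merges them into "inline.txt", and reports the certificate's Not After date. It also adds a `keyring_valid_for_days` check (an assumption of this example, not an SGOS command) that can be scheduled to warn before Health Monitoring raises its Critical alert. The working directory is passed as an argument; file names are those used in the article.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): build a replacement
# passive-attack-protection-only keyring bundle and check its validity window.
# Assumes the OpenSSL utility is installed; all file names are the article's
# (openssl.cnf, private.key, certificate.crt, inline.txt).
set -eu

# Step 1: write the article's openssl.cnf into the given directory.
write_openssl_cnf() {
    dir="$1"
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no

[ req_distinguished_name ]
C  = US
ST = California
L  = San Francisco
O  = Broadcom Edge SWG passive-attack-protection-only-keyring
OU = Engineering
CN = localhost

[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
}

# Steps 2 and 3: create the key and self-signed certificate (730 days by
# default, matching the 2-year keyring lifetime), then merge them into inline.txt.
build_keyring_bundle() {
    dir="$1"
    days="${2:-730}"
    write_openssl_cnf "$dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/private.key" \
        -out "$dir/certificate.crt" \
        -config "$dir/openssl.cnf" \
        -extensions v3_ca 2>/dev/null
    cat "$dir/private.key" "$dir/certificate.crt" > "$dir/inline.txt"
    # The bundle carries the private key: keep it readable by the owner only.
    chmod 600 "$dir/private.key" "$dir/inline.txt"
}

# Expiry check (assumed helper, not an SGOS command): returns 0 if the
# certificate in the bundle is still valid for at least $2 more days
# (default 30). openssl x509 reads the first CERTIFICATE block in the file,
# so the merged inline.txt can be checked directly.
keyring_valid_for_days() {
    bundle="$1"
    min_days="${2:-30}"
    # -checkend takes seconds and exits non-zero if the cert expires within them.
    openssl x509 -in "$bundle" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Step 5 equivalent on the OpenSSL host: show subject and Not After date.
keyring_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Usage: sh build_keyring.sh --run /path/to/workdir
if [ "${1:-}" = "--run" ]; then
    workdir="${2:-.}"
    build_keyring_bundle "$workdir"
    keyring_summary "$workdir/inline.txt"
    if keyring_valid_for_days "$workdir/inline.txt" 30; then
        echo "keyring valid for at least 30 more days"
    else
        echo "keyring expires within 30 days" >&2
        exit 1
    fi
fi
```

The contents of the resulting inline.txt are what step 4 pastes between the two `--EOF--` markers; the `keyring_valid_for_days` check is useful against the certificate you export from the appliance as well, since the Critical alert in the article appears only once the 2-year lifetime has already run out.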


Additional Information

If Health Monitoring does not clear the Critical alert, a device restart may be required for the change to take effect.