VIP Enterprise Gateway reverts to a different SSL certificate after installing a new SSL certificate

Article ID: 366824

Products

VIP Service

Issue/Introduction

VIP Enterprise Gateway 9.11 or later reverts to using a different SSL certificate, even if the certificate has expired. 

Environment

VIP Enterprise Gateway 9.11 and later 

Cause

VIP Enterprise Gateway 9.11 uses Jetty version 10. For HTTPS connections to be valid, the certificate's Common Name (CN) and Subject Alternative Name (SAN) must be the Fully Qualified Domain Name (FQDN) of the Enterprise Gateway server. If the CN does not match, the gateway will attempt to find and present any SSL certificate in the keystore whose CN does match, whether that certificate is expired or valid. If the SAN does not match, the browser may show security warnings.

Do not use your organization's name as the common name (CN).

Note: If the SSL certificate cannot be removed after the IN USE status shows NO, please refer to: Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.

Resolution

  1. When creating a new SSL certificate, the Common Name (CN) and SAN attribute should be the full host and domain name of the VIP EG server (example: vipeg.example.com). Follow these steps to install the SSL certificate, and these steps to enable the SSL certificate.
  2. After the new SSL certificate is uploaded to the VIP Enterprise Gateway, install the issuing root and (if applicable) intermediate certificates on the 'Trusted CA certificate' tab.
  3. Delete any old, expired, or otherwise unused SSL certificates from your VIP Enterprise Gateway to prevent them from being used.
  4. If an error occurs when trying to delete the certificate, close all browser windows and try again in an incognito/private browser window. Reboot the server if necessary.
  5. If removing the certificate still fails, contact VIP support for assistance with deleting the certificate from the keystore manually. See Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway.
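
A pre-upload check for the CN/SAN requirement in step 1, as an added example that is not part of the original article or the vendor's tooling. It assumes the certificate is available as a PEM file and that OpenSSL 1.1.1 or later is installed; the function names and the sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upload check of a PEM certificate against the gateway FQDN.
# Assumes OpenSSL 1.1.1+ (for -addext / -ext); all names here are illustrative.

# check_cert_for_host CERT.pem FQDN [MIN_SECONDS_LEFT]
# Returns 0 only if CN == FQDN, the SAN lists DNS:FQDN, and the certificate
# stays valid for MIN_SECONDS_LEFT more seconds (default 0 = not expired now).
check_cert_for_host() {
    cert=$1; fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); min_left=${3:-0}; rc=0

    # Subject CN, printed one attribute per line so spaces and commas survive.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null |
         sed -n 's/^ *commonName *= *//p' | tr 'A-Z' 'a-z')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL CN '$cn' is not the server FQDN '$fqdn'"; rc=1
    fi

    # SAN entries split one per line, then an exact (not substring) match.
    if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
         tr ',' '\n' | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z' |
         grep -Fxq "dns:$fqdn"; then
        echo "FAIL SAN has no DNS:$fqdn entry"; rc=1
    fi

    # -checkend exits non-zero when the certificate expires within the window.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1; then
        echo "FAIL certificate is expired or expires within ${min_left}s"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $cert matches $fqdn"
    return "$rc"
}

# Constructed sample input: throwaway self-signed certificate, valid for 1 day.
# make_sample_cert OUT_PREFIX CN SAN_DNS
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$3" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo: a correct certificate, and one with the organization name as the CN.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/good" vipeg.example.com vipeg.example.com
make_sample_cert "$demo_dir/org" "Example Corp" vipeg.example.com
check_cert_for_host "$demo_dir/good.pem" vipeg.example.com
check_cert_for_host "$demo_dir/org.pem" vipeg.example.com || true
rm -rf "$demo_dir"
```

Running the same function over PEM exports of every certificate still in the keystore, with the gateway's FQDN as the second argument, shows which old certificates have a matching CN and should be deleted per step 3.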