VIP Enterprise Gateway reverts to a different SSL certificate after upgrading to 9.11

Article ID: 366824

Products

VIP Service

Issue/Introduction

After upgrading to version 9.11, the VIP Enterprise Gateway reverts to using a different SSL certificate, even if the certificate is expired. 

Environment

VIP Enterprise Gateway 9.11

Cause

VIP Enterprise Gateway utilizes Jetty version 10. If Jetty detects a mismatch between the certificate CN and the URL, it will attempt to find and use a certificate in the keystore where the CN matches the URL, even if that certificate is expired.

Note: If the SSL certificate cannot be removed after the IN USE status shows NO, please refer to: Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway. Certificate is In Use and cannot be deleted.

Resolution

  1. Create a new SSL certificate where the Common Name (CN) matches the full host and domain name of the VIP EG server (example: vipeg.example.com). Follow these steps to install the SSL certificate, and these steps to enable the SSL certificate.
  2. Delete any expired, unused, or mismatched SSL certificates. (It is not necessary to remove the CA certificates.) If an error occurs when trying to delete the certificate, close all browser windows and try again in an incognito/private browser window. If this still fails, contact VIP support for assistance with deleting the certificate from the keystore manually. See Unable to remove a VIP or SSL Certificates from VIP Enterprise Gateway.
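
To find the entries that step 2 refers to, the keystore listing can be checked for server certificates that are expired or whose CN does not match the gateway host name. The following is an added example, not Broadcom's tooling: it assumes the listing was produced with the JDK's `keytool -list -v`, uses a constructed sample listing with hypothetical aliases, and cannot tell whether a certificate is unused (that comes from the IN USE status in the console).

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `keytool -list -v` output (not real gateway data).
SAMPLE_LISTING = """\
Alias name: vipeg-2025
Entry type: PrivateKeyEntry
Owner: CN=vipeg.example.com, O=Example Corp, C=US
Valid from: Wed Jan 01 00:00:00 UTC 2025 until: Fri Jan 01 00:00:00 UTC 2027
Alias name: vipeg-old
Entry type: PrivateKeyEntry
Owner: CN=vipeg.example.com, O=Example Corp, C=US
Valid from: Fri Jan 01 00:00:00 UTC 2021 until: Sun Jan 01 00:00:00 UTC 2023
Alias name: selfsigned
Entry type: PrivateKeyEntry
Owner: CN=localhost, O=Example Corp
Valid from: Wed Jan 01 00:00:00 UTC 2025 until: Fri Jan 01 00:00:00 UTC 2027
Alias name: example-root-ca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
"""
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the result is repeatable

def audit(listing, hostname, now):
    """Return {alias: [reasons]} for server certificates that step 2 says to delete."""
    findings = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip()
        if not re.search(r"(?m)^Entry type: PrivateKeyEntry", block):
            continue  # CA (trustedCertEntry) certificates do not need to be removed
        # The first Owner/Valid lines of an entry describe the leaf certificate of the chain.
        owner = re.search(r"(?m)^Owner: (.*)$", block)
        valid = re.search(r"(?m)^Valid from: .* until: \w+ (\w+ \d+ [\d:]+) \S+ (\d{4})", block)
        if not (owner and valid):
            findings[alias] = ["unparsed"]
            continue
        # Assumption: the time zone token is ignored and the date is treated as UTC.
        not_after = datetime.strptime(" ".join(valid.groups()), "%b %d %H:%M:%S %Y")
        cn = re.search(r"CN=([^,]+)", owner.group(1))
        reasons = []
        if not_after.replace(tzinfo=timezone.utc) <= now:
            reasons.append("expired")  # Jetty may still select this one if its CN matches
        if not cn or cn.group(1).strip().lower() != hostname.lower():
            reasons.append("CN mismatch")
        if reasons:
            findings[alias] = reasons
    return findings
```

For the sample, `audit(SAMPLE_LISTING, "vipeg.example.com", NOW)` reports `vipeg-old` as expired and `selfsigned` as a CN mismatch; `vipeg-old` is the kind of entry described under Cause, an expired certificate whose CN still matches the URL.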