When DX UIM hubs are connected via SSL tunnels, client certificates are issued from a tunnel server and distributed to the client hubs. These client certificates are "signed" by a built-in Certificate Authority which exists at the tunnel server. This Certificate Authority is in turn represented by a built-in Server Certificate that identifies the hub as the issuing authority for the client certificates.
When the certificate that underlies the Certificate Authority expires, all client certificates will also be considered expired, even if the client certificate itself has an expiration date in the future. The Certificate Authority certificate has a hardcoded expiration date that is 10 years from the date of creation.
The only way to renew the Certificate Authority certificate - whether or not it is already expired - is to recreate it from scratch; this will invalidate the client certificates which were previously issued. This, in turn, will stop the UIM hub tunnels from connecting until the certificates are replaced at the client side.
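The dependency described above, that a client certificate with a future expiration date becomes unusable the moment the issuing CA certificate expires, can be demonstrated with any standards-compliant X.509 verifier. The following Go program is an added example and is not UIM code or part of this article: it builds a throwaway self-signed CA valid for one day and a client certificate signed by it that is valid for ten days, then verifies the client certificate before and after the CA expiry. The certificate names, the lifetimes and the helper functions (buildTestPKI, verifyAt, expiredAt, daysLeft) are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not UIM code: a throwaway CA whose lifetime is shorter than
// the client certificate it issues. "Example Tunnel CA" and "tunnel-client"
// are constructed names.
type testPKI struct {
	ca     *x509.Certificate
	client *x509.Certificate
}

// newCert signs tmpl with the parent's key and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildTestPKI creates a self-signed CA valid for caDays starting at now and a
// client certificate issued by that CA that is valid for clientDays.
func buildTestPKI(now time.Time, caDays, clientDays int) (*testPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Tunnel CA"},
		NotBefore:             now,
		NotAfter:              now.AddDate(0, 0, caDays),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "tunnel-client"},
		NotBefore:    now,
		NotAfter:     now.AddDate(0, 0, clientDays), // deliberately outlives the CA
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client, err := newCert(clientTmpl, ca, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{ca: ca, client: client}, nil
}

// verifyAt checks the client certificate against the CA as of time t. It returns
// true when the chain validates, otherwise false plus the verifier's error text
// (an expired CA surfaces as an expiry error on the candidate authority).
func (p *testPKI) verifyAt(t time.Time) (bool, string) {
	roots := x509.NewCertPool()
	roots.AddCert(p.ca)
	_, err := p.client.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false, err.Error()
	}
	return true, ""
}

// expiredAt lists which of the two certificates has passed its NotAfter at t,
// independent of the verifier, so the cause of a failure is visible.
func (p *testPKI) expiredAt(t time.Time) []string {
	var out []string
	if t.After(p.ca.NotAfter) {
		out = append(out, "ca")
	}
	if t.After(p.client.NotAfter) {
		out = append(out, "client")
	}
	return out
}

// daysLeft is the number of whole days of validity remaining at now (negative
// once expired); the kind of check worth scheduling against a CA certificate.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	p, err := buildTestPKI(now, 1, 10) // CA good for 1 day, client certificate for 10
	if err != nil {
		panic(err)
	}
	for _, t := range []time.Time{now.Add(time.Hour), now.AddDate(0, 0, 5)} {
		ok, msg := p.verifyAt(t)
		fmt.Printf("%s expired=%v ca_days_left=%d chain_ok=%v %s\n",
			t.Format(time.RFC3339), p.expiredAt(t), daysLeft(p.ca, t), ok, msg)
	}
}
```

Run with `go run`: the first line shows the chain validating while the CA is in date; the second, five days later, shows only the CA listed as expired yet the chain rejected with an expiry error, even though the client certificate still has days of validity left. Applying a daysLeft-style check to the tunnel server's CA certificate turns the hardcoded 10-year expiration into a scheduled renewal rather than an unplanned loss of tunnel connectivity.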
Once the server certificate has been recreated, a new client certificate must be distributed to each client hub, and the client tunnel must be reconfigured from scratch. In a sense, it is like "starting over" with the tunnels - connectivity will be lost, and each hub will need to be touched outside the context of UIM in order to restore connectivity.
This link describes the process for renewing the certificates manually. In a small environment this is not too much trouble, but in a larger environment it can represent a large amount of work.
It is possible, using a combination of redundant tunnels and configuration packages, to automate the distribution of client certificates without losing connectivity to the remote hubs. Attached to this KB Article you will find a document describing this process in comprehensive detail.
DX UIM - Any Version
Hub with SSL tunnels configured
Requirements:
- you will need an additional server/VM for a second tunnel server
- clients should be able to reach this second tunnel server (open firewalls as needed)
- clients should be using a "wildcard" tunnel certificate
Expiration of SSL Certificates for tunnel server Certificate Authority (CA)
Attached you will find a document that outlines this process in great detail.
Here is a high level overview of the process:
1. A second tunnel server is deployed within the UIM environment (firewall ports may need to be opened)
2. From this tunnel server, issue a "wildcard" client certificate that is valid for all clients
3. Using a UIM configuration package (also known as a "superpackage"), deploy a configuration change that adds the second tunnel connection to each client
4. Renew the CA (Certificate Authority) certificate on the tunnel server side by re-creating it (disable and re-enable tunneling).
5. Issue a new client certificate (wildcard) from the newly renewed tunnel server
6. Using a UIM configuration package, deploy a configuration change that replaces the client certificate (and potentially the password) on the first tunnel connection