vDefend SSP Alarm: Platform certificate expiring or expired

Article ID: 384106

Products

  • VMware vDefend Firewall
  • VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Problem: A certificate monitored by SSP is expiring or has expired.

Symptom: Alarms are raised for a certificate that is expiring or has expired.

Impact: Some features of the Security Services Platform may not work as intended once the certificate has expired.

Environment

vDefend SSP >= 5.0

Cause

The Security Services Platform monitors a small set of certificates and raises alarms when a certificate will expire within 30 days, will expire within 7 days, or has already expired.  The main certificate types monitored for expiration are:

  • Image Registry certificate
  • SSP Web Proxy certificate

Resolution

Depending on the type of certificate the alarm was raised for, update it using the steps below.

Image Registry Certificate

The image registry certificate identifies the Security Services Platform Installer's (SSPI) endpoint.  To replace the certificate, log in to the SSPI's management web interface and go to the "System/Certificate" tab on the left.  There are two ways to replace the certificate:

  • Using the CSR workflow:
    • Generate a new certificate signing request (CSR) by clicking on the CSR tab and then the "Generate CA CSR" button.  Provide the desired properties.
    • Download the .PEM CSR file.  Provide it to the certificate authority (CA) that your organization uses and have it signed.  Obtain the newly signed certificate in PEM format.
    • Click on the Certificates tab of the System/Certificate page.  Then click the 3-dot menu to the left of the certificate and select "Replace Certificate from CSR".  Upload the signed certificate in PEM format to replace the certificate.
  • Using the certificate replacement workflow:
    • Generate a certificate and key pair.  The certificate can be either self-signed or CA-signed, but it must include a Subject Alternative Name (SAN) DNS entry matching the SSPI's fully qualified domain name (FQDN).
    • In the Certificates tab of the System/Certificate page, click the 3-dot menu to the left of the certificate and select "Replace Certificate".  Upload the new certificate and its private key in PEM format.

After successful update of the SSPI certificate, the new certificate should be propagated to the Security Service Platform automatically.
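The following script is an added example and not part of the KB article or the vDefend product: it shows, with openssl, how to produce a key pair and CSR that carry the SAN DNS entry the replacement workflow requires, how to self-sign the CSR for a lab (in production the CSR goes to your CA instead), and how to check a PEM certificate against the same 30-day / 7-day / expired thresholds the platform alarms on.  The FQDN sspi.example.internal and the working directory are placeholders; substitute your SSPI FQDN.

```shell
#!/bin/sh
# Added example (not from the KB article). Requires openssl 1.1.1 or later.
# Assumption: SSPI_FQDN is a placeholder; set it to your real SSPI FQDN.
set -e

FQDN="${SSPI_FQDN:-sspi.example.internal}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an RSA key and a CSR whose SAN carries the SSPI FQDN as a DNS entry.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/sspi.key" -out "$WORKDIR/sspi.csr" \
        -subj "/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
}

# Self-sign the CSR for N days (lab use only). -extfile re-adds the SAN,
# because a plain "openssl x509 -req" drops CSR extensions.
self_sign() {
    days="$1"
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORKDIR/san.ext"
    openssl x509 -req -in "$WORKDIR/sspi.csr" -signkey "$WORKDIR/sspi.key" \
        -days "$days" -extfile "$WORKDIR/san.ext" \
        -out "$WORKDIR/sspi.crt" 2>/dev/null
}

# Succeeds only if the certificate's SAN lists the expected DNS name.
san_ok() {
    openssl x509 -in "$WORKDIR/sspi.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$FQDN"
}

# Classify a PEM certificate the way the platform's expiry alarms do.
# -checkend N exits non-zero when the cert expires within N seconds.
alarm_state() {
    crt="$1"
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$crt" -noout -checkend $((7 * 86400)) >/dev/null 2>&1; then
        echo expiring-7d
    elif ! openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then
        echo expiring-30d
    else
        echo ok
    fi
}

# Stand-alone run: one-year lab certificate, then report SAN and alarm state.
gen_csr
self_sign 365
san_ok && echo "SAN contains DNS:$FQDN"
echo "alarm state: $(alarm_state "$WORKDIR/sspi.crt")"
echo "files in $WORKDIR: sspi.key sspi.csr sspi.crt"
```

Run alarm_state against the certificate currently installed on the SSPI (export it from the System/Certificate page) to confirm whether the alarm is a 30-day warning or an expired certificate before choosing a workflow, and run san_ok against a replacement certificate before uploading it so the replacement is not rejected or ignored for a missing SAN.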

SSP Web Proxy Certificate

Acquire the new certificate from the proxy provider.  Import it by going to the Security Services Platform's web management page, clicking System → Certificates on the left, and selecting the "Certificates" tab.  Click the "IMPORT" button and select "Import Certificate".

Provide the new certificate with "Used By" set to SSP Web Proxy and a name that distinguishes it from the previous SSP Web Proxy certificate on the page.  There is no need to provide the key for the certificate.  Once the certificate has been imported successfully, update the Internet Proxy Server configuration to use the new certificate.

The old certificate can be deleted afterwards.  (Deletion through the UI will be supported soon.)