This KB provides information on replacing the self-signed ingress certificate with one signed by a custom CA.
vDefend SSP v5.0
SSP 5.0 does not provide a way to replace the default ingress certificate, which is signed by the system self-signed certificate authority (CA).
Before proceeding with manual Ingress certificate replacement, please review and understand the following caveats:
No automatic certificate verification: The user must ensure the certificate is valid, has the appropriate usage attributes, and includes the correct DNS entries for the Ingress FQDN.
Certificate is unmanaged by SSP: A manually imported certificate is not tracked in the SSP UI or trust management system. The original system-generated certificate will still appear in the UI. Expiration monitoring of the imported certificate is the user's responsibility.
Reversion before upgrade: Prior to any SSP upgrade, the manually added certificate must be reverted to the system-generated default certificate. Please contact Broadcom support for assistance in reverting the certificate to the default before upgrading to any later version.
Certificate replacement via UI is fully supported from SSP 5.1 release onwards, removing the need for these manual steps.
Ingress Certificate Replacement is carried out in three steps using the scripts attached to this KB.
Replacing the SSP Ingress Certificate - Handled by: ssp-ingress-cert-replacement.sh
Update the Certificate on the NSX Side - Handled by: ssp-cert-import-nsx.sh
Update the Malware Prevention Service (MPS) Configuration (if applicable) - Handled by: ssp-cert-update-ExtendedSolutionConfig.sh
Note: If MPS was already activated and SVMs were already deployed prior to the Ingress certificate update, this step is not required.
If MPS is activated after the Ingress certificate replacement, this step is required: the script updates the MPS configuration to reflect the custom-CA-signed Ingress certificate.
This script cannot be executed without MPS being activated.
Keep the following ready:
Ingress certificate chain (in reverse order: leaf certificate on top, followed by intermediate certificates, and finally the root certificate at the bottom)
Private key (ensure it is not encrypted)
SSP FQDN (Fully Qualified Domain Name)
SSP admin username and password
The certificate (.crt) and key (.key) must be copied to any directory on the SSP-Installer VM using root credentials.
IMPORTANT: ca.crt must contain the full certificate chain, starting with the ingress certificate and ending with the root CA. The certificate must carry the appropriate DNS entry in the Subject Alternative Name extension and the other required usage attributes. If the SSP-Installer (SSP-I) certificate is replaced, make sure the new certificate is copied to the control plane and worker nodes by following the steps in the KB "Known issue after replacing SSP-Installer VM's ingress certificate".
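Because SSP performs no verification of a manually imported certificate, the checks below can be run on the staging host before involving support. This is an added example written for this article, not one of the scripts attached to the KB; it assumes OpenSSL is installed and that the chain file is laid out leaf-first as described above.

```shell
#!/bin/sh
# Pre-flight checks for a custom-CA-signed SSP ingress certificate, covering the
# caveats in this KB: unencrypted key, leaf-first chain ending in the root CA,
# key/certificate match, SAN containing the SSP FQDN, and serverAuth usage.
# Hypothetical helper written for this article; not one of the attached scripts.
# Usage: ssp_cert_preflight ca.crt ssp.key ssp.example.test   (exit 0 = all checks passed)
ssp_cert_preflight() {
  crt=$1; key=$2; fqdn=$3; rc=0
  tmp=$(mktemp -d) || return 1
  # Split the bundle: c1.pem must be the leaf, cN.pem must be the root CA.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} {print > (d "/c" n ".pem")}' "$crt"
  n=$(grep -c 'BEGIN CERTIFICATE' "$crt")
  [ "$n" -ge 2 ] || { echo "FAIL: expected a full chain, found $n certificate(s)"; rc=1; }
  # 1. The key must load without a passphrase (SSP cannot prompt for one).
  if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
    echo "FAIL: private key is encrypted or unreadable"; rc=1
  fi
  # 2. The first certificate must be the leaf that belongs to this key.
  if [ "$(openssl x509 -in "$tmp/c1.pem" -noout -pubkey 2>/dev/null)" != \
       "$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)" ]; then
    echo "FAIL: first certificate does not match the private key"; rc=1
  fi
  # 3. The last certificate must be self-signed, i.e. the root CA.
  subj=$(openssl x509 -in "$tmp/c$n.pem" -noout -subject 2>/dev/null | sed 's/^[^=]*=//')
  iss=$(openssl x509 -in "$tmp/c$n.pem" -noout -issuer 2>/dev/null | sed 's/^[^=]*=//')
  [ "$subj" = "$iss" ] || { echo "FAIL: last certificate is not a self-signed root CA"; rc=1; }
  # 4. Leaf -> intermediates -> root must chain cleanly against that root.
  if ! openssl verify -CAfile "$tmp/c$n.pem" -untrusted "$crt" "$tmp/c1.pem" >/dev/null 2>&1; then
    echo "FAIL: chain does not verify from leaf to root"; rc=1
  fi
  # 5. SAN must carry the SSP FQDN and EKU must permit TLS server authentication.
  text=$(openssl x509 -in "$tmp/c1.pem" -noout -text 2>/dev/null)
  printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -1 \
    | tr ',' '\n' | sed 's/^ *//' | grep -Fqx "DNS:$fqdn" \
    || { echo "FAIL: SAN does not contain DNS:$fqdn"; rc=1; }
  printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: extendedKeyUsage lacks serverAuth"; rc=1; }
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: $crt and $key look suitable for $fqdn"
  return "$rc"
}
```

The function only reports findings; it never modifies the files, so it is safe to run repeatedly while a chain is being assembled.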
Download the scripts that are attached to this KB and copy them to the same directory as the above.
After all of the above are in place, engage Broadcom Support to execute the scripts in the environment.