Automatic certificate renewal for non-admin tenant certificates deletes the certificate chain when certificate sharing is enabled

Article ID: 397920

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • Certificates in a non-admin tenant lose their references to the signing Intermediate/Root CA certificates upon automatic renewal through a Certificate Management Profile when the signing certificates live in the admin tenant and shared_ssl_certificates is enabled in the controller properties.

Environment

  • Any deployment in which shared_ssl_certificates is enabled (allowing leaf certificates in non-admin tenants to be linked to Intermediate/Root certificates in the admin tenant) and Certificate Management Profiles are used for automatic renewal.

Cause

  • When we renew a certificate, we scan all of the certificates in the tenant and check whether any of them are modified as a result of the update.
  • In the same pass, we look up each certificate's issuer; if the issuer is not present in the same tenant, we clear the CA reference field and keep only the issuer name.
  • In environments with shared_ssl_certificates, the issuer certificate is in the admin tenant, so this tenant-scoped lookup incorrectly clears the reference links because it concludes that the Intermediate/Root certificates no longer exist.
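The following Python model, added here as an illustration and not code from the Avi Load Balancer product, shows the issuer-resolution step described above in two forms: a tenant-only lookup that drops the chain reference when the CA sits in the admin tenant, and a corrected lookup that falls back to the admin tenant when sharing is enabled. It also includes a post-renewal audit that lists non-admin certificates whose chain reference is empty even though a matching issuer exists in admin. The certificate records, field names (ca_refs, issuer_name) and the fallback logic are assumptions made for this example.

```python
"""Illustration (not Avi's own code) of the issuer-resolution step in the
Cause section. Records, field names and the fix are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    name: str
    tenant: str
    subject: str                      # subject DN
    issuer: str                       # issuer DN
    ca_refs: List[str] = field(default_factory=list)   # names of signing CA certs
    issuer_name: Optional[str] = None  # kept when no CA object can be linked


def find_issuer(cert: Cert, candidates: List[Cert]) -> Optional[Cert]:
    """Return the candidate whose subject DN equals cert's issuer DN."""
    for c in candidates:
        if c is not cert and c.subject == cert.issuer:
            return c
    return None


def relink_chain_tenant_only(leaf: Cert, inventory: Dict[str, List[Cert]]) -> Cert:
    """Behaviour described under Cause: only the leaf's own tenant is searched,
    so a CA living in the admin tenant is treated as missing."""
    issuer = find_issuer(leaf, inventory.get(leaf.tenant, []))
    if issuer is None:
        leaf.ca_refs = []              # reference cleared ...
        leaf.issuer_name = leaf.issuer  # ... only the issuer name is retained
    else:
        leaf.ca_refs = [issuer.name]
        leaf.issuer_name = None
    return leaf


def relink_chain_shared(leaf: Cert, inventory: Dict[str, List[Cert]],
                        shared_ssl_certificates: bool) -> Cert:
    """Assumed corrected lookup: with sharing enabled, also search the admin
    tenant before concluding that the issuer no longer exists."""
    scope = list(inventory.get(leaf.tenant, []))
    if shared_ssl_certificates and leaf.tenant != "admin":
        scope += inventory.get("admin", [])
    issuer = find_issuer(leaf, scope)
    if issuer is None:
        leaf.ca_refs = []
        leaf.issuer_name = leaf.issuer
    else:
        leaf.ca_refs = [issuer.name]
        leaf.issuer_name = None
    return leaf


def renew_tenant(tenant: str, inventory: Dict[str, List[Cert]],
                 shared_ssl_certificates: bool, use_fix: bool) -> List[str]:
    """Simulate the renewal rescan over one tenant and return the names of
    certificates that ended up with an empty chain reference."""
    lost = []
    for cert in inventory.get(tenant, []):
        if cert.subject == cert.issuer:
            continue  # self-signed root: nothing to link
        if use_fix:
            relink_chain_shared(cert, inventory, shared_ssl_certificates)
        else:
            relink_chain_tenant_only(cert, inventory)
        if not cert.ca_refs:
            lost.append(cert.name)
    return lost


def audit_orphaned_leaves(inventory: Dict[str, List[Cert]]) -> List[str]:
    """Post-renewal check: non-admin certificates with no chain reference
    although a matching issuer is present in the admin tenant."""
    admin = inventory.get("admin", [])
    return sorted(c.name
                  for tenant, certs in inventory.items() if tenant != "admin"
                  for c in certs
                  if not c.ca_refs and find_issuer(c, admin) is not None)


def build_sample_inventory() -> Dict[str, List[Cert]]:
    """Constructed sample data: root and intermediate in admin, leaf in 't1'."""
    root = Cert("Example-Root", "admin", "CN=Example Root", "CN=Example Root")
    inter = Cert("Example-Int", "admin", "CN=Example Int", "CN=Example Root",
                 ca_refs=["Example-Root"])
    leaf = Cert("app-leaf", "t1", "CN=app.example.test", "CN=Example Int",
                ca_refs=["Example-Int"])
    return {"admin": [root, inter], "t1": [leaf]}


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("tenant-only lookup lost chain on:", renew_tenant("t1", inv, True, False))
    print("audit finds:", audit_orphaned_leaves(inv))
    inv = build_sample_inventory()
    print("shared lookup lost chain on:", renew_tenant("t1", inv, True, True))
```

The audit function is the part a practitioner can reuse conceptually: after an automatic renewal, list non-admin certificates whose CA reference is empty while the issuer still exists in admin, which is exactly the symptom this article describes.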

Resolution