UIM - how to renew a CA server certificate for HUB tunneling

Article ID: 265416

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

You want to renew the CA certificate used by a hub tunnel server configuration because the existing one is about to expire (the CA certificate created by the tunnel setup is valid for 10 years by default).

Environment

Release : 20.4

UIM HUB Tunneling

Cause

This article is informational: it describes the procedure for renewing the tunnel CA certificate before it expires, and how to do so without losing management access to the remote hubs.

Resolution

There are two types of certificates in a tunnel setup:

1. Server certificate (CA and server certificate): created together with the CA certificate on the hub that acts as the tunnel "server".

2. Client certificate: generated on the tunnel server, then copied to each "client" (peer) hub and pasted into that hub's client configuration section.

Note: renewing the CA certificate with the steps below invalidates every client certificate issued by the old CA, and all tunnels to this server stop connecting.

You must then replace the client-side certificates with newly issued ones to get the tunnels connecting again.

KB127959 (linked under Additional Information) describes how to replace client certificates that have already expired; the same procedure applies to certificates that have been invalidated by a CA renewal.

This can be a large amount of manual work, because every remote hub must be reconfigured while its tunnel to this server is down. To reduce it, you can do the following before the CA certificate expires:

1. Set up a second tunnel server.
2. Connect each tunnel client to the new tunnel server as well, so that every tunnel client has two active tunnels.
3. Reset/renew the CA certificate on the first tunnel server. This invalidates all client certificates issued by it and the tunnels to the first server fail, but the tunnels to the second server stay up.
4. The clients may initially show red or disappear from Infrastructure Manager (IM); after about 1-2 hours the tunnel routes should stabilize and the clients should be reachable again through the second tunnel.
5. Once they are, issue new client certificates from the first tunnel server and replace the certificate in each client's first tunnel connection. The remote hubs remain configurable from IM over the second tunnel while you do this.
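The migration above only works if it is started before the old CA certificate runs out, so the first thing to establish is how much time is left. The script below is an added example; it is not part of this Broadcom article or of UIM. It assumes the CA/server certificate has been copied out of the hub's tunnel configuration into a PEM file (that export step is assumed) and that the openssl command-line tool is on the PATH. The probe function additionally assumes the tunnel server presents its certificate in a standard TLS handshake on the port it listens on (48003 is the hub tunnel default). The same check, run after the Plan of Action below, confirms the new expiration date.

```shell
#!/bin/sh
# Added example, not from the Broadcom KB or from UIM itself.
# Checks how long a tunnel CA/server certificate has left, so the
# second-tunnel-server migration can be scheduled before tunnels drop.
# Assumes: the certificate was exported from the hub tunnel configuration
# as a PEM file, and openssl is available on the PATH.

# cert_enddate CERT.pem -> prints the notAfter date of the certificate
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_subject CERT.pem -> prints the subject, to confirm which hub CA this is
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# expires_within CERT.pem DAYS -> returns 0 if the certificate expires within
# DAYS days (or has already expired), 1 if it stays valid beyond that window.
# openssl -checkend takes seconds and exits 0 when the cert is still valid then.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# report CERT.pem WARN_DAYS -> prints a status summary; returns 1 when the
# renewal is due within WARN_DAYS (non-zero on "problem", for use in cron/alerts)
report() {
    printf 'certificate: %s\nsubject:     %s\nnotAfter:    %s\n' \
        "$1" "$(cert_subject "$1")" "$(cert_enddate "$1")"
    if expires_within "$1" "$2"; then
        echo "STATUS: expires within $2 days - plan the CA renewal now"
        return 1
    fi
    echo "STATUS: valid for more than $2 days"
    return 0
}

# probe_tunnel_enddate HOST [PORT] -> notAfter of the certificate presented by
# a live tunnel server. Assumption: the server completes a standard TLS
# handshake; 48003 is the hub tunnel default port. Needs network access.
probe_tunnel_enddate() {
    openssl s_client -connect "$1:${2:-48003}" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# make_test_cert DAYS OUT.pem -> throwaway self-signed certificate used only to
# exercise the checks above (constructed test data, not a UIM certificate)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -days "$1" -subj "/CN=test-hub-tunnel-ca" >/dev/null 2>&1
}

# Usage: sh check_tunnel_ca.sh hub_tunnel_ca.pem [warn_days]
# Without arguments nothing runs, so the functions can be sourced from another script.
if [ $# -ge 1 ]; then
    report "$1" "${2:-90}"
fi
```

Run it against the exported PEM with a warning window that gives you time to stand up the second tunnel server and re-point every client, for example 90 or 180 days; the non-zero exit status when renewal is due lets the same check run from a scheduled job.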

Plan of Action: 

1. Renew the server and CA certificates in the tunnel server configuration. To do this, open the hub configuration, go to "Tunnels", uncheck the "Active" checkbox in the server configuration, click "OK" and close the hub configuration window.

2. Reopen the hub configuration, go to "Tunnels" and check the "Active" checkbox again. A confirmation dialog appears.

3. Click "Yes". The Certificate Authority Setup window opens; this is where you create (renew) the main CA certificate.


4. Once the certificate has been created, the server configuration page shows the new expiration date.

5. Create new client certificates (either one wildcard certificate or a separate certificate for each client hub) and import them into the client configuration of each remote hub. The article describing this procedure is linked under Additional Information.

In effect this procedure re-initializes tunneling completely, the same as configuring tunneling from scratch.

Additional Information

This process can be automated to some extent using a superpackage/configuration package. See this KB for more detail.

Additional KBs related to the tunnel (client) certificates:

The tunnel certificate will expire ... how to replace it before it does?

https://knowledge.broadcom.com/external/article?articleId=185384

Hub tunnels lost connection due to certificate expiration and no longer appear in IM

https://knowledge.broadcom.com/external/article?articleId=127959