Default keyring has expired or is about to expire

book

Article ID: 168289

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

My Default keyring is about to expire or has expired.

Cause

The Default keyring is only valid for two years.

Resolution

The default keyring is created on the SG unit when it is first configured but the keyring is only valid for two years. Once the keyring has expired it cannot be renewed. The only way to recreate the default keyring is to factory default the SG unit. This will then create the Default keyring again.

The other option is to create a new keyring (for the purpose of this article we have named it “Default2”) then change the services that currently use the default keyring to use the new Default2 keyring instead.

The process for this can be followed below:

First, create a new keyring by going to Configuration > SSL > Keyrings > click “Create” 


User-added image
 

You will then see the screen:


User-added image
 

Give the keyring a name (again we have used Default2). In this example, the option “Private key visible” has been set to “Do not show key pair” this means that the Private Key for the keyring cannot be viewed at all and cannot be backed up on the SG unit. If you were to select “Show key pair” you would be able to read the Private Key via the CLI and you would then be able to back up the Private Key. If you were to select “Show key pair to director” then Director would be able to view the Private Key.


User-added image
 

Once the Keyring has been created click “Ok”. You will then be sent back to the previous screen where you can see the new keyring. Select “Apply” on the Proxy to save the changes made this far. 

Next, select the new keyring and select “Edit”:


User-added image


You will then see the following screen:


User-added image
 

From this screen you will need to create a new Certificate by click on the “Create” option under Certificate:


User-added image


Above is the data that the proxy has used to create the certificate for the Default2 keyring. The CN value is the IP of the proxy that the Default2 keyring is used on. Fill in the rest of the relevant data then click “Ok” then “Close” and finally select “Apply”.
 
Next, in the Management Console, navigate to Configuration > Services > Management Services:


User-added image
 

Change the HTTPS-Console "Keyring" dropdown from the "default" keyring to the new "Default2" keyring.


Next, ensure the new Default2 keyring is selected in the "Keyring" dropdown under Configuration > SSL > SSL Client:


 User-added image


In some cases you may have configured other services to use the default keyring, these also need to be changed. For a list of other places SSL keyrings are referenced, see TECH250387.

Attachments