
Onboard CA will soon expire

Sifus,

My Onboard CA will expire soon. Should I just click 'Renew Root certificate', or do I need to create a new CA and ask all the users to re-onboard their devices again?

Re: Onboard CA will soon expire

Can you renew the root certificate with the existing key?
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
---------------------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Onboard CA will soon expire

How do I do that? By clicking the renew cert button?

Acelync Networks Sdn Bhd
Unit 1002, 10th Floor,
Block A, Damansara Intan,
No.1, Jalan SS 20/27,
47400, Petaling Jaya, Selangor
Tel : 03-7727 7000
Fax : 03-77270707
H/P : 012-5681162
Email: shaiful@acelync.com

Re: Onboard CA will soon expire

Ok, I've tested this in my lab. I renewed my CPPM CA by just hitting renew, and my existing client certs were still valid.

Might be worth double-checking with TAC, though...

 

Cheers
James


Re: Onboard CA will soon expire

So you can renew your Onboard Root CA, which will (very likely, I'm not 100% sure) require your clients to onboard again before the original CA expires. This is because the current client certificates are still signed by the existing (and expiring) CA.

 

Did you already define your own CA? Or are you using the default CA which can be recognized by the name 'Local Certificate Authority'?

 

If you deployed the default CA, I would create a new CA with a long run time; I typically take 10, 15, 20 years or more to prevent your CA from expiring again in the short term. Also, you can put information about your company/organization in, so if people see the certificate they can recognize it's associated with you.

 

When you have done that (either renewed or a new CA), you can, during authentication, check if the client certificate has been issued by the old expiring CA and push those users into the onboarding role again so they will be guided through the process.

 

If you want to have a definitive answer, I would advise you to work with Aruba TAC.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: Onboard CA will soon expire

Nice... that means there's no need to re-onboard, right?

Regards,
Shaiful Adli Bin Yaakob

Network Engineer

Re: Onboard CA will soon expire


Herman Robers wrote:

So you can renew your Onboard Root CA; which will (very likely, I'm not 100% sure) require your clients to onboard again..

 ...............

If you want to have a definitive answer, I would advise you to work with Aruba TAC.


No, Herman is saying you will likely have to re-onboard.

 

Cheers
James


Re: Onboard CA will soon expire

That means...

I can renew the CA by clicking 'renew', but the existing clients would still have to re-onboard due to the old cert existing on the endpoint.

The advantage of doing it this way is that we can tell the users to slowly re-onboard until the existing CA cert expires, right?

The other way is to change the CA, but this way will require the users to be re-onboarded immediately...

Am I correct?

Re: Onboard CA will soon expire

No, at least in the situation where you have a second/new CA, you can still use the expiring CA, as both will be trusted for client certs.

 

I once created a new CA with a longer expiration and 4096-bit keys (which can be considered more secure), and configured new clients to get a certificate from the new CA. But both CAs were trusted, and clients could have certificates from either CA.

 

After some testing, I conclude that in fact it does not make a difference at all, as if you renew your existing CA, an additional entry for the Root CA will be created in the trust list:

[screenshot: root-renewal.png]

It might be that the root has the same key pair, but that does not matter either.

 

As soon as the old CA expires, all certificates signed by that CA are likely to become invalid; by that time your clients need to be re-onboarded and have a client certificate that is signed by a still-valid CA that is in the trust list. If we had created a new CA, it would be similar, just the naming is different.

 

My choice would be to create a new CA, and name it differently as well to ease troubleshooting. If the signing CA has a different name, you can quickly see if clients have a cert from the old or from the new CA. If you renew, you cannot easily see, as the naming is the same.

 

You are likely to need to onboard all clients before the existing CA expires, regardless of the choice to renew the CA or create a new CA. As the current CA is likely to have a short running time, and I could not find a way to change the expiration period when renewing, I would go for a new CA and set the expiration of the root CA to 10, 15 or 20 years (and take the highest possible when in doubt).

 

For official advice, please contact Aruba TAC, as they can look at your system with you and get a better view of your case.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
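The enforcement check suggested earlier in the thread (during authentication, spot a client certificate issued by the old, expiring CA and push that user back into the onboarding role) and the two points in the reply above (certificates signed by the old CA stop validating the moment that CA expires; a differently named new CA makes the issuer obvious when troubleshooting) can be exercised outside ClearPass. The Go program below is an added example written for this edit, not code from any poster or from Aruba. It builds a constructed lab PKI in which the root names ("Local Certificate Authority" and "Example Corp Onboard CA 2"), the 30-day and 20-year lifetimes, the device CNs and the 90-day re-onboarding horizon are all assumptions, trusts both roots at once, and classifies each device certificate today and again 31 days later, after the old root has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcomes an enforcement policy would map to roles (the names are assumptions).
const Allow, Reonboard, Reject = "allow", "reonboard", "reject"
var serial int64 // lab-only serial counter; a real CA uses random 128-bit serials

// sign mints a P-256 key and either a self-signed root (isCA) or a client-auth
// leaf signed by parent. An rsa.GenerateKey(rand.Reader, 4096) key works the same.
func sign(cn string, isCA bool, notBefore, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// decide validates a presented client cert against the trust list as of now and returns
// the outcome plus the CN of the root it chained to (a distinctly named new CA shows here).
func decide(client *x509.Certificate, trust *x509.CertPool, now time.Time, horizon time.Duration) (string, string) {
	chains, err := client.Verify(x509.VerifyOptions{Roots: trust, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		// Expired root: certs it signed no longer chain, even if the leaf itself is unexpired.
		return Reject, client.Issuer.CommonName
	}
	root := chains[0][len(chains[0])-1]
	if root.NotAfter.Before(now.Add(horizon)) {
		return Reonboard, root.Subject.CommonName
	}
	return Allow, root.Subject.CommonName
}

// lab: a default-style root 30 days from expiry, a distinctly named 20-year root, one device from each.
type lab struct {
	now                  time.Time
	oldClient, newClient *x509.Certificate
	trust                *x509.CertPool
}

func buildLab() (*lab, error) {
	now, trust := time.Now(), x509.NewCertPool()
	var err error
	mint := func(cn string, isCA bool, nb, na time.Time, p *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil {
			return nil, nil
		}
		c, k, e := sign(cn, isCA, nb, na, p, pk)
		err = e
		return c, k
	}
	oldRoot, oldKey := mint("Local Certificate Authority", true, now.AddDate(-5, 0, 0), now.AddDate(0, 0, 30), nil, nil)
	newRoot, newKey := mint("Example Corp Onboard CA 2", true, now.Add(-time.Hour), now.AddDate(20, 0, 0), nil, nil)
	oldClient, _ := mint("laptop-001", false, now.AddDate(0, -6, 0), now.AddDate(0, 6, 0), oldRoot, oldKey)
	newClient, _ := mint("laptop-002", false, now.Add(-time.Hour), now.AddDate(1, 0, 0), newRoot, newKey)
	if err != nil {
		return nil, err
	}
	trust.AddCert(oldRoot) // both roots trusted at the same time, as in the thread
	trust.AddCert(newRoot)
	return &lab{now: now, oldClient: oldClient, newClient: newClient, trust: trust}, nil
}

func main() {
	l, err := buildLab()
	if err != nil {
		panic(err)
	}
	for _, when := range []time.Time{l.now, l.now.AddDate(0, 0, 31)} { // today, and after the old root expires
		for _, c := range []*x509.Certificate{l.oldClient, l.newClient} {
			outcome, root := decide(c, l.trust, when, 90*24*time.Hour)
			fmt.Printf("%s on %s: %s (root %q)\n", c.Subject.CommonName, when.Format("2006-01-02"), outcome, root)
		}
	}
}
```

Run it with go run: the old-CA device is flagged for re-onboarding today, because its root expires inside the 90-day horizon, and is rejected outright once that root has expired, while the new-CA device is allowed both times. The decide function stands in for the thread's suggestion of checking the issuer during authentication and landing those users in the onboarding role; how long the horizon should be is a local choice, and the returned root CN is what makes a differently named new CA easy to pick out in logs.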

Re: Onboard CA will soon expire

Your choice seems to be the wiser selection, but in order to get both CAs trusted, the client has to be onboarded first, and the existing clients can't connect because the provisioning profile is pointing to the new CA.
For the new clients there should be no issue. I'm more worried about the existing onboarded clients.