Security

Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Onboard device certificate renewal

Hi All,

 

I have read in the 6.3 release notes that there is now support for notifying users that their certificates are going to expire. 

 

What happens from here, can the user re-enrol their device by going back to the registration portal and get a new certificate?

 

I thought that if you did this, the existing profile and certificate were pushed back out to the device. Is there a period in which a certificate will be renewed and reissued instead of just being reissued?

 

Thanks

Scott

 

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Onboard device certificate renewal

Correct.

 

Once there is 20% of time left on the certificate it will take you directly to the provisioning page. Here is an example of an email that you will see.

 

It will still run the provisioning profile since you will need to get the updated cert to the client. The cert itself will have an expiration date in it and that will need to be updated.

 

Screen Shot 2014-06-30 at 10.55.33 PM.png

 

Screen Shot 2014-06-30 at 10.51.05 PM.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: Onboard device certificate renewal

Thanks Troy that makes sense.

 

When the user is within this 20% period, is there an attribute or flag that is searchable in CPPM?

 

With regard to the expiry, a little off track, is there any way to set an explicit expiry date for all certs so that they are issued with a period relative to when they enrolled?

 

We are looking at a process where students can enrol per semester and have to re-enrol at the start of the next session. The problem currently is if we set the expiry to, say, 20-something weeks, if a user enrols late they will not have to re-enrol until after the start of the next session.

 

This expiry notification process certainly helps.

Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: Onboard device certificate renewal

I think we need a dedicated button on this forum to "Give Kudos to Troy" :-)

 

 

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Onboard device certificate renewal

This was floating around at Aruba just today. :)

 

I haven't tried either so you will need to test...

 

So the original question the SE was asking is "A school wants to expire all students' certs at the end of the year on Dec 24".

 

You could in fact expire all Onboard certificates on a specific date - the way to do it would be to calculate the appropriate timeout value in the Onboard authorization policy, and return it as the Session-Timeout attribute.

 

This value would be: (desired expiration time MINUS the current time in seconds).

 

Something like the following SQL should do the trick:

 

# select FLOOR(EXTRACT(EPOCH FROM '2014-12-23T00:00:00' - NOW())) AS session_timeout;

 session_timeout
-----------------
        15149339
(1 row)

You can edit the highlighted date to whatever you like...

Or a more advanced way....

 

You could write this SQL instead if you want certificates to last until the next 23 December.  Who wants to have to reconfigure this stuff on Christmas Day?!

 

To use a different date in the year, change the month (yellow) and day (green) in the following SQL:

 

SELECT FLOOR(EXTRACT(EPOCH FROM (((EXTRACT(MONTH FROM NOW()) >= 12 AND EXTRACT(DAY FROM NOW()) >= 23)::INT + EXTRACT(YEAR FROM NOW())) || '-12-23')::TIMESTAMP - NOW())) AS session_timeout;

 

How this works:

  • If the current date is before December 23 then use the current year;
  • Otherwise, use the next year;
  • Compute the difference between the specified year's date of December 23 and the current time [this will always be positive];
  • Return the answer in seconds.

So on December 22 you will get a certificate lifetime less than 1 day ... On December 24 you will get a certificate lifetime of 364.something days.

 

Just for completeness, the certificate will expire around midnight on the specified day.  If you want to choose a particular time during the day then append it after the -12-23 part, e.g. '-12-23T12:00' for noon.  (For complete correctness you should also update the condition to check for times after midnight and before the specified expiration time ... but this is left as an exercise for the interested reader!)

Thank You,
Troy

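The Session-Timeout arithmetic from the post above (expiry minus now, rolling over to next year once the date has passed) and the 20%-of-lifetime renewal window from earlier in the thread, as an added Python example rather than the SQL from the post; it also handles the time-of-day case the post leaves as an exercise. All dates are constructed and the function names are my own, not ClearPass or Onboard APIs.

```python
import math
from datetime import datetime, timedelta, timezone


def next_annual_expiry(now: datetime, month: int = 12, day: int = 23,
                       hour: int = 0, minute: int = 0) -> datetime:
    """Next occurrence of month/day at hour:minute, strictly after `now`.

    Unlike the date-only SQL in the post, this also compares the time of day,
    so a cert issued at 09:00 on the expiry day with a noon cut-off still
    expires at noon today rather than a year later.
    """
    candidate = now.replace(month=month, day=day, hour=hour, minute=minute,
                            second=0, microsecond=0)
    if candidate <= now:
        candidate = candidate.replace(year=now.year + 1)
    return candidate


def session_timeout_seconds(expiry: datetime, now: datetime) -> int:
    """Value to return as RADIUS Session-Timeout: whole seconds until expiry (floored)."""
    return math.floor((expiry - now).total_seconds())


def in_renewal_window(not_before: datetime, not_after: datetime,
                      now: datetime, fraction: float = 0.20) -> bool:
    """True when the remaining lifetime is at or under `fraction` of the total lifetime
    (the 20% point at which Onboard starts notifying and re-provisioning)."""
    lifetime = not_after - not_before
    remaining = not_after - now
    return timedelta(0) <= remaining <= lifetime * fraction


if __name__ == "__main__":
    # Constructed sample: a device enrolling on 30 June 2014 at 22:00 UTC.
    now = datetime(2014, 6, 30, 22, 0, tzinfo=timezone.utc)
    expiry = next_annual_expiry(now)                 # 2014-12-23 00:00 UTC
    print(expiry, session_timeout_seconds(expiry, now))   # 15127200 seconds

    # Constructed one-year cert; on 1 Nov only 61 of 365 days remain (< 73 = 20%).
    nb = datetime(2014, 1, 1, tzinfo=timezone.utc)
    na = datetime(2015, 1, 1, tzinfo=timezone.utc)
    print(in_renewal_window(nb, na, datetime(2014, 11, 1, tzinfo=timezone.utc)))  # True
```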
Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Onboard device certificate renewal

There should be an arubapedia How-To page coming soon. 

Thank You,
Troy

Super Contributor II
Posts: 358
Registered: ‎02-22-2011

Re: Onboard device certificate renewal

Thanks.

 

A little long winded but still effective.

 

Would be great to have an alternative selection to the CA certificate lifetime in days for those of us who aren't SQL savvy.

 

I've posted an idea on the portal for this.

 

Scott

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Onboard device certificate renewal

Also remember that you are not limited to just one Root CA, so you could onboard students with one CA that has a lifetime of 90 days and staff with one of 1 year, but the problem with that is if the user onboards at the end of the year the cert would be valid for the lifetime of the cert.

 

Licensing is based on device certs, not Root CAs :)

 

For example, in my lab I'm running 2 Roots.

 

1. Local lab users: 365 days
2. RAP users: 7 days

 

Screen Shot 2014-06-30 at 11.29.19 PM.png

You do have the option also to purge all certs from a certain Root.

Screen Shot 2014-06-30 at 11.30.40 PM.png

Thank You,
Troy

Occasional Contributor II
Posts: 45
Registered: ‎11-22-2013

Re: Onboard device certificate renewal

Sifus,

 

My Onboard CA will expire soon. Should I just click 'Renew Root certificate', or do I need to create a new CA and ask all the users to re-onboard their devices again?
