3 replies. Latest reply: May 19, 2015 2:56 AM by Kevin Alavoine

Anyone using CMC Certificate Authority to manage Steelhead certificates?

Danny Mongrain

I've been using this new feature introduced in 8.6.0 and it works well. It simplifies my SH <> Mobile Secure peering as I don't need to import each SH's SSL cert onto the SMC manually. Basically, the CMC becomes its own certificate authority.

It's quite simple to set up, but I found the documentation not very clear about it, mainly regarding what to do on the SMC.

Here's a summary of the steps:

  1. Enable the CMC as a CA (Configure › Certificate Authority). Warning: I tried to use a 2048-bit CA, but some SHs had a previously existing 1024-bit certificate and refused a new 2048-bit certificate. I had to roll back to a 1024-bit CA.
  2. Generate certificates for your Steelheads (Manage › Appliances › Appliances Operations: Replace (Generate) Peering certificates) and do a policy push to all. (That policy must include the Secure Peering configuration page.)
  3. From now on, all your SHs will automatically trust all other SHs that were signed by the same CMC.

On the SMC:

  1. You must add the CMC CA certificate as a CA (Configure › SSL › Certificate Authorities: Add a New Certificate Authority).
  2. Then you specify that it shall trust any peer SH whose certificate was signed by this CA (Configure › SSL › Peering: Trust Existing CA; select the CMC CA you just created in the step before).

Hope this helps.

-Danny

  • Re: Anyone using CMC Certificate Authority to manage Steelhead certificates?
    Kevin Alavoine

    This could be about to come in handy for me, I think.

    We've just added an SMC to our CMC that I didn't realize was on our network, and I'm seeing a lot of SSL errors for endpoints that are using it. The SMC wasn't a factor when I set up SSL peering on our SteelHeads, so now I've got to add a licence and the SH certs to it.

    Will let you know how I get on.

    • Re: Anyone using CMC Certificate Authority to manage Steelhead certificates?
      Danny Mongrain

      Your situation is very similar to mine. The Certificate Authority option on the CMC (SCC) is definitely the way to go. Configure it once, then forget about it.

      Danny

      • Re: Anyone using CMC Certificate Authority to manage Steelhead certificates?
        Kevin Alavoine

        Right.  Well.  Think I'm halfway there...

        CMC:

        • CMC CA configured with 2048 bits
        • SSL peering policy set to "Trust All Peers"
        • Replaced peering certs on CMC, pushed to all SHs

        SMC:

        • Added SSL licence (kind of important)
        • Added CMC cert text in SSL>Peering>New Trusted Entity
        • Policies>"Policy">SSL>Enable/High/SSL&Secure/Trust All Pre-Configured
        • Update Policy

        All my SteelHeads now show their peers in a "peering trust" list, so they're all still trusting one another, but the SMC isn't in the peer list... Newly connected Mobile clients are still showing "sslinner: Trust Failure with Remote Steelhead" errors. Must be missing something, but not sure what...

        *edit

        I found out what I was missing. I didn't have the SteelHead Mobile trust in my peering policy, so I copied the signing cert text from the SMC, added it as a Mobile Trust, and now everything appears to be functioning correctly and I'm not seeing SSL errors any more.

        Basically, add Danny Mongrain's walkthrough to the normal setup docs and you're set.

        Cheers!