For a secure deployment, NetWitness Platform installs internal RSA-issued certificates, such as the CA certificate and service certificates.
The validity periods for NetWitness Platform certificates are as follows:
- CA root certificate for 11.x deployment is valid for 10 years
- CA root certificate for 10.6.x deployment is valid for 5 years
- Service certificates are valid for 1000 days
When these certificates are about to expire or have expired, you must renew and reissue the certificates as soon as possible to avoid any issues with your NetWitness deployment.
Note: You can view the expiration details by executing the ca-expire-test-sh script on the NetWitness Server. For more information, and to download the script, see Reissue root CA security certificates on RSA NetWitness Platform 11.x.
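One way to run the same kind of expiry check with stock openssl, as an added example that is not the RSA ca-expire-test script or any NetWitness code. The certificates are constructed in a temporary directory, and the 30-day warning window, the function names and all paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag PEM certificates that have expired or will expire soon.
# The 30-day default window and every path below are assumptions, not NetWitness defaults.

# cert_status <cert.pem> [warn_days] -> prints OK | RENEW_SOON | EXPIRED | UNREADABLE
cert_status() {
    local cert=$1 warn_days=${2:-30}
    # Refuse anything openssl cannot parse, so a bad path is not reported as expired.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 2; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo EXPIRED; return 1
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo RENEW_SOON; return 1
    fi
    echo OK
}

# check_all <warn_days> <cert.pem>... -> one line per cert; returns 1 if any needs attention
check_all() {
    local warn_days=$1 rc=0 cert status
    shift
    for cert in "$@"; do
        status=$(cert_status "$cert" "$warn_days") || rc=1
        printf '%-10s %s  %s\n' "$status" "$cert" \
            "$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)"
    done
    return $rc
}

# make_sample_cert <days> <out.pem>: constructed self-signed certificate, demo only.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=constructed-demo" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert 1000 "$demo_dir/service.pem"   # service-certificate lifetime from this page
make_sample_cert 10   "$demo_dir/expiring.pem"  # constructed near-expiry case
check_all 30 "$demo_dir/service.pem" "$demo_dir/expiring.pem" "$demo_dir/missing.pem" \
    || echo "At least one certificate needs attention before it expires."
```

The non-zero return from check_all makes the function usable from a scheduled job that alerts when any listed certificate enters the warning window.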
CA Certificate Reissue
To renew the CA certificates, do the following:
- Before you upgrade from 10.6.x to 11.x, check the expiry and reissue those certificates. For more information, see Reissue root CA security certificates on RSA NetWitness Platform 11.x.
- If you are on 10.6.x, check the expiry and reissue all the certificates. For more information, see Reissuing security certificates on RSA NetWitness Platform 10.6.x.
Note: If you have Windows Legacy Collectors (WLC) in your deployment, renew the CA certificate of the WLC after renewing the CA certificate of the NetWitness Admin Server.
Service Certificate Reissue
To renew the Service certificates, do the following:
- If your hosts are on NetWitness Platform 11.3 or later, you must use the cert-reissue script. For more information, see Reissuing Service Certificate.
- If your hosts are on 11.1.x or 11.2.x, you must upgrade the NetWitness Platform to 11.3 or later and run the cert-reissue script.
Note: If you have a host that is decommissioned or that you plan to remove, do not renew the certificate for that host.
You can reissue service certificates in the following two ways:
- All at once
  Reboot the NW Server host after the cert-reissue --host-all command completes.
- One at a time
  Reissue the NW Server host certificates first, restart the host, then reissue each component host.
IMPORTANT: If you are reissuing certificates for each host individually (one at a time), you must reissue the certificate for the NW Server host before you can reissue certificates for any other host.
When to Use the --host-all Argument
Use the cert-reissue --host-all command string if you have a large number of hosts. Make sure that:
- All your hosts are running 18.104.22.168 or later.
- All your hosts are online.
- The NW Server host run time services are running.
The following table lists the argument you can use to reissue certificates for all hosts at one time. See Troubleshooting Cert-Reissue Command for additional options you can use with Customer Support to troubleshoot errors.
--host-all: Reissues certificates for all hosts at one time, applies system health checks, and restarts services.
Note: If even one host is not online, this command fails. If you have numerous hosts in your deployment, make sure that all hosts are up and running.
Caution: Make sure you do not run this argument on a node or host that you plan to remove or decommission.
When to Use the Individual Host Argument (--host-key <ID, IP, hostname or display name of host>)
The cert-reissue --host-key <ID, IP, hostname or display name of host> command reissues a certificate for an individual host. You may want to reissue certificates for an individual host if you have a small number of hosts.
Make sure that:
- Each host is running 22.214.171.124 or later.
- Each host is online.
- The NW Server host run time services are running.
- You reissue certificates for the NW Server host first.
Note: You must run the command for the NW Server host first and reboot that host before you run the command for each component host.
Reissuing Certificates for All Hosts Except Windows Legacy Collection (WLC) host
Use the cert-reissue command to reissue certificates for all hosts except the WLC host with the following procedures.
Running the Cert-Reissue Command for All Hosts
- SSH to the NW Server host.
- Submit the appropriate command string.
Running the Cert-Reissue Command for an Individual Host
- SSH to the NW Server host.
- Submit the appropriate command string:
cert-reissue --host-key <ID, IP, hostname or display name of host>
Reissuing Certificates for a WLC Host
You must use the wlc-cli-client utility to reissue certificates for a WLC host (you cannot use the cert-reissue command). You also need to specify a number of WLC identification parameters with this utility.
Note: The certificates for a Windows Legacy Server host are stored in the following directories on the host.
The validity period of WLC certificates can range from 2 to 20 years. If you rename or remove the files and restart the NwLogCollector service, NetWitness regenerates them.
/ssl/truststore.pem - is no longer used in 11.x
Every reissue of a certificate on the Windows Legacy server creates a new private key.
To reissue certificates on a WLC host:
- SSH to the NW Server host.
- Submit the following command string.
wlc-cli-client --cert-renew --host <wlc-host-ip-address> --port 50101 --use-ssl false --username <wlc-username> --password <wlc-password> --ss-username <deploy-admin-username> --ss-password <deploy-admin-password>
Successful Reissue Summary Report
When you run cert-reissue --host-all, the following summary report is displayed if all hosts are online, all run time services are running, and all hosts are on version 126.96.36.199 or higher.
Unsuccessful Reissue Summary Reports
You must contact Customer Support (https://community.rsa.com/docs/DOC-1294) to troubleshoot problems. You know there is a problem if any <host-id> does not return a Success status. Success indicates that certificates were reissued for a host. The following examples illustrate unsuccessful reissues.
Reissue Failed for Host and Aborted Command
The following three examples illustrate a certificate reissue that fails for a host.
Reissue Certificate Partially Executed
The NW Server host certificates were reissued, but the reissued certificates were not properly distributed to one or more component hosts.