Replacing the MNMP certificate with a CA-signed certificate

To minimize the time that the NetProfiler appliance is inaccessible, set up all the Trusted Certificates first, and then replace the MNMP private key in the NetProfiler.

Prerequisites

A CA-signed certificate may include a hierarchical chain of certificates from several certification authorities (the certification chain). All of these CA certificates must be added as individual entries in the Trusted Certificates section of this appliance and of all the Riverbed appliances that connect to it.

Depending on your CA, you may receive these as a concatenation in one file and need to separate them before placing them in the Trusted Certificates sections. If you add more than one CA certificate at a time, the appliance will use the first one it finds, which may not be the correct one.

Alternatively, your CA may provide certificates in separate files. In this case, ensure that you have each certificate in the entire CA chain and not just the end entity certificate.

The end entity certificate and its private key must be pasted into the Local Credentials section of the NetProfiler appliance, and the entire CA certificate chain must be pasted into the Trusted Certificates section of the NetProfiler appliance and every Sensor, Sensor-VE, Flow Gateway and NetShark appliance that connects to it.

The certificates must include the following certificate extensions:

  • X.509v3 Subject Key Identifier

  • X.509v3 Authority Key Identifier

  • X.509v3 Extended Key Usage
    TLS Web Client Authentication, TLS Web Server Authentication

These are necessary in case the CA certificate is renewed and in case more than one CA certificate has the same subject.

Part 1 – Trusted Certificates

For each Riverbed appliance that is to communicate with the NetProfiler appliance:

  1. Copy the first certificate of the CA certificate chain, including the BEGIN and END statements. The certificate will be in a format such as:

-----BEGIN CERTIFICATE-----
MIIBsTCCARqgAwIBAgIJAOqvgxZRcO+ZMA0GCSqGSIb3DQEBBAUAMA8xDTALBgNVBAMTBE1henUwHhcNMDYxMDAyMTY0MzQxWhcNMTYwOTI5MTY0MzQxWjAPMQ0wCwYD05BPDxKbb8Ic6HBPDxKbb8Ic6HWpTJpzs
...
ehyejGdw6VhXpf4lP9Q8JfVERjCoroVkiXenVQe/zer7Qf2hiDB/5s02/+8uiEeqMJpzsSdEYZUSgpyAcws5PDyr2GVFMI3dfPnl28hVavIkR8r05BPDxKbb8Ic6HWpTZMA0GCSqGSIb3DQEBBAUAMA8xDTNMTYwOTI5MTY0MzQxBA
-----END CERTIFICATE-----

  2. Go to the Administration > Appliance Security > Encryption Key Management page, Trusted Certificates tab.

  3. Click Add New Certificate to open a window into which you can paste the CA-signed certificate.

  4. Paste the certificate into the Certificate field.

  5. Optionally, enter a description to be displayed in the Trusted Certificates list. Leave it blank if you want to use the certificate’s subject. This can be changed later using the Change Entry action.

  6. Click OK and confirm that the certificate is listed on the Trusted Certificates tab.

  7. Repeat Steps 1 through 6 for each CA certificate in the chain until all CA certificates in the chain have been added as separate entries on the first Riverbed appliance that communicates with the NetProfiler.

  8. Then perform Steps 1 through 7 on all other Riverbed appliances that connect to the NetProfiler.

  9. After all the connecting Riverbed appliances have all the CA certificates, perform Steps 1 through 6 on this appliance.

Part 2 – Local Certificate and private key

After each certificate in the CA chain has been added to each appliance in your Riverbed deployment as a trusted certificate, the final step is to add the end entity certificate and the private key as the Local Credentials for your NetProfiler.

  1. Go to the Administration > Appliance Security > Encryption Key Management page, Local Credentials tab.

  2. In the row for the MNMP SSL Certificate, choose Change Key/Cert from the Actions menu.

  3. Paste both the MNMP certificate and the private key into the Key/Cert field.

  4. Click OK and confirm that the MNMP certificate is listed on the Local Credentials tab.

Note: Ensure that you include both the private key and the end entity certificate with their BEGIN and END statements. If you paste in just the certificate, you will get a certification error.

They will be in the format:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7CkgI/yEMu0td
...
6Q1V08AwLd4fVrOGvmOeZKk=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAPy15+KVLMaXMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
...
xnRRtSStpDwBRwrPBX9wiih7X13I2n2Qs/c0Gh9OVhKqsmcoZmnHjCQrdQ==
-----END CERTIFICATE-----

If you subsequently view the Local Credentials, you will not see the private key. It is never visible except when you initially paste it into the Change window.
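The following Python example is added here and is not Riverbed code. It separates a concatenated CA file into individual certificates for the separate Trusted Certificates entries described in the prerequisites, and checks that a Key/Cert paste contains both a private key and a certificate, as the note in Part 2 requires. The function names are hypothetical, the sample blocks are constructed placeholder bytes rather than real certificates or keys, and treating any label that ends in PRIVATE KEY as a key block is an assumption.

```python
import base64
import re
import textwrap

# Matches one PEM block; the label after END must equal the label after BEGIN.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        payload = "".join(body.split())  # drop line breaks and stray blank lines
        blocks.append((label, base64.b64decode(payload, validate=True)))
    # Every BEGIN marker must have been consumed by a complete block.
    if len(blocks) != text.count("-----BEGIN "):
        raise ValueError("truncated or mismatched BEGIN/END markers")
    return blocks

def to_pem(label, der):
    """Re-encode one block with 64-character lines, ready to paste."""
    b64 = base64.b64encode(der).decode("ascii")
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(textwrap.wrap(b64, 64)), label)

def split_ca_bundle(text):
    """One PEM string per CA certificate, each for its own trusted entry."""
    blocks = split_pem(text)
    wrong = [label for label, _ in blocks if label != "CERTIFICATE"]
    if wrong:  # a private key must never end up in a trust store
        raise ValueError("non-certificate block in CA bundle: %s" % wrong)
    return [to_pem(label, der) for label, der in blocks]

def check_local_credentials(text):
    """Return a list of problems with a Key/Cert paste (empty list = OK)."""
    labels = [label for label, _ in split_pem(text)]
    keys = sum(1 for lab in labels if lab.endswith("PRIVATE KEY"))  # assumption
    certs = labels.count("CERTIFICATE")
    problems = []
    if keys != 1:
        problems.append("expected 1 private key block, found %d" % keys)
    if certs != 1:
        problems.append("expected 1 end entity certificate, found %d" % certs)
    return problems

# Constructed sample input: placeholder bytes, not real certificates or keys.
ROOT = to_pem("CERTIFICATE", b"constructed root CA " * 6)
INTERMEDIATE = to_pem("CERTIFICATE", b"constructed intermediate CA " * 6)
KEY = to_pem("PRIVATE KEY", b"constructed key " * 6)
```

The check only confirms that the expected blocks are present and well-formed; it does not parse the certificates or verify that the key matches the certificate.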
