Replacing SSL certificates
The NetProfiler secures the following SSL connections using certificates:
- MNMP – NetProfiler communicating with other Riverbed appliances
- Identityd – NetProfiler communicating with the ADConnector program to obtain user information from Microsoft Active Directory domain controllers
- Apache – NetProfiler communicating with users’ web browsers
The certificates that are currently in use can be replaced by:
- Regenerating the certificate – The NetProfiler generates a new certificate.
- Replacing the certificate – The current certificate can be replaced by a CA-signed or self-signed certificate that you obtain or generate outside of the Riverbed appliance.
There are slightly different procedures for replacing each type of certificate.
Replacing the MNMP SSL certificate
Before you replace the MNMP certificate, go to the Devices tab of the Administration > Devices/Interfaces page and identify all the Cascade Sensor, Flow Gateway and NetShark appliances that connect to this appliance. Note them, because after the MNMP SSL certificate in this appliance has been replaced, the Trusted Certificates list on each of those appliances must be updated before it can connect to this appliance.
The connected appliances are displayed at the top level of the list on the Devices & Interfaces (Tree) tab. The tree view may be disabled to improve performance if the list is very large. Click the Show all Devices and Interfaces button to display the complete list. Note that the appliance performance may be impacted while a very large list is displayed.
Regenerating the MNMP SSL certificate
Replacing the MNMP certificate with a CA-signed certificate
Replacing the MNMP certificate with a self-signed certificate
Replacing the Identityd SSL certificate
The Identityd certificate secures communication between the ADConnector program and the NetProfiler. The ADConnector program transfers user identity information from Microsoft Windows Active Directory domain controllers to a NetProfiler.
The subject Common Name in the Identityd certificate must be: CN=Mazu NetProfiler: Identity
The appliance checks the validity dates when the certificate is loaded. Afterwards, it ignores the expiration date.
Regenerating the Identityd SSL certificate
Replacing the Identityd certificate with a CA-signed certificate
Replacing the Identityd certificate with a self-signed certificate
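A pre-upload check for the Identityd requirements above, as an added example that is not part of the Riverbed documentation: it confirms the subject CN and, because the appliance ignores the expiration date once the certificate is loaded, reports how close the certificate is to expiring. The function names, the exit codes and the 30-day default are assumptions, and the script needs the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check for an Identityd replacement certificate.
REQUIRED_CN='Mazu NetProfiler: Identity'   # subject CN required by the page

# Constructed sample input: a throwaway self-signed certificate.
# Key size and lifetime are arbitrary demo values, not appliance requirements.
make_sample_cert() {   # usage: make_sample_cert OUT_PREFIX CN DAYS
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Print the subject commonName of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
    sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Return 0 = ok, 1 = wrong CN, 2 = unreadable or already expired,
# 3 = expires within MIN_DAYS (default 30). Only notAfter is checked here.
check_identityd_cert() {   # usage: check_identityd_cert CERT.pem [MIN_DAYS]
  local pem=$1 min_days=${2:-30} cn
  if ! openssl x509 -in "$pem" -noout 2>/dev/null; then
    echo "unreadable certificate: $pem" >&2; return 2
  fi
  cn=$(cert_cn "$pem")
  if [ "$cn" != "$REQUIRED_CN" ]; then
    echo "subject CN is '$cn', expected '$REQUIRED_CN'" >&2; return 1
  fi
  # The appliance validates dates only at load time, so check now ...
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "certificate has already expired" >&2; return 2
  fi
  # ... and flag a short remaining lifetime, which nothing will report later.
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "expires within $min_days days: $(openssl x509 -in "$pem" -noout -enddate)" >&2
    return 3
  fi
  echo "ok: CN matches, $(openssl x509 -in "$pem" -noout -enddate)"
}

# Run as: ./check_identityd_cert.sh identityd.pem 60
if [ "$#" -gt 0 ]; then
  check_identityd_cert "$@"
fi
```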
Replacing the Apache SSL certificate
The Apache certificate secures the NetProfiler appliance's communication with users’ web browsers. After you replace the Apache certificate, restart your browser to avoid browser errors. All other users connected to the web user interface of this appliance should also restart their browsers to avoid browser errors.
Regenerating the Apache SSL certificate
Replacing the Apache certificate with a CA-signed certificate
Replacing the Apache certificate with a self-signed certificate