My Default keyring is about to expire or has expired.
The Default keyring is created on the SG unit when it is first configured, and it is only valid for two years.
Once the keyring has expired, it cannot be renewed. The only way to recreate the Default keyring is to factory default the SG unit, which creates the Default keyring again.
The other option is to create a new keyring, call it Default2, and then change the services that currently use the Default keyring to use the new Default2 keyring. The process for this is described below:
First, create a new keyring by going to Configuration > SSL > Keyrings and clicking “Create”.
You will then see the screen:
Give the keyring a name; for the purpose of this article Blue Coat has used “Default2”. The option “Private key visible” has been set to “Do not show key pair”. This means that the private key for the keyring cannot be viewed at all, so it cannot be backed up on the SG unit. If you were to select “Show key pair”, you would be able to read the private key via the CLI and you would then be able to back up the private key. If you were to select “Show key pair to director”, then Director would be able to view the private key.
Once the keyring has been created, click “Ok”. You will be sent back to the previous screen, where you can see the new keyring; click “Apply”. Then select the new keyring and select “Edit”:
You will then see the following screen:
From this screen you will need to create a new certificate by clicking the “Create” option under Certificate:
Above is the data that Blue Coat has used to create the certificate for the Default2 keyring. The CN value is the IP of the proxy that the Default2 keyring is used on. Once the relevant data has been entered, click “Ok”, then “Close”, and then click “Apply”.
Now you need to locate the services on the proxy that are set to use the Default keyring. Below I have shown where some of the common services are:
Configuration > Services > Management Services:
The HTTPS-Console uses the Default keyring by default, so this needs to be changed to use the Default2 keyring.
Configuration > SSL > SSL Client
In some cases you may have configured other services to use the Default keyring, so these would also need to be changed. For a list of other places SSL keyrings are referenced, see TECH250387.
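To see how close the certificate in a keyring is to expiry, and to confirm after the change that a service presents the Default2 certificate, the certificate can be checked with OpenSSL from a workstation. This is an added example, not part of the original article or of Blue Coat tooling; the function names and the 60-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: check the expiry of the certificate a keyring presents.
# Function names and the default WARN_DAYS of 60 are assumptions.
#
# Typical use (HOST and PORT are the proxy IP and the port of the service
# that uses the keyring, for example the HTTPS-Console):
#   fetch_cert HOST PORT > cert.pem
#   cert_status cert.pem 60
#   cert_summary cert.pem

# Write the certificate presented by HOST:PORT to stdout as PEM.
# No chain validation is attempted; this only reads what the service presents.
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print EXPIRED, EXPIRING or OK for a PEM certificate file.
# $1 = PEM file, $2 = warning window in days (default 60).
cert_status() {
    pem=$1
    warn_days=${2:-60}
    # "-checkend N" exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$pem" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Print the subject and the notAfter date, to confirm that the service now
# presents the new certificate (the CN entered for Default2) and to see
# when it will need replacing in turn.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate
}
```
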
This article contains information previously contained in article 000010612.
Imported Document ID: 000022731