Customers who upgraded their RSA NetWitness Platform hosts from older 10.x versions to 11.x may have internal RSA-issued security certificates that are close to expiring, or that have already expired.
When the RSA NetWitness Platform is upgraded from 10.6.x to 11.x, the existing Certificate Authority (CA) and internal security certificates are carried over and remain in use. The upgrade does not change their original expiration dates, so they may be close to expiring.
Caution: Read the following before running the script that updates the Root CA certificates:
- If you are running RSA NetWitness 11.5.0 or 11.5.0.1, first follow the instructions in the section Procedures for 11.5.0 and 11.5.0.1 Only. Skipping those steps can require a full reimage of NetWitness hosts.
- If your RSA NetWitness 10.6.x certificates have already expired, do not run the script; go to Reissuing Security Certificates on RSA NetWitness Platform 10.6.x instead.
- As of 11.3.0, RSA NetWitness Platform no longer supports Endpoint Hybrids, only Endpoint Log Hybrids. If you have an Endpoint Hybrid in your environment, do not run the script; contact RSA NetWitness Support for assistance.
Consider the following guidelines before the Root CA Update:
- Prepare for adequate downtime of your environment. Depending on the number of hosts in your deployment, this procedure can take several hours to complete. Plan your change window accordingly.
- Services are restarted during the reissue process, which interrupts data capture: after the root CA certificate is reissued, the root CA reissue script restarts all services.
- Renew certificates for all components in the same change window. Do not break up the process across multiple change windows.
- If you have Windows Legacy Collectors (WLC) in your deployment, renew certificates for them within the same change window. See the separate instructions below for Windows Legacy Collector (WLC) hosts.
If you updated from an older version of RSA NetWitness Platform 10.x to 11.x, check and reissue the internal RSA-issued security certificates.
Prerequisites
Caution: If you upgraded to RSA NetWitness 11.4 or later, skip these prerequisite steps and go to the Procedures section below. A version of the required RPM is already installed on the RSA NetWitness Platform, and it contains the required scripts for the procedure.
- Download root-ca-update.zip from the Certificate Re-issue Tool for RSA NetWitness 11.x page on RSA Link.
- Upload the contents to your RSA NetWitness (Admin) server /root directory using any available file transfer software (FileZilla, WinSCP, and so on).
- SSH to the RSA NetWitness Server, log in as root, and extract the root-ca-update.zip content.
If RSA NetWitness 11.3.2 or later is already installed on your RSA NetWitness Platform, skip the following step and go to the Procedures section below. A version of the RPM that it installs is already present.
- (This step applies only to RSA NetWitness Platform versions before 11.3.2) Install the RPM on the RSA NetWitness Server with yum install -y rsa-nw-root-ca-update-<version number>.noarch.rpm, for example:
# yum install -y rsa-nw-root-ca-update-1.0.3.0-1910171844.1.030c45b.el7.noarch.rpm
Procedures
Determine if the systems may have internal RSA NetWitness Platform security certificates that are about to expire or have already expired.
- Locate the ca-expire-test.sh attached to this article.
- Run the certificate expiration test on the RSA NetWitness Server:
# sh ca-expire-test.sh --version 11.x
- If the test runs successfully, output like the following is displayed. The number in the banner (297 in this example) is the number of days until the earliest of the listed certificates expires.
NW Platform CA Certificate Expiration Date: Aug 8 20:03:27 2020 GMT
NW SSCA Expiration Date: Aug 12 15:17:48 2028 GMT
NW Node Certificate Expiration Date: Jul 11 20:45:35 2022 GMT
#########################################################
You must re-issue certificate within 297 days
#########################################################
RSA highly recommends you update your certificate if it is expired, or about to expire.
Failure to do so will result in a system wide outage.
Please review the Knowledge Base Article this script was attached to for what steps to take.
You can contact NetWitness Support at the following address https://community.rsa.com/community/support
RSA highly recommends you update your certificate if the Platform CA or SSCA CA certificate is expired, or about to expire. Failure to do so will result in a system-wide outage.
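The ca-expire-test.sh script is attached to the article rather than printed in it. The following is an added example, not the RSA script and not code from the article, that performs the same kind of check with openssl: it reads the notAfter date of each certificate file, computes the days remaining, and exits non-zero when reissue is needed. It assumes (the article does not say this) that you pass the certificate paths as LABEL=PATH arguments, that openssl is on PATH, and that 90 days is an acceptable definition of "about to expire".

```python
"""Report how many days remain on the NetWitness internal certificates.

Added example; it is not ca-expire-test.sh and not code from the RSA article.
Assumptions (not stated by the article): certificate file paths are given on
the command line as LABEL=PATH pairs, and the openssl binary is on PATH.
"""
import subprocess
import sys
from datetime import datetime, timezone

# The article gives no numeric definition of "about to expire"; 90 days is an
# assumed margin that leaves room to schedule the change window it asks for.
WARN_DAYS = 90


def parse_openssl_enddate(line):
    """Parse 'notAfter=Aug  8 20:03:27 2020 GMT' (openssl x509 -enddate) or the
    bare 'Aug 8 20:03:27 2020 GMT' form printed by ca-expire-test.sh.
    openssl pads single-digit days with two spaces; split() absorbs that."""
    text = line.strip().split("=", 1)[-1]
    mon, day, clock, year = text.split()[:4]      # trailing zone token ('GMT') is dropped
    stamp = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)     # openssl prints notAfter in GMT


def days_remaining(expiry, now):
    """Whole days from now until expiry; negative once the certificate has expired."""
    return (expiry - now).days


def expiry_from_file(path):
    """Ask openssl for the notAfter date of a PEM certificate on disk."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_openssl_enddate(out)


def assess(expiries, now, warn_days=WARN_DAYS):
    """expiries maps a label to its expiry datetime.
    Returns (label_of_earliest, days_left, reissue_required); reissue_required is
    True when the earliest certificate is already expired or inside warn_days."""
    label, expiry = min(expiries.items(), key=lambda item: item[1])
    days = days_remaining(expiry, now)
    return label, days, days <= warn_days


def main(argv):
    expiries = {}
    for arg in argv:
        label, _, path = arg.partition("=")
        expiries[label] = expiry_from_file(path)
    now = datetime.now(timezone.utc)
    for label, expiry in expiries.items():
        print(f"{label} Expiration Date: {expiry.strftime('%b %d %H:%M:%S %Y')} GMT")
    label, days, required = assess(expiries, now)
    if days < 0:
        print(f"{label} expired {-days} days ago: follow the expired-certificate procedure")
        return 2
    print(f"You must re-issue certificate within {days} days ({label})")
    return 1 if required else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as python3 check_nw_cert_expiry.py "NW Platform CA=/path/to/ca.pem" "NW Node=/path/to/node.pem"; the article does not list the on-disk paths of the three certificates, so use the paths from your own deployment. An exit code of 2 means a certificate has already expired and the 10.6.x expired-certificate article applies, not this one.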
Procedures for 11.5.0 & 11.5.0.1 Only
Follow this section if the NetWitness environment is on 11.5.0 or 11.5.0.1. Versions 11.5.1 and later do not require this section; go directly to Update the Certificates.
- Download the fix-launch-keystores.zip from Certificate Reissue JAR for 11.5.x
- Copy the zip file to only the NW Admin, ESA, and any NW Endpoint Log Hybrid servers within the environment.
Warning: The downloaded file must be applied on every one of the three server types mentioned in this step that exists in your environment. Failure to do so may lead to a complete reimage of that host type.
- Once the zip file has been copied to the NW Admin, ESA, or NW Endpoint Log Hybrid server, make a backup copy of /var/netwitness/root-ca-update/fix-launch-keystores.jar file on the server.
# cp /var/netwitness/root-ca-update/fix-launch-keystores.jar /var/netwitness/root-ca-update/fix-launch-keystores.jar.ORIG
- Delete the original fix-launch-keystores.jar from the /var/netwitness/root-ca-update/ directory.
# rm /var/netwitness/root-ca-update/fix-launch-keystores.jar
- Unzip the downloaded fix-launch-keystores.zip.
# unzip fix-launch-keystores.zip
- Copy the unzipped fix-launch-keystores.jar into the /var/netwitness/root-ca-update/ directory, replacing the file deleted in the previous step:
# cp fix-launch-keystores.jar /var/netwitness/root-ca-update/fix-launch-keystores.jar
- Repeat the above steps until all NW Admin, ESA, and NW Endpoint Log Hybrids are updated with the replacement jar file.
- Once all required systems are updated, proceed to the Update the Certificates section below.
Update the Certificates
In the following procedure, you run a script that updates the Root CA and node certificates on the RSA NetWitness Server and the other hosts, then restarts the services. Before you run the script, you perform a precheck, which prints the validity and integrity of the certificates.
- Precheck: SSH to the RSA NetWitness (Admin) server and run the following precheck and save the output to a file:
# keytool -printcert -file /etc/rabbitmq/ssl/truststore.pem | grep -Ei "owner|valid" >> /var/log/netwitness/cert-renew-precheck.out
- Run the nw-root-ca-update script to clean up the Puppet CA in truststore.pem by running the following command:
# nw-root-ca-update --clean-imports
- Run the nw-root-ca-update script to create the CA certificate by running the following commands:
- To update the root CA certificate on the RSA NetWitness Server:
# nw-root-ca-update --renew-ca
- To synchronize the reissued root CA certificate with all the other RSA NetWitness hosts:
# nw-root-ca-update --synch-host --host-all
It may take a few minutes per host to complete. Until then, the hosts may show offline on the RSA NetWitness Platform user interface (Admin > Hosts). Estimate the required time to complete based on the size of your deployment and wait until the above-issued command completes.
You can use --synch-host with multiple variations. See the following options for examples.
Option 1: Run the --synch-host for a set of nodes to run in sequence mode.
nw-root-ca-update --synch-host --host-id <node-id1> --host-id <node-id2>
Option 2: Run the --synch-host for a set of nodes to run in parallel mode.
nw-root-ca-update --use-parallel --synch-host --host-id <node-id1> --host-id <node-id2>
The node-id of any host can be found in the /etc/salt/minion file or by running the upgrade-cli-client --list command on the RSA NetWitness Server.
- Verify the certificate expiration dates:
- After reissuing the certificates, run the certificate expiration test (ca-expire-test.sh) again on the RSA NetWitness Server.
- Verify that the RSA NetWitness Platform CA certificate expiration date has been extended by ten years.
- Verify that all your system services are running. In the RSA NetWitness Platform (Admin > Services), the status of all the services except WLC should show as running (green circle).
- Custom or ECAT feeds that are configured with HTTPS must be reconfigured. For additional details on how to configure them, see article 000029414 - Integrate ECAT Feed with RSA Security Analytics.
- If you run into any issues, check the troubleshooting section later in this document. If the issue is not addressed, contact RSA Customer Support.
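The precheck above leaves the Owner and Valid lines of truststore.pem in /var/log/netwitness/cert-renew-precheck.out. The following is an added example, not code from the RSA article, that parses that listing and a second one captured the same way after the update, so the ten-year extension can be verified against the file rather than by eye. It also flags any Puppet CA entry that survives --clean-imports, since the troubleshooting section shows that a lingering Puppet CA issuer breaks the ESA services. The subject names in the embedded sample listings are assumptions; the article does not print the real CA subjects.

```python
"""Verify the truststore.pem listing taken after nw-root-ca-update against the
precheck taken before it.

Added example, not code from the RSA article. Input is the output of
  keytool -printcert -file /etc/rabbitmq/ssl/truststore.pem | grep -Ei "owner|valid"
captured before and after the update. Sample data is constructed; the CA
subject names in it are assumptions.
"""
import sys
from datetime import datetime

# The article says the CA expiry is extended by ten years; accept anything that
# is at least roughly that far out (assumed tolerance, ~50 days short of 3650).
MIN_EXTENSION_DAYS = 3600

# Constructed sample listings (subject names are assumptions, see above).
PRECHECK = """\
Owner: CN=netwitness-ca, OU=NetWitness Platform, O=RSA
Valid from: Fri Aug 08 20:03:27 UTC 2008 until: Sat Aug 08 20:03:27 UTC 2020
Owner: CN=Puppet CA: f332065c-2fb2-4a24-9e59-f0781dda7fe1
Valid from: Thu Aug 07 20:00:00 UTC 2014 until: Thu Aug 08 20:00:00 UTC 2019
"""
POSTCHECK = """\
Owner: CN=netwitness-ca, OU=NetWitness Platform, O=RSA
Valid from: Wed Oct 16 14:05:31 UTC 2019 until: Tue Oct 16 14:05:31 UTC 2029
"""


def parse_java_date(text):
    """keytool prints java.util.Date.toString(): 'Wed Oct 16 14:05:31 UTC 2019'.
    The zone name is whatever the JVM uses and is not portable across locales,
    so it is dropped; all comparisons here are at day resolution."""
    _weekday, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_listing(text):
    """Return [(owner, valid_from, valid_until), ...] from the grepped listing."""
    entries, owner = [], None
    for line in text.splitlines():
        if line.startswith("Owner:"):
            owner = line[len("Owner:"):].strip()
        elif line.startswith("Valid from:") and owner is not None:
            start, _, end = line[len("Valid from:"):].strip().partition(" until: ")
            entries.append((owner, parse_java_date(start), parse_java_date(end)))
            owner = None
    return entries


def verify_renewal(post_text, now):
    """Classify every entry of the post-update listing: extended ~ten years out,
    not extended, already expired, or a Puppet CA that --clean-imports should
    have removed (a Puppet CA entry is also classified by its date)."""
    findings = {"extended": [], "not_extended": [], "expired": [], "puppet_ca_present": []}
    for owner, _start, until in parse_keytool_listing(post_text):
        if "Puppet CA" in owner:
            findings["puppet_ca_present"].append(owner)
        days = (until - now).days
        if days < 0:
            findings["expired"].append(owner)
        elif days >= MIN_EXTENSION_DAYS:
            findings["extended"].append(owner)
        else:
            findings["not_extended"].append(owner)
    return findings


def compare_listings(pre_text, post_text):
    """Days by which each owner's 'until' date moved between the two listings.
    Owners present only before the update (for example the Puppet CA) are omitted."""
    before = {o: until for o, _s, until in parse_keytool_listing(pre_text)}
    after = {o: until for o, _s, until in parse_keytool_listing(post_text)}
    return {o: (after[o] - before[o]).days for o in after if o in before}


def main(argv):
    pre = open(argv[0]).read()
    post = open(argv[1]).read()
    for owner, delta in compare_listings(pre, post).items():
        print(f"{owner}: 'until' moved by {delta} days")
    findings = verify_renewal(post, datetime.now())
    for key, owners in findings.items():
        print(f"{key}: {owners}")
    bad = findings["not_extended"] or findings["expired"] or findings["puppet_ca_present"]
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Capture the post-update listing into a separate file (the precheck command appends with >>, so re-running it would mix both listings in one file) and run python3 compare_truststore.py cert-renew-precheck.out cert-renew-postcheck.out. A non-zero exit means an entry is still short-dated, expired, or still issued by the Puppet CA, which is the condition the ESA troubleshooting entry below describes.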
Renew certificates (expired or not) for Windows Legacy Collector (WLC) hosts on RSA NetWitness 11.3.2 and earlier 11.x versions
Follow this procedure if you are on RSA NetWitness 11.3.2 or an earlier 11.x version.
Use the wlc-cert-renew-11.x.sh script to renew the Windows Legacy Collector certificates. This and dependent scripts are part of the .zip file that was downloaded and extracted on the RSA NetWitness Server (node-zero).
WLC Prerequisites
- Ensure all WLCs are running RSA NetWitness Platform version 11.1 or above.
- Ensure that the RSA NetWitness Platform 11.x root CA update has been completed for all non-WLC systems.
- The script prompts for the Security Server username and password. Enter the admin credentials for the RSA NetWitness Platform.
- Create a folder by running the following command and changing into it:
# mkdir /root/wlc-certreissue
# cd /root/wlc-certreissue
- From the location where the root-ca-update.zip was extracted, copy the following files to the /root/wlc-certreissue directory:
- 11.3-wlc-cli-client.sh
- wlc-cert-renew-11.x.sh
- update-WLC-truststore.bat
- Run the following command to make the scripts executable:
# chmod +x /root/wlc-certreissue/*.sh
- On the RSA NetWitness Server (node-zero), create a wlc-systems file. This is used to enter the details of the WLC being updated. The file should use the format of <wlc_ip_address>,<wlc_REST_admin_username>,<wlc_REST_admin_password>. For example,
10.1.10.231,admin,password1
Renewing certificates takes approximately five minutes per WLC. Create the wlc-systems file with one entry at a time and ensure that there are no spaces or blank lines in it. Because the file holds the WLC REST administrator password in clear text, restrict it to root (chmod 600) and delete it once the renewal is complete.
- There are manual steps that are needed on each Windows Legacy Collector system. Be prepared to log in to each WLC host using Windows Administrator credentials.
To renew the certificates for Windows Legacy Collector (WLC) hosts for RSA NetWitness 11.3.2 and earlier 11.x versions
Follow this procedure if you updated to RSA NetWitness 11.3.2 or earlier 11.x versions.
In a multi Windows Legacy Collector environment, this procedure must be repeated for each WLC. Perform this process on a single Windows Legacy Collector at a time.
- Check the certificate details. To view the details of the current certificate in use on the WLC, run the following command on the RSA NetWitness Server (node-zero):
# ./wlc-cert-renew-11.x.sh wlc-systems
- Renew the certificates. To renew the certificates for the configured WLC host, run the following command on the RSA NetWitness Server (node-zero):
# ./wlc-cert-renew-11.x.sh --renew wlc-systems
- If the certificates are successfully renewed, the following message is displayed. If they are not successful, see the troubleshooting section later in this document.
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Renew completed successfully for 2 of 2
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Done
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] --------------------------------------
Perform the next steps on the Windows Legacy Collector, making sure that the following steps are done only once per WLC:
- Log in to the WLC host using Windows administrator credentials.
- Copy the update-WLC-truststore.bat file (copied into /root/wlc-certreissue during the WLC Prerequisites) to a suitable directory on the WLC host.
- Start the command prompt and change to the directory where update-WLC-truststore.bat was copied.
- Run the update-WLC-truststore.bat file. It makes the needed changes and then stops and starts the RabbitMQ, NwLogCollector, and NwStatCollector services.
> update-WLC-truststore.bat
- In the RSA NetWitness Platform user interface, confirm that the WLC service status shows as running (green circle) and the shovel status is running (green circle). If not, see the WLC Troubleshooting in the Troubleshooting section later in this document.
Renew certificates (expired or not) for Windows Legacy Collector (WLC) hosts on RSA NetWitness 11.4 and later versions
Follow this procedure if you are on RSA NetWitness 11.4 or a later version.
Use the wlc-cert-renew-11.x.sh script to renew the Windows Legacy Collector certificates. This and dependent scripts are part of the RPM file that was downloaded and extracted on the RSA NetWitness Server (node-zero).
WLC Prerequisites
- Ensure all WLCs are running RSA NetWitness Platform 11.4 or above.
- Ensure that the RSA NetWitness Platform 11.x root CA update has been completed for all non-WLC systems.
- The script prompts for the Security Server username and password. Enter the admin credentials for the RSA NetWitness Platform.
- Change the directory to where the RPM was installed:
# cd /var/netwitness/root-ca-update/wlc
- Ensure that the following files, installed by the RPM, are present in that directory:
- wlc-cert-renew-11.x.sh
- update-WLC-truststore.bat
- On the RSA NetWitness Server (node-zero), create a wlc-systems file. This is used to enter the details of the WLC being updated. The file should use the format of <wlc_ip_address>,<wlc_REST_admin_username>,<wlc_REST_admin_password>. For example,
10.1.10.231,admin,password1
Renewing certificates takes approximately five minutes per collector. Create the wlc-systems file with one entry at a time and confirm that there are no spaces or blank lines in it. Because the file holds the WLC REST administrator password in clear text, restrict it to root (chmod 600) and delete it once the renewal is complete.
- There are manual steps that are needed on each Windows Legacy Collector system. Be prepared to log in to each WLC host using Windows Administrator credentials.
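Both WLC prerequisite sections (for 11.3.2 and earlier, and for 11.4 and later) require a wlc-systems file with exactly one <ip>,<user>,<password> entry and no spaces or blank lines; a file saved from a Windows editor with CRLF endings, or with a trailing blank line, is the usual way this goes wrong and costs a failed five-minute run. The following is an added example, not code from the RSA article or from the wlc-cert-renew-11.x.sh script, that checks a wlc-systems file for those mistakes before you run the renewal. It assumes the file is kept with 0600 permissions, which the article does not require but which is appropriate for a file containing an administrator password.

```python
"""Validate a wlc-systems file before running wlc-cert-renew-11.x.sh.

Added example, not part of the RSA article or of its scripts. The expected
format is the one the article gives: <wlc_ip_address>,<wlc_REST_admin_username>,
<wlc_REST_admin_password>, one collector at a time, no spaces or blank lines.
The 0600 permission check is an assumption of this script, not an article rule.
"""
import ipaddress
import os
import stat
import sys


def validate_wlc_systems(text):
    """Return a list of problems found in the file contents; an empty list means OK."""
    problems = []
    if "\r" in text:
        problems.append("file contains carriage returns (saved with Windows line endings)")
    lines = text.split("\n")
    if text.endswith("\n"):          # a single terminating newline is fine
        lines = lines[:-1]
    entries = 0
    for n, line in enumerate(lines, 1):
        if line.strip() == "":
            problems.append(f"line {n}: blank line")
            continue
        if line != line.strip() or " " in line or "\t" in line:
            problems.append(f"line {n}: contains whitespace")
        fields = line.strip().split(",")
        if len(fields) != 3:
            # A password containing a comma cannot be expressed in this format.
            problems.append(f"line {n}: expected <ip>,<user>,<password>, got {len(fields)} fields")
            continue
        ip, user, password = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"line {n}: {ip!r} is not an IP address")
        if not user or not password:
            problems.append(f"line {n}: empty username or password")
        entries += 1
    if entries == 0:
        problems.append("no WLC entry found")
    elif entries > 1:
        problems.append(f"{entries} entries found; renew one collector at a time")
    return problems


def check_file(path):
    """Validate contents and, because the file holds a password, its permissions."""
    with open(path, newline="") as fh:      # newline="" keeps any \r visible
        problems = validate_wlc_systems(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"{path} is readable by group/other (mode {mode:o}); chmod 600 it")
    return problems


if __name__ == "__main__":
    found = check_file(sys.argv[1] if len(sys.argv) > 1 else "wlc-systems")
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it from the directory that holds the file (python3 check_wlc_systems.py wlc-systems) immediately before ./wlc-cert-renew-11.x.sh wlc-systems; fix every reported problem first, since the renewal script is not described as validating the file itself.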
To renew the certificates for Windows Legacy Collector (WLC) hosts for RSA NetWitness 11.4 and later versions
Follow this procedure if you updated to 11.4 or later versions.
In a multi Windows Legacy Collector environment, this procedure must be repeated for each one. Perform the process only on a single Windows Legacy Collector at a time.
- Check the certificate details. To view the details of the current certificate in use on the WLC, run the following command on the RSA NetWitness Server (node-zero):
# ./wlc-cert-renew-11.x.sh wlc-systems
- Renew the certificates. To renew the certificates for the configured WLC host, run the following command on the RSA NetWitness Server (node-zero):
# ./wlc-cert-renew-11.x.sh --renew wlc-systems
- If the certificates are successfully renewed, the following message is displayed. If they are not successful, see the troubleshooting section later in this document.
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] ---------------------------------------
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Renew completed successfully for 2 of 2
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] Done
Wed Oct 14 11:23:47 UTC 2026: WLC_CERT_RENEW: [INFO] --------------------------------------
The next steps are performed on the Windows Legacy Collector. Perform the following manual steps only once per WLC:
- Log in to the WLC host using Windows administrator credentials.
- Copy the update-WLC-truststore.bat file (from /var/netwitness/root-ca-update/wlc, see the WLC Prerequisites) to a suitable directory on the WLC host.
- Start the command prompt and change to the directory where update-WLC-truststore.bat was copied.
- Run the update-WLC-truststore.bat file. It makes the needed changes and then stops and starts the RabbitMQ, NwLogCollector, and NwStatCollector services.
> update-WLC-truststore.bat
- In the RSA NetWitness Platform user interface, confirm that the WLC service status shows as running (green circle) and the shovel status is running (green circle). If not, see WLC Troubleshooting in the Troubleshooting section later in this document.
Troubleshooting Information
If you have any issues, look at the following log files to try to determine the root cause:
- /var/log/netwitness/root-ca-update/netwitness-key-repair.log
- /var/log/netwitness/root-ca-update/update.log
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Issue: An error like the one below is seen when running nw-root-ca-update --synch-host --host-all:
ba914d35-5edd-47a8-93a9-1d9c5f3437f6:
Minion did not return. [Not connected]
Verifying : rsa-nw-root-ca-update-1.0.2.1-1910160114.1.71403e6.el7.noarch
Resolution:
- Determine which host owns the salt minion ID that failed by running upgrade-cli-client -l | grep <minion id that failed> on the RSA NetWitness Server:
# upgrade-cli-client -l | grep ba914d35-5edd-47a8-93a9-1d9c5f3437f6
Host: ID=ba914d35-5edd-47a8-93a9-1d9c5f3437f6, ADDR=10.1.11.12, NAME=upgradeesa-up, VERSION=11.2.0.0
- Take the host IP address from that output (10.1.11.12 in the example above) and check whether the node is up, either in the RSA NetWitness Platform user interface or by connecting to it over SSH from the RSA NetWitness Server.
- If the host is reachable, ensure that the salt-minion service is running on it:
# service salt-minion status
- If the grep above returns nothing, the minion ID most likely belongs to a host that was previously orchestrated and then removed, and the error can be safely ignored.
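With --host-all across a large deployment, several minions can fail in one run. The following is an added example, not code from the RSA article, that applies the resolution steps above to the whole output at once: it extracts every minion ID that did not return, looks each one up in the output of upgrade-cli-client -l, separates hosts that need a salt-minion check from IDs that belong to nothing (most likely removed hosts), and builds the per-host re-sync command using the Option 1 syntax documented under Update the Certificates. The sample outputs embedded below are constructed; the second minion ID and the second host line are made up for the example.

```python
"""Triage 'Minion did not return' errors from nw-root-ca-update --synch-host --host-all.

Added example, not code from the RSA article. Inputs are the saved output of
the --synch-host run and the output of 'upgrade-cli-client -l' on the
RSA NetWitness Server. Sample data below is constructed.
"""
import re
import sys

# Salt prints the minion ID on its own line followed by the indented error.
FAILED_RE = re.compile(r"^(?P<id>[0-9a-f-]{36}):\n\s+Minion did not return", re.MULTILINE)
# Line format shown by the article for upgrade-cli-client -l.
HOST_RE = re.compile(
    r"Host: ID=(?P<id>[^,]+), ADDR=(?P<addr>[^,]+), NAME=(?P<name>[^,]+), VERSION=(?P<version>\S+)")

# Constructed sample: the first ID and host line are the ones the article shows,
# the second ID and host line are invented for the example.
SYNC_OUTPUT = """\
ba914d35-5edd-47a8-93a9-1d9c5f3437f6:
    Minion did not return. [Not connected]
0d3f9a60-1b5e-4a9d-8c1e-2f7b3c4d5e6f:
    Minion did not return. [Not connected]
"""
CLI_OUTPUT = """\
Host: ID=ba914d35-5edd-47a8-93a9-1d9c5f3437f6, ADDR=10.1.11.12, NAME=upgradeesa-up, VERSION=11.2.0.0
Host: ID=3c4e1a7b-9d2f-4e6a-b5c8-0f1e2d3c4b5a, ADDR=10.1.11.10, NAME=nwserver, VERSION=11.2.0.0
"""


def failed_minions(sync_output):
    """Minion IDs that reported 'Minion did not return', in order of appearance."""
    return FAILED_RE.findall(sync_output)


def parse_host_list(cli_output):
    """Map minion ID to the host details printed by upgrade-cli-client -l."""
    return {m["id"]: {"addr": m["addr"], "name": m["name"], "version": m["version"]}
            for m in HOST_RE.finditer(cli_output)}


def triage(sync_output, cli_output):
    """One row per failed minion: 'check-host' when it maps to a listed host,
    'ignore' when upgrade-cli-client -l does not know it (likely a removed host)."""
    hosts = parse_host_list(cli_output)
    rows = []
    for minion_id in failed_minions(sync_output):
        if minion_id in hosts:
            h = hosts[minion_id]
            rows.append({"id": minion_id, "action": "check-host",
                         "detail": f"{h['addr']} ({h['name']}, {h['version']}): "
                                   "verify the host is up and salt-minion is running, then re-sync"})
        else:
            rows.append({"id": minion_id, "action": "ignore",
                         "detail": "not listed by upgrade-cli-client -l; "
                                   "most likely a host that was orchestrated and later removed"})
    return rows


def resync_command(rows):
    """Sequential per-host re-run (the article's Option 1) for the hosts that need it."""
    ids = [r["id"] for r in rows if r["action"] == "check-host"]
    if not ids:
        return None
    return "nw-root-ca-update --synch-host " + " ".join(f"--host-id {i}" for i in ids)


def main(argv):
    if len(argv) == 2:
        sync_output, cli_output = open(argv[0]).read(), open(argv[1]).read()
    else:
        sync_output, cli_output = SYNC_OUTPUT, CLI_OUTPUT     # demo on the sample data
    rows = triage(sync_output, cli_output)
    for r in rows:
        print(f"{r['id']}  {r['action']:10s}  {r['detail']}")
    cmd = resync_command(rows)
    print("re-sync after fixing salt-minion:", cmd or "nothing to re-sync")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Save the --synch-host output to a file (for example by re-running it with | tee synch.log) and the host list with upgrade-cli-client -l > hosts.txt, then run python3 triage_minions.py synch.log hosts.txt. Fix salt-minion on every "check-host" row before running the printed re-sync command; the "ignore" rows need no action.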
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Issue: Error messages like the ones that are listed below are seen while installing the rsa-nw-root-ca-update RPM:
mkdir: cannot create directory '/var/log/netwitness/root-ca-update': No space left on device
ERROR: Minions returned with non-zero exit code
[2019-10-11T17:57:13+00:00] <25809> (WARN) Failed to complete setup on one or more component hosts!
[2019-10-11T17:57:13+00:00] <25809> (WARN) Please rerun --post-install once failed node(s) are healthy...
Resolution: Address the issue that is mentioned in the error message and run the following command to finish the certificate update:
# nw-root-ca-update --post-install
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
This issue and resolution apply only to the Event Stream Analysis server.
Issue: The ESA Correlation, ESA Analytics, or Context Hub services do not come up after the root CA update. An error message similar to the example appears in the service log:
2019-10-10 15:41:32,793 [main] WARN Security|Certificate for CN=f332065c-2fb2-4a24-9e59-f0781dda7fe1,
OU=NetWitness Platform,O=RSA,L=Reston,ST=VA,C=US issued by CN=Puppet CA: f332065c-2fb2-4a24-9e59-f0781dda7fe1
is not trusted
Resolution: On the ESA host where the service is installed, run java -Dre-construct-keystore=true -Dservices=<servicename-server> -jar /var/netwitness/download/root-ca-update/fix-launch-keystores.jar from an SSH terminal, where <servicename-server> is contexthub-server, esa-analytics-server, or correlation-server. For example:
# java -Dre-construct-keystore=true -Dservices=esa-analytics-server -jar /var/netwitness/download/root-ca-update/fix-launch-keystores.jar
Do not use this command for any service other than the three named here (esa-analytics-server, correlation-server, contexthub-server).
----------------------------------------------------------------------------------------------------------------------------------------------------------------------
This issue and resolution apply only to Windows Legacy Collectors.
Issue: Windows Legacy Collector Troubleshooting
Resolution: Review the following items to help with troubleshooting WLC issues.
- After completing the steps to renew certificates for WLC hosts, if shovel issues persist, ensure that the RabbitMQ, NwLogCollector, and NwStatCollector services are running on the WLC host.
- In the user interface, if the shovel is still in an error state (red circle), edit the shovel and save it without making changes.
- If the Health & Wellness statistics for the WLC do not appear, restart RabbitMQ and NwStatCollector on the WLC host.