Reissue Certificates

Introduction

For a secure deployment, NetWitness installs internal NetWitness-issued certificates, such as the CA certificate and the service certificates.

The validity periods for NetWitness certificates are as follows:

  • CA root certificate for 11.x deployment is valid for 10 years

  • CA root certificate for 10.6.x deployment is valid for 5 years

  • Service certificates are valid for 1000 days

    Note: The certificate expiration warning is triggered 30 days prior to expiration.

When these certificates are about to expire or have expired, you must renew and reissue the certificates as soon as possible to avoid any issues with your NetWitness deployment.

Note: You can view the expiration details by executing the ca-expire-test-sh script on the NetWitness Server. For more information, and to download the script, see Reissue root CA security certificates on NetWitness Platform 11.x.
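As an added example (not NetWitness's ca-expire-test-sh script and not code from this page), the following POSIX shell functions apply the 30-day warning window described above to any PEM-encoded certificate using the openssl command-line tool. The openssl dependency and the certificate file paths are assumptions: the page does not give the Linux-side locations of the NetWitness certificates, so paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not NetWitness code: report how close X.509 PEM certificates
# are to expiry, using the 30-day warning window the documentation describes.
# Assumes the openssl command-line tool is installed. Certificate paths are
# supplied as arguments because the page gives no Linux-side locations.

WARN_DAYS=30   # the expiration warning is triggered 30 days before expiry

# cert_expiry_status <pem-file> [warn-days]
# Prints OK, WARN or EXPIRED and returns 0, 1 or 2 respectively.
cert_expiry_status() {
    pem="$1"
    warn_days="${2:-$WARN_DAYS}"
    # 'openssl x509 -checkend N' succeeds only if the certificate is still
    # valid N seconds from now; N=0 therefore means "not yet expired".
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
        return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo WARN
        return 1
    fi
    echo OK
    return 0
}

# cert_not_after <pem-file>: print the notAfter date as openssl renders it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# check_certs <pem-file>...: one status line per file.
# Returns 1 if any certificate is expired or inside the warning window,
# so the function can drive a monitoring job or a pre-reissue check.
check_certs() {
    rc=0
    for f in "$@"; do
        status=$(cert_expiry_status "$f") || rc=1
        printf '%-8s %s  (notAfter %s)\n' "$status" "$f" "$(cert_not_after "$f")"
    done
    return $rc
}

# Stand-alone use: sh check-cert-expiry.sh /path/to/*.pem
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

The functions only read certificates; they never modify or reissue anything. The non-zero return from check_certs is the useful part for operations: a scheduled job can run it against the CA and service certificates and raise an alert while the 30-day window is still open, rather than discovering the expiry from a failing deployment.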

CA Certificate Reissue

To renew the CA certificates, do the following:

Note: If you have Windows Legacy Collectors (WLC) in your deployment, renew the CA certificate of the WLC after renewing the CA certificate of the NetWitness Admin Server.

Service Certificate Reissue

To renew the Service certificates, do the following:

  • If your hosts are on NetWitness Platform 11.3 or later, you must use the cert-reissue script. For more information, see Reissuing Service Certificate.
  • If your hosts are on 11.1.x or 11.2.x, you must upgrade the NetWitness Platform to 11.3 or later and run the cert-reissue script.

Note: If a host is decommissioned, or you plan to remove it, do not renew the certificate for that host.

Reissuing Service Certificate

You can reissue service certificates in the following two ways.

  • All at once
    Reboot NW Server host after the cert-reissue --host-all command completes.
  • One at a time
    Reissue the NW Server host certificates first, restart the host, then reissue each component host.

IMPORTANT: If you are reissuing certificates for each host individually (one at a time), you must reissue the certificate for the NW Server host before you can reissue certificates for any other host.

When to Use the --host-all Argument

Use the cert-reissue --host-all command string if you have a large number of hosts. Make sure that:

  • All your hosts are running 11.3.0.0 or later.
  • All your hosts are online.
  • The NW Server host run time services are running.

cert-reissue Arguments and Options for All Hosts

The following table lists the argument you can use to reissue certificates for all hosts at one time. See Troubleshooting Cert-Reissue Command for additional options you can use with Customer Support to troubleshoot errors.

Argument      Description

--host-all    Reissues certificates for all hosts at one time, applying system health checks and restarting services.

Note: If even one host is not online, this command fails. If you have numerous hosts in your deployment, make sure that all hosts are up and running.

Caution: Make sure you do not run this argument on a node or host that you plan to remove or decommission.

When to Use the Individual Host Argument (--host-key <ID, IP, hostname or display name of host>)

The cert-reissue --host-key <ID, IP, hostname or display name of host> command reissues a certificate for an individual host. You may want to reissue certificates for an individual host if you have a small number of hosts.

Make sure that:

  • Each host is running 11.3.0.0 or later.
  • Each host is online.
  • The NW Server host run time services are running.
  • You reissue certificates for the NW Server host first.

Note: You must run the command for the NW Server host first and reboot that host before you run the command for each component host.

Reissuing Certificates for All Hosts Except Windows Legacy Collection (WLC) host

Use the cert-reissue command to reissue certificates for all hosts except the WLC host with the following procedures.

Running the Cert-Reissue Command for All Hosts

  1. SSH to the NW Server host.
  2. Submit the appropriate command string.
    cert-reissue --host-all

Running the Cert-Reissue Command for an Individual Host

  1. SSH to the NW Server host.
  2. Submit the appropriate command string:
    cert-reissue --host-key <ID, IP, hostname or display name of host>

Reissuing Certificates for a WLC Host

You must use the wlc-cli-client utility to reissue certificates for a WLC host (you cannot use the cert-reissue command). You also need to specify a number of WLC identification parameters with this utility.

Note: The certificates for a Windows Legacy Server host are stored in the following files on the host:
C:\ProgramData\netwitness\ng\logcollector_cert.pem
C:\ProgramData\netwitness\ng\logcollector_dh2048.pem
The validity period of WLC certificates can range from 2 to 20 years. If you rename or remove the files and restart the NwLogCollector service, NetWitness regenerates them.
/ssl/truststore.pem is no longer used in 11.x.
Every reissue of a certificate on the Windows Legacy server creates a new private key.

To reissue certificates on a WLC host:

  1. SSH to the NW Server host.
  2. Submit the following command string.
    wlc-cli-client --cert-renew --host 10.129.43.13 --port 50101 --use-ssl false --username <nwadmin service account> --password <'nwadmin service account password'> --ss-username <deploy_admin> --ss-password <'deploy_admin password'>

    Note: nwadmin service account is the WLC REST UI user and 'nwadmin service account password' is the WLC REST UI password.

Successful Reissue Summary Report

When you run cert-reissue --host-all, the following summary report is displayed if all hosts are online, all run time services are running, and all hosts are on version 11.4.0.0 or higher.

(Screenshot: successful reissue summary report, netwitness_successfulreissue.png)

Unsuccessful Reissue Summary Reports

You must contact Customer Support (https://community.netwitness.com/t5/support-information/how-to-contact-netwitness-support/ta-p/563897) to troubleshoot problems. You know there is a problem if any <host-id> does not return a Success status; Success indicates that certificates were reissued for that host. The following examples illustrate unsuccessful reissues.

Reissue Failed for Host and Aborted Command

The following three examples illustrate the failure of certificate reissuing for any hosts.

(Screenshot: reissue failed for host and command aborted, netwitness_reissuecert-ts1.png)

(Screenshot: reissue failed for host and command aborted, netwitness_reissuecert-ts2.png)

Reissue Certificate Partially Executed

The NW Server host certificates were reissued, but the reissued certificates could not be properly distributed to one or more component hosts.

(Screenshot: reissue certificate partially executed, netwitness_reissuecert-ts3.png)