Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  self-signed certificate expired on Gateway

    Posted 03-21-2024 10:03

    We have received "SSL Certificate Expiry" on Gateway in the vulnerability assessment results.

    Please advise the process to renew the default SSL Certificate on Gateway. Thanks in advance.

    Severity Plugin Name Protocol Port Plugin Output Synopsis Solution
    Medium SSL Certificate Expiry TCP 443 Plugin Output:
    The SSL certificate has already expired :
    The remote server's SSL certificate has already expired. Purchase or generate a new SSL certificate to replace the existing one.

    #DatabaseActivityMonitoring

    ------------------------------
    Rakesh Chinta
    Senior Cyber Security Consultant
    Singapore
    ------------------------------


  • 2.  RE: self-signed certificate expired on Gateway

    Posted 03-21-2024 10:08

    Hi Rakesh

    You will unregister and register the gateway

    And the certificate renew automatically



    ------------------------------
    Alejandro Hernandez
    Consultant and Trainer
    Soluciones Integrales en Capacitacion SA de CV (SICAP)
    Mexico D.F
    ------------------------------



  • 3.  RE: self-signed certificate expired on Gateway

    Posted 03-21-2024 10:27

    Thanks,

    Could you please share steps if possible. 



    ------------------------------
    Rakesh Chinta
    Senior Cyber Security Consultant
    Singapore
    ------------------------------



  • 4.  RE: self-signed certificate expired on Gateway

    Posted 03-21-2024 12:10

    You need to connect to GW via SSH

    use impcfg

    Manage SecureSphere Gateway > Unregister gateway

    Manage SecureSphere Gateway > Register gateway

    Manage SecureSphere Gateway > Start Gateway



    ------------------------------
    Alejandro Hernandez
    Consultant and Trainer
    Soluciones Integrales en Capacitacion SA de CV (SICAP)
    Mexico D.F
    ------------------------------



  • 5.  RE: self-signed certificate expired on Gateway
    Best Answer

    Posted 03-21-2024 23:00

    Hello Rakesh,

    Thank you for your post, please refer to the following steps to un-register and register back the gateway to MX.

    ·        Go to GW CLI and run the following commands:

    impctl gateway stop

    impctl gateway unregister

    impctl gateway register

    impctl gateway start

    ·        Verify with your browser or using this command: openssl s_client -connect <GW-IP>:443 | openssl x509 -noout -dates



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 6.  RE: self-signed certificate expired on Gateway

    Posted 03-21-2024 23:53

    Thanks Syed for the great information. 

    Kindly help to advise on below. Appreciate your response. 

    1- May I know the steps you provided work for all types of deployments or any deviations, example ->

       a) if GWs are in HA

       b) if GWs are in cluster 

    2- so every time when GW cert is about to expire do we need to perform the same steps to renew cert in GW? 

    impctl gateway stop

    impctl gateway unregister

    impctl gateway register

    impctl gateway start

    3-After every patch, upgrade, does the GW cert auto renew?



    ------------------------------
    Rakesh Chinta
    Senior Cyber Security Consultant
    Singapore
    ------------------------------



  • 7.  RE: self-signed certificate expired on Gateway

    Posted 03-24-2024 01:14

    Hello Rakes,

    Yes same process for HA and cluster, it will failover(services) when we restart one of the gateway and yes when you upgrade the certificate will update automatically for default certificates.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------



  • 8.  RE: self-signed certificate expired on Gateway

    Posted 04-01-2024 11:43

    Hi Syed,

    Are these steps included in the official Knowledge Base documentation? 



    ------------------------------
    Kovit Thakral
    Solution Consoltant
    Transition Systems & Networks (Thailand) Co. Ltd
    Phasi Charoen
    ------------------------------



  • 9.  RE: self-signed certificate expired on Gateway

    Posted 04-02-2024 19:52

    Hello Kovit,

    Not exactly for this requirement.



    ------------------------------
    Syed Noor Fazal
    Product Support Engineer
    ------------------------------