IBM Verify

  • 1.  Keeping SSL certificates updated

    Posted Wed August 05, 2020 10:27 AM
    What are you all doing to keep your certificate databases updated with the latest CAs? Often I'm having to add a new CA when a third party that I have a WebSEAL junction pointing to updates its certificate, signed by a CA that's not in my cert database.

    Thanks,
    Scott

    ------------------------------
    Scott Reichardt
    9.0.7.1
    ------------------------------


  • 2.  RE: Keeping SSL certificates updated

    Posted Thu August 06, 2020 04:50 AM
    Hi Scott,

    In general, you'd want to be careful about any automated solution to adding CA certificates because those certificates are the basis of all communication trust in the system.  However, I certainly understand the frustration of having to maintain these certificates as it seems sites change their certificates (and switch CA) a lot more frequently than they used to.

    If you had some trusted source of root CA certificates, I suppose you could write some scripts against the appliance REST API to update the CA certificates in the Reverse Proxy store(s).

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
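A worked illustration of the scripting Jon describes, added here as an example and not code from the original thread or from IBM: a planner that trusts only a PEM bundle whose hash an operator has reviewed and pinned, compares that bundle by SHA-256 fingerprint against what the Reverse Proxy signer store already holds, and plans imports only (never deletions). The sample bundle is constructed from placeholder bytes, not real certificates; the certificate database name `pdsrv`, the fingerprint field assumed in the signer list, and the LMI REST paths in the module docstring are assumptions to confirm against the API reference for your firmware level before sending anything.

```python
"""Plan a signer (CA) certificate sync for a WebSEAL Reverse Proxy certificate
database from a reviewed, pinned PEM bundle.

Added example, not IBM's code. Only the offline planning runs here; the REST
paths below are assumptions to check against the LMI API reference:
  GET  /isam/ssl_certificates/{db}/signer_cert   list signer certs (fingerprints)
  POST /isam/ssl_certificates/{db}/signer_cert   import one (multipart field 'cert')
  PUT  /isam/pending_changes/deploy              deploy the pending change
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text):
    """Return [(sha256_hex_of_DER, pem_block), ...] in bundle order."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", match.group(1)))
        certs.append((hashlib.sha256(der).hexdigest(), match.group(0)))
    return certs


def verify_bundle(text, pinned_sha256):
    """Refuse any bundle whose hash differs from the operator-reviewed pin."""
    actual = hashlib.sha256(text.encode("utf-8")).hexdigest()
    if actual != pinned_sha256.lower():
        raise ValueError("bundle hash %s != pinned %s" % (actual, pinned_sha256))
    return actual


def normalize_fingerprint(fp):
    """'AB:CD:..', 'ab cd ..' and 'ABCD..' all compare as lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def plan_imports(bundle_certs, existing_fingerprints):
    """Bundle certs the store lacks. Additions only: a bad bundle can at worst
    add trust it should not, never silently strip trust already configured."""
    existing = {normalize_fingerprint(fp) for fp in existing_fingerprints}
    return [(fp, pem) for fp, pem in bundle_certs if fp not in existing]


def build_requests(cert_db, plan):
    """REST calls to make, one import per cert then a deploy; nothing is sent."""
    reqs = []
    for fp, pem in plan:
        reqs.append({
            "method": "POST",
            "path": "/isam/ssl_certificates/%s/signer_cert" % cert_db,
            "files": {"cert": ("ca-%s.pem" % fp[:16], pem)},
        })
    if reqs:
        reqs.append({"method": "PUT", "path": "/isam/pending_changes/deploy"})
    return reqs


def _fake_pem(payload):
    """Constructed stand-in: base64 of arbitrary bytes, NOT a real certificate."""
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % base64.b64encode(payload).decode())


# Constructed sample bundle with two placeholder "certificates".
SAMPLE_BUNDLE = (_fake_pem(b"constructed placeholder DER #1")
                 + _fake_pem(b"constructed placeholder DER #2"))
# In practice the pin is recorded in change control when the bundle is reviewed;
# computing it here only makes the sample self-contained.
SAMPLE_PIN = hashlib.sha256(SAMPLE_BUNDLE.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    verify_bundle(SAMPLE_BUNDLE, SAMPLE_PIN)
    certs = parse_pem_bundle(SAMPLE_BUNDLE)
    # Pretend the pdsrv store already lists cert #1 (colon-separated, uppercase,
    # as a fingerprint field from the GET response might present it).
    already = [":".join(certs[0][0][i:i + 2] for i in range(0, 64, 2)).upper()]
    for req in build_requests("pdsrv", plan_imports(certs, already)):
        print(req["method"], req["path"])
```

Wiring the real calls in means fetching the signer list, feeding its fingerprints to `plan_imports`, and sending each planned request with the appliance admin credentials; keep the bundle pin and the credentials out of the script itself, since the script is exactly the sensitive piece Jon warns about.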



  • 3.  RE: Keeping SSL certificates updated

    Posted Thu August 06, 2020 10:28 AM
    Great points. Thank you.

    ------------------------------
    Scott Reichardt
    ------------------------------



  • 4.  RE: Keeping SSL certificates updated

    Posted Thu August 06, 2020 10:11 AM
    In addition to CA management, I would like to point out that all of certificate management is painful.
    I think you're aware that the validity period will soon become 398 days (read this article as an example on this topic: https://www.thesslstore.com/blog/ssl-certificate-validity-will-be-limited-to-one-year-by-apples-safari-browser/ ).
    This will imply a lot more activity in certificate management.
    It would be nice to have ISAM support subsequent versions of the same label, or to have details on where in the configuration a cert is used.
    This implies a lot of redesign of current infrastructure and processes. As Jon mentioned, scripting in this area is really sensitive and should only be done when you know what you're doing (and how you secure the scripts).

    ------------------------------
    Emmanuel Fauconnier
    ------------------------------



  • 5.  RE: Keeping SSL certificates updated

    Posted Fri August 07, 2020 07:51 AM
    For Docker it would be nice to have the key database as Kubernetes secrets, so we could utilize projects like cert-manager:
    https://github.com/jetstack/cert-manager

    ------------------------------
    Øyvind Bergerud
    ------------------------------