Error: "legacy ICG Root (CA) certificate" When Updating to IGEL OS 11.04 on Devices Connected via ICG
Possible Problem
If you update to IGEL OS 11.04 or higher, devices might fail to connect to the ICG afterward because the CA root certificate does not have the CA flag (i.e. the X509v3 Basic Constraints extension has "is_ca" set to "false"). This is the case when the certificate has been created with UMS 5.07 or UMS 5.08.
Environment
- UMS 5.07 or higher (update to UMS 6.06 or higher will be required if not already present)
- ICG with older root certificates that have been created with UMS 5.07 or UMS 5.08
Diagnosis
- Open the UMS Console, go to UMS Administration > Global Configuration > Cloud Gateway Configuration (UMS 5.07 to UMS 6.05) or UMS Administration > Global Configuration > Certificate Management > Cloud Gateway (UMS 6.06 or higher) and select your ICG root certificate.
- Click to review the content of the certificate.
- If Certificate Authority: is false, find further instructions under Solution.
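The same CA flag can be read outside the UMS Console with the openssl command line, assuming the ICG root certificate is available as a PEM file. This is an added example, not IGEL tooling; the function names `ca_flag` and `make_sample_cert` and both sample certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read the X509v3 Basic Constraints CA flag with the openssl CLI.

# Prints CA:TRUE, CA:FALSE, ABSENT or UNREADABLE; returns 0 only for CA:TRUE.
ca_flag() {
    local cert="$1" text line
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "UNREADABLE"; return 2; }
    # openssl prints the value on the line after the extension name.
    line=$(printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | tail -n 1)
    case "$line" in
        *CA:TRUE*)  echo "CA:TRUE";  return 0 ;;
        *CA:FALSE*) echo "CA:FALSE"; return 1 ;;
        *)          echo "ABSENT";   return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate whose
# basicConstraints value is $3, written to $1/$2.pem.
make_sample_cert() {
    local dir="$1" name="$2" bc="$3"
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = constructed-$name
[ext]
basicConstraints = $bc
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" -keyout "$dir/$name.key" \
        -out "$dir/$name.pem" 2>/dev/null
}

# Demo: one root without the CA flag (the failing case) and one with it.
tmp=$(mktemp -d)
make_sample_cert "$tmp" legacy-root "critical,CA:FALSE"
make_sample_cert "$tmp" new-root "critical,CA:TRUE"
for c in legacy-root new-root; do
    printf '%s: %s\n' "$c" "$(ca_flag "$tmp/$c.pem")"
done
rm -rf "$tmp"
```

A result of `CA:FALSE` for the ICG root certificate corresponds to "Certificate Authority: false" in the UMS Console.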
Solution
- Request IGEL OS 11.04.221DER from the IGEL Support team.
- Update your devices to IGEL OS 11.04.221DER.
- Update your UMS to version 6.06.100, if you have not already done so.
- Exchange the root certificate for the ICG connection; see Exchanging the Root Certificate for ICG.
- Update your devices to IGEL OS 11.04.240 or higher.