Overview

With UMS 6.06 or higher, you can exchange the root certificate for an ICG without the need to manually reregister the connected devices. However, there will be a short interruption as the devices reconnect to switch over to the new certificate.

Environment

  • ICG 2.02 or higher
  • UMS 6.06 or higher
  • IGEL OS 11.04.240 or higher is installed on the devices, or the upload source is available and configured on the devices. For details, see Firmware Update.

Use Cases

  • The root certificate is about to expire.
  • You want to change the public CA.
  • New security rules must be implemented, or algorithms are outdated.

Instructions

The procedure includes the following steps:

  1. Choosing the Desired End Certificate
  2. Updating the Devices (where necessary)
  3. Restarting the Devices
  4. Updating the Keystore

Choosing the Desired End Certificate

  1. In the UMS Console, go to UMS Administration > UMS Network > IGEL Cloud Gateway.
  2. Select the ICG for which you want to exchange the root certificate.
  3. Click  to open the Update Keystore dialog.
  4. Under Select certificate, select the certificate you want to use in the future, and click Next.
  5. Review the Affected Devices dialog.

    Choose the appropriate method according to the displayed numbers:

    Devices without the new necessary certificates ([number])Devices without the required feature ([number])If the 1st and 2nd Columns Are True, Continue with...
     1 1Updating the Devices
    ≥ 10Restarting the Devices

Updating the Devices

The devices listed at Devices without the required feature do not have the capability to exchange the ICG certificate and must be updated to IGEL OS 11.04.240 or higher.

To update these devices:

  1. Click Show devices
  2. In the confirmation dialog, click Yes to create a view that collects the devices that need to be updated.
  3. In the Create new View dialog, review the prefilled name and description, and click Ok.

    The view is created, and the UMS Console switches to the newly created view. We will assign this view to a scheduled job that will update the devices at a defined time.
  4. Go to Jobs, open the context menu, and select New Scheduled Job
  5. In the New Scheduled Job window, change the settings as follows and click Next:
    • Name: A name for the job
    • Command: Select "Update".
    • Execution time: Select the time at which the update should take place.
  6. In the next step, leave the settings as they are and click Next.
  7. Assign the view created beforehand to the job and click Finish.
  8. Make sure that IGEL OS 11.04.240 is available and the upload source is available and configured on the devices; for details, see Firmware Update.
    The firmware will be updated at the specified time. 
  9. When the devices are updated, continue with Restarting the Devices.

Restarting the Devices

When the devices are updated, they have the feature required to receive the new ICG root certificate. They will receive the new root certificate on reboot, for which we will create a scheduled job.

  1. If you have not already created a view (see Updating the Devices), click Show devices. If the view already exists, continue with step 4.
  2. In the confirmation dialog, click Yes to create a view that collects the affected devices.
  3. In the Create new View dialog, review the prefilled name and description, and click Ok.

    The view is created, and the UMS Console switches to the newly created view. We will assign this view to a scheduled job that will restart the devices collected in this view at a defined time.
  4. Go to Jobs, open the context menu, and select New Scheduled Job.
  5. In the New Scheduled Job window, change the settings as follows and click Next:
    • Name: A name for the job
    • Command: Select "Reboot"
    • Execution time: Select the time at which the restart should take place.
  6. In the next step, leave the settings as they are and click Next.
  7. Assign the view created beforehand to the job and click Finish.

    On reboot, the devices will receive all ICG certificates from the UMS; afterward, they are ready to switch to the new certificate.
  8. Continue with Updating the Keystore.

Updating the Keystore

  1. To check if the devices are ready, go back to UMS Administration > UMS Network > IGEL Cloud Gateway, click  to open the Update Keystore dialog, select the new certificate, click Next and look at the displayed numbers. If the output looks like this, click Next.

    If the following warning message appears, you should check if all devices have been updated successfully. If you click Yes to continue, those devices which do not have the required feature (firmware) or certificate may no longer be reachable via ICG.
  2. Enter the password for the SSH user that exists at the ICG server. This is the same password that has been used for installing ICG. Afterward, click Next.

    The keystore is updated.
  3. If everything went well, a success message appears. Click Finish.