Our ICG certificate expires tomorrow and the root/intermediate has to be changed as part of the renewal. I’ve just run through the instructions on updating the keystore and it’s ready to change to the new certificate. I’ve got about 100 clients that use the ICG but don’t yet have the new certificate so if I were to cut over I guess they would no longer be manageable? If that’s the case are they able to still connect if I leave the old certificate in place and it expires? If they are then I could delay switching certificates until they had all been updated.
Which ICG / UMS / IGEL OS versions are you using? If you are on latest state of mind, you could use a few steps:
1. kb.igel.com/igelicg-2.02/en/exchanging-the-root-certificate-for-icg-37283733.html
2. or use a script to move them igelcommunity.slack.com/archives/C8FC0D6U9/p1614887388118100
ICG: 2.02.100 UMS: 6.06.110 OS: 11.04.240
I followed the article you linked in option 1 but I’m at the stage where it states there are devices without the new necessary certificates. I don’t think they will all check in by the time the current cert expires, so the question is: if I leave it in place, will they still be able to connect to get the new cert?
If you can, I would reboot a test device, it should after reboot hold the new certificate.
Yes I’ve restarted a test device and it’s now ready to switch. What happens to the devices that haven’t done that before we either switch the cert or the current one expires?
Is there no option to get them checked in before the cert expires?
They’re in people’s homes and we’re at the end of our holiday year, so there’s a lot of staff not working at the moment, using up holiday! Most will probably connect by then, but if they don’t then I’d like to avoid having to ask them to come back to the office to have them fixed. So if they can still connect after the cert expires, that might be a better option than switching straight away.
That I can’t answer – but I would assume that they would fail to connect after the cert expires
Sounds reasonable but if I switch before they’ve contacted the ICG then they won’t trust the new certificate (even though it’s issued by a public CA)?
I was under the impression that they would trust it since it’s public and therefore you wouldn’t need to verify the fingerprint – but the KB doesn’t mention this anywhere 😕
That would be great but the interface makes me think otherwise
“devices without the necessary certificates” – maybe that only applies with self-signed ones?
Sorry, my last comment was actually referring to the end-certificate – not the root. If the root is going to expire, what happens is that the new root certificate will be preloaded onto the IGELs after a reboot, if I understand correctly. The new root certificate will then authenticate the end-certificate of the ICG since this is what signed it.
Is your root CA public?
Either way I think you have a problem.
The new cert uses a different Root and it’s all Public (Digicert)
Yes it seems like the same problem either way
Ah ok. I still think you would need to either reboot the devices before the old root expires or re-enroll them manually after renewal
I would deploy the script sent above, just to avoid issues on devices that are not manageable anymore.
@member if he can deploy the script then he can reboot the devices. I think the issue is that end-users are unavailable and the devices are off
Is that right @member?
Yes exactly
But I guess after the cert expires/switches we could get users enrol with the ICG again using a first auth key?
Instead of having to come back to the office
The good news is that if you DO need to re-enroll, the end-user would only need the URL and the one-time password and wouldn’t have to enter the fingerprint
> we could get users enrol with the ICG again using a first auth key?
Yes exactly!
OK great, that’s the solution then – I’ll wait as long as possible for the cert switch over then we’ll just ask affected users to re-enrol
Thread title: ‘Can IGEL OS client still connect if I leave the old expired certificate in place and it expires?’