Hi All,
My ICG is using a wildcard certificate from GlobalSign. Last week, GlobalSign revoked the intermediate certificate to which our wildcard cert belongs. To my amazement, clients remained connected to the ICG, could still receive profile updates etc. and be shadowed. Even after restarting the ICG and UMS servers. I think this is something that needs to be investigated; I think if a cert in the chain is revoked the clients should no longer accept connecting to the ICG.
I had to re-issue the certificate, so I uploaded the new intermediate and new wildcard to the UMS. The root CA is still the same, but I can't seem to update the ICG.
What are my options?
Thanks!
Hi, good point, I don’t think a revoked certificate will impact here. I will discuss that with our Security team.
Assuming you are speaking about actual ICG / UMS / IgelOS:
kb.igel.com/igelicg-2.02/en/exchanging-the-root-certificate-for-icg-37283733.html
Thanks for the link! It looks like the wizard doesn’t support wildcard certificates.
Example:
Cert = *.company.com
ICG = icg.company.com
No selection available. Only when I use a cert that is named icg.company.com can I select it.
There is a big misunderstanding, the fingerprint all the time is based on the root cert, it’s never based on intermediate or entity
If you only add a new intermediate or a new end entity that makes no difference for the ICG connection
You can easily check this:
click on the following button in the UMS
Have a look into the certificate and check the fingerprint:
Compare that fingerprint with the fingerprint on your ICG – and surprise – it’s the same:
@member The problem with the wildcard is, that your whole certificate row needs to accept wildcards, not only the last cert
First of all, thanks for the explanation, but I don’t fully understand. If the root certificate is all that matters for a successful client to ICG connection, what purpose is left for the entity (in our case wildcard) certificate?
the end entity is used so that the server part of the certificate trusts the root CA
so the name of the server e.g. icg.company.com should be used inside the end entity
so for a Wildcard cert you need a SAN certificate instead of CN certificate for “only” a name
www.ssl247.com/kb/ssl-certificates/generalinformation/whatissan
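To make the two points in this thread concrete (the UMS/ICG fingerprint comparison above is taken from the root certificate, so swapping the intermediate and end-entity leaves it unchanged; and a wildcard name only works when it is present as a SAN and only covers one DNS label), here is an added, stand-alone example. It is not IGEL code and does not reflect how UMS or ICG parse certificates internally; the "certificates" are constructed byte strings wrapped in PEM so it runs offline, and the chain is assumed to be ordered leaf, intermediate, root. The host-name matcher follows the RFC 6125 wildcard rule.

```python
"""Added example (not IGEL's code): fingerprint the root of a PEM chain and
match a host name against SAN DNS entries, including wildcards."""
import base64
import hashlib
import re

# --- constructed stand-in "certificates" ---------------------------------
# These payloads are NOT real DER certificates; they are constructed bytes so
# the example runs offline. Only the PEM handling and hashing matter here.
ROOT_DER = b"constructed: root CA, unchanged across re-issue"
OLD_INTERMEDIATE_DER = b"constructed: old intermediate (later revoked)"
OLD_LEAF_DER = b"constructed: old wildcard leaf *.company.com"
NEW_INTERMEDIATE_DER = b"constructed: re-issued intermediate"
NEW_LEAF_DER = b"constructed: re-issued wildcard leaf *.company.com"


def to_pem(der: bytes) -> str:
    """Wrap raw bytes in a PEM CERTIFICATE block (64-char base64 lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(pem_text)]


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form most admin UIs display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def root_fingerprint(chain_pem: str) -> str:
    """Fingerprint of the last certificate in the bundle.

    Assumption: the bundle is ordered leaf -> intermediate(s) -> root, the
    usual order for a server chain file. A pinned root fingerprint stays
    identical when only the intermediate or leaf is replaced.
    """
    ders = split_pem_chain(chain_pem)
    if not ders:
        raise ValueError("no certificates found in chain")
    return fingerprint_sha256(ders[-1])


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style DNS-ID matching against SAN entries.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label: '*.company.com' covers 'icg.company.com' but neither
    'company.com' nor 'a.b.company.com'. Comparison is case-insensitive.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            # refuse wildcards that would cover a whole top-level domain ('*.com')
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


OLD_CHAIN_PEM = to_pem(OLD_LEAF_DER) + to_pem(OLD_INTERMEDIATE_DER) + to_pem(ROOT_DER)
NEW_CHAIN_PEM = to_pem(NEW_LEAF_DER) + to_pem(NEW_INTERMEDIATE_DER) + to_pem(ROOT_DER)


if __name__ == "__main__":
    print("old chain root:", root_fingerprint(OLD_CHAIN_PEM))
    print("new chain root:", root_fingerprint(NEW_CHAIN_PEM))
    print("same root ->", root_fingerprint(OLD_CHAIN_PEM) == root_fingerprint(NEW_CHAIN_PEM))
    # Caveat: an identical root fingerprint says nothing about revocation of
    # the intermediate or leaf; that needs a separate CRL/OCSP check, which a
    # root-pinning comparison alone never performs.
    for host in ("icg.company.com", "company.com", "a.b.company.com"):
        print(host, "->", hostname_matches_san(host, ["*.company.com"]))
```

Running it shows the old and re-issued chains yielding the same root fingerprint, which is why uploading a new intermediate and wildcard leaf alone changes nothing from the ICG's point of view, and shows why a bare `company.com` entry is not covered by `*.company.com`: the ICG host name has to appear as a SAN (directly or via a one-label wildcard) for selection to succeed.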
Thanks for the explanation.