All Blue Coat appliances manufactured after July 2006 have an appliance certificate, although there have been some issues reported with appliance certificates. You can use the instructions discussed in this article to verify whether or not your Director appliance has an appliance certificate and, if not, to obtain one.
NOTE: In some cases, renewing the appliance certificate resolves the symptom of no longer being able to access the user interface.
Director must have an appliance certificate to:
- Register ProxySG appliances with Director
- Enable you to log in to the Director Management Console available with SGME 5.4.2 and later
The Acrobat PDF document attached to this article provides details about getting an appliance certificate for Director. The essential tasks follow:
NOTE: You must be connected via SSH to the Director command line interface (CLI). Once connected, enter configuration mode with the following commands:
- director > enable
- director # config t
Determining if your appliance has a certificate:
- To determine whether Director already has an appliance certificate, use the following command:
- director (config) # show ssl appliance-certificate
- If a certificate is displayed, your Director already has an appliance certificate and there is no need to continue with this article.
If the following error displays, you must get an appliance certificate for Director:
appliance-certificate does not exist. Please request/import one first.
Procuring an appliance certificate:
1: Can your appliance connect to the internet?
- To get an appliance certificate for Director, first determine whether or not Director can connect to the Internet.
- While in the CLI, you can use the ping or traceroute commands against a known IP address or DNS name.
- If your appliance already has an IP address, you may only need to add a DNS server; in that case, run the "ip nameserver <ip address>" command in config mode. Otherwise, ask your network administrator why the appliance cannot reach the Internet, or follow the offline procedure in step 2 below.
2: Perform one of the following sets of tasks, depending on these results:
- If Director can access the Internet, use the following command to get an appliance certificate:
director (config) # ssl request-appliance-certificate
The following message confirms that the appliance certificate was imported successfully:
Certificate verified successfully
- If Director cannot access the Internet, perform all of the following tasks in the order shown. For more details, see the Acrobat PDF document attached to this article.
- Create a Certificate Signing Request (CSR):
director (config) # show ssl appliance-certificate-request
- Copy the CSR into a text editor.
- Open a browser and go to the Blue Coat CA Server Web site at http://abrca.bluecoat.com/sign-manual
- Paste the CSR and signature into the form.
- Import the certificate into Director:
director (config) # ssl input appliance-certificate
Enter your certificate now.
Press Ctrl-D when finished, or Ctrl-C to abort.
- Use the following command to display Director's appliance certificate:
director (config) # show ssl appliance-certificate
3: Troubleshooting your birth certificate:
To check the status of the HTTPD daemon, follow these steps.
- Open an SSH session to the Director appliance.
- Enter enable mode:
- director > enable
- director #
- Enter configuration mode:
- director # config t
- director (config) #
- Enter Director's shell mode, which drops you into the underlying Linux shell:
- director # shell
- Check whether httpd is running with the Linux command "ps -aef | grep httpd".
- If it is not running, check its error log in /var/log:
- sh-2.05b# cd /var/log
- sh-2.05b# cat http_ssl_error_log
- TIP: The steps above use the Linux commands "cd" and "cat" to do this.
Output like the following in this file indicates that the birth certificate is faulty:
[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
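The following POSIX shell script is an added example, not part of the original article or of Blue Coat's tooling. It scans the contents of http_ssl_error_log for the failure signature quoted above (the "Pass phrase incorrect" init failure together with an ASN.1 decode error while loading the private key) and lists the distinct OpenSSL error codes it finds, so the verdict "birth certificate is faulty" can be reached consistently instead of by eyeballing the log. The sample log text is constructed here, modelled on the lines the article quotes; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Blue Coat article): classify a Director
# http_ssl_error_log by the birth-certificate failure signature.

# Constructed sample, modelled on the article's quoted output.
SAMPLE_BAD_LOG='[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib'

# Constructed sample of a healthy httpd start (no certificate problem).
SAMPLE_OK_LOG='[Fri Mar 25 17:40:00 2011] [notice] Apache configured -- resuming normal operations'

# ssl_error_codes LOG_TEXT
#   Print the distinct OpenSSL error codes (error:XXXXXXXX) seen in the log,
#   space separated and sorted, so they can be compared against known cases.
ssl_error_codes() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\(error:[0-9A-Fa-f]\{8\}\).*/\1/p' \
        | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# birth_cert_faulty LOG_TEXT
#   Exit 0 when both parts of the signature are present: httpd could not
#   unlock the key material ("Pass phrase incorrect") and OpenSSL failed to
#   decode the private key (d2i_PrivateKey). Exit 1 otherwise.
birth_cert_faulty() {
    printf '%s\n' "$1" | grep -q 'Init: Pass phrase incorrect' || return 1
    printf '%s\n' "$1" | grep -q 'd2i_PrivateKey' || return 1
    return 0
}

# report LABEL LOG_TEXT: human-readable verdict for one log.
report() {
    if birth_cert_faulty "$2"; then
        echo "$1: FAULTY birth certificate/key (codes: $(ssl_error_codes "$2"))"
    else
        echo "$1: no birth-certificate failure signature found"
    fi
}

report "sample (bad)" "$SAMPLE_BAD_LOG"
report "sample (ok)" "$SAMPLE_OK_LOG"
```

On a Director, the same functions can be run from shell mode with `report director "$(cat /var/log/http_ssl_error_log)"`; the script is plain POSIX sh, so it also runs on a workstation after copying the log off the appliance. A FAULTY verdict is the condition under which the article's next steps (removing birth.csr and re-requesting the certificate) apply.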
To fix your appliance's birth certificate (certificate signing request), follow these steps:
- While in shell mode, remove the file "/etc/httpd/conf/ssl.csr/birth.csr" using the Linux "rm" command.
- Exit shell mode by typing exit.
- Enter config mode by typing 'config t'.
- Execute the command "show ssl appliance-certificate-request".
- TIP: This displays the birth certificate signing request (birth.csr). If the request is displayed, the appliance's EEPROM is valid and you only need to request another birth certificate.
- If the output is empty or corrupt, you need to request a replacement appliance from Blue Coat through the RMA process.
- Follow the next steps if you see output on the screen.
- If your Director appliance has Internet access, execute this command in config mode:
- director (config) # ssl request-appliance-certificate
- TIP: For more details on this command, or if your Director appliance does not have Internet access, see step 2 in the section "Procuring an appliance certificate" above.
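The step above asks you to decide whether the output of "show ssl appliance-certificate-request" is empty or corrupt before either pasting it into the signing form or opening an RMA. The POSIX shell script below is an added example, not part of the article or of Blue Coat's software, that makes that decision mechanically: it checks the PEM framing of a PKCS#10 request and that the body contains only base64 characters, which catches the usual capture damage (missing header or footer, stray prompt text, truncated lines). It does not parse the DER structure inside; for that, a workstation with OpenSSL can run `openssl req -noout -verify -in birth.csr` on the saved text. The sample requests are constructed placeholders whose base64 lines are not a real CSR, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not from the Blue Coat article): sanity-check captured CSR
# text before deciding between "paste into the signing form" and "RMA".

# Constructed placeholder: framing is correct, body is base64-looking filler,
# NOT a real certificate request.
SAMPLE_CSR_OK='-----BEGIN CERTIFICATE REQUEST-----
MIICWjCCAUICAQAwFTETMBEGA1UEAwwKZGlyZWN0b3IwMTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMOCKFvhQ9Y2sRxlX9B3lvQxZ4xBmQxSm0OvYqFE
QZbWjVjwzKg6J5dXwfFkn5s7A2v2b9yqL5K1Hkz7gT0v8yWQ3jE8m5yQ1u9N0F6q
-----END CERTIFICATE REQUEST-----'

# Constructed placeholder of a damaged capture: a terminal artifact landed
# in the middle of the body.
SAMPLE_CSR_CORRUPT='-----BEGIN CERTIFICATE REQUEST-----
MIICWjCCAUICAQAwFTETMBEGA1UEAwwKZGlyZWN0b3IwMTCCASIwDQYJKoZIhvcN
<paste error> director (config) #
QZbWjVjwzKg6J5dXwfFkn5s7A2v2b9yqL5K1Hkz7gT0v8yWQ3jE8m5yQ1u9N0F6q
-----END CERTIFICATE REQUEST-----'

# csr_status CSR_TEXT
#   Exit 0 = well-formed PEM request, 1 = corrupt, 2 = empty.
csr_status() {
    # Drop CR characters and blank lines that terminal capture often adds.
    csr=$(printf '%s\n' "$1" | tr -d '\r' | grep -v '^[[:space:]]*$') || true
    [ -n "$csr" ] || return 2
    first=$(printf '%s\n' "$csr" | sed -n '1p')
    last=$(printf '%s\n' "$csr" | sed -n '$p')
    # Both PEM labels used for PKCS#10 requests are accepted.
    case $first in
        '-----BEGIN CERTIFICATE REQUEST-----'|'-----BEGIN NEW CERTIFICATE REQUEST-----') ;;
        *) return 1 ;;
    esac
    case $last in
        '-----END CERTIFICATE REQUEST-----'|'-----END NEW CERTIFICATE REQUEST-----') ;;
        *) return 1 ;;
    esac
    body=$(printf '%s\n' "$csr" | sed '1d;$d')
    [ -n "$body" ] || return 1
    # Any character outside the base64 alphabet means the capture is damaged.
    if printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        return 1
    fi
    return 0
}

# describe LABEL CSR_TEXT: print the verdict in the article's terms.
describe() {
    rc=0
    csr_status "$2" || rc=$?
    case $rc in
        0) echo "$1: well-formed request, ready to paste into the signing form" ;;
        1) echo "$1: corrupt request, re-run the command or consider RMA" ;;
        2) echo "$1: empty output, consider RMA" ;;
    esac
}

describe "sample (ok)" "$SAMPLE_CSR_OK"
describe "sample (corrupt)" "$SAMPLE_CSR_CORRUPT"
describe "sample (empty)" ""
```

To use it on a real capture, save the command output to a file and call `describe birth "$(cat birth.csr)"`. A "corrupt" result from a fresh capture is worth repeating once with a clean terminal before concluding that the EEPROM itself is bad.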
NOTE1: Blue Coat ships each Director appliance with its own certificate. Blue Coat does not allow you to generate your own SSL certificate and use it on the Director appliance.
NOTE2: For details on another problem where the SSL certificate would not verify, see KB41725.
NOTE3: For details on other files that may be helpful in solving Director issues, see KB4143.
NOTE4: For details on other command line commands you can use to troubleshoot Director, see KB4178.