Riverbed SSL Certificate Expiration

Your Steelhead appliance will generate alerts related to an upcoming certificate expiration 60 days before the expiration date. This solution provides more information about the alert and what action you need to take depending on your software version.

Summary
Depending on the version of RiOS, the Steelhead may change its status to "Degraded." This will cause no impact to the optimization service -- the optimization service will continue to function normally.

Version Specific Details

• RiOS 3.0.x and earlier
  The SSL protocol is not supported by RiOS.
  
  Action Required: None

• RiOS 4.0.x and 4.1.0-4.1.2d
  The Steelhead generates an alarm and changes the health status to "Degraded."
  
  Action Required:
  (a) remove the certificates (instructions below) or
  (b) disregard the alarm

• RiOS 4.1.3 - 4.1.5c, and RiOS 5.0.0 - 5.0.2d with SSL optimization enabled
  The Steelhead generates an alarm and changes the health status to "Degraded."
  
  Action Required:
  (a) remove the certificates (instructions below) or
  (b) disable SSL optimization support or
  (c) disregard the alarm.

• RiOS 4.1.3 and later, including 5.0.0 and later with SSL optimization not enabled
  The health status will not change.
  
  Action Required: None.

• RiOS 4.1.6 and later and RiOS 5.0.3 and later with SSL optimization enabled
  The Steelhead health status changes to "Healthy (needs attention)".
  
  Action Required:
  (a) remove the certificates (instructions below) or
  (b) disable SSL optimization support.
  
  Note: Expiring certificates have been removed from recent releases. If the certificate does not exist, no change in health status will occur and no action is required.

How to Remove Expiring or Expired Certificates
From configure terminal mode, use the no protocol ssl ca <certificate> command to remove an expiring certificate. For example, from the CLI, use these commands:

enable
conf t
no protocol ssl ca DST_X2
no protocol ssl ca DST_X1
no protocol ssl ca DST_UPS
no protocol ssl ca DST_NRF
no protocol ssl ca ADMINISTRACION_NACIONAL_DE_CORREOS
...
write mem

From the Web UI:

1. In 5.0 and later, go to Configure > Optimization > General SSL Settings.
   In 4.x, go to Setup > Optimization Service > Protocol SSL > Certificate Authorities.
2. Select the expiring certificates that appear on your appliance:
   
   
   • DST_X2        DST RootCA X2         Nov 27 22:46:16 2008 GMT
   • DST_X1        DST RootCA X1         Nov 28 18:18:55 2008 GMT
   • DST_UPS       DST (UPS) RootCA      Dec  7 00:25:46 2008 GMT
   • DST_NRF       DST (NRF) RootCA      Dec  8 16:14:16 2008 GMT
   • ADMINISTRACION_NACIONAL_DE_CORREOS  SERVICIOS DE CERTIFICACION - A.N.C.    Mar 9 21:08:00 2009 GMT
   • ...
3. Click Remove Selected.
4. Save the configuration.

What Certificates Are Expiring and What Releases No Longer Include Them
This section lists certificates that have expired (or will expire soon) and identifies the earliest RiOS versions that did not include them.

• Certificates Removed Starting in 4.1.7 and 5.0.4
  
  • DST_X2
  • DST_X1
  • DST_UPS
  • DST_NRF
  For these certificates, there is nothing to renew. The expiring certificates have no replacements that need to be installed. 

• Certificates Removed Starting in 4.1.7 and 5.0.5
  
  • ADMINISTRACION_NACIONAL_DE_CORREOS
  See http://www.correo.com.uy/index.asp?pagVal=211 for information about a replacement, if needed.
  
• Certificates expiring late spring/early summer 2009:
  
  • Asociacion_Nacional_del_Notariado_Mexicano
  • DST_Baltimore_EZ_by_DST
  • Colegio_Nacional_de_Correduria_Publica_Mexican
  • Xcert_EZ_by_DST
  • ABA.ECOM

• Certificates expiring October 2009:


• CW_HKT_SecureNet_Class_A       
• CW_HKT_SecureNet_Class_B       
• CW_HKT_SecureNet_SGC       
• SecureNet_Class_A       
• SecureNet_Class_B       
• SecureNet_SGC   

For More InformationSSL Certificate Authority (CA) and Certificate FAQ

Fuente: https://support.riverbed.com/announcement.htm?id=501700000009ra3
J.D.