Auto update certificate

SR OS supports automatic updating of an imported end-entity certificate by using an online enrollment protocol with CA. The following enrollment protocols are supported:

  • CMPv2 (RFC 4210)

  • EST (RFC 7030)

For each certificate that needs an automatic update, a certificate-auto-update command entry must be configured as well as the corresponding certificate-update-profile command. The certificate-update-profile command specifies the update behavior such as the enrollment protocol to use, the schedule type, and so on.

The following events may trigger an update:

  • When the current time passes a user-specified deadline. The deadline is configured as one of the following schedule types in certificate-update-profile:
    • before-expiry configures the time before the certificate expiration time

    • after-issue configures the time after the certificate issue time

  • When a certificate-auto-update entry is configured and an update is already due.

    If the certificate has already expired:
    • for CMPv2, the update fails because CMPv2 does not allow using an expired certificate

    • for EST, the update completes if a different certificate is used for TLS authentication

  • Manually, by using one of the following commands.

    • MD-CLI
      admin system security pki update-certificate

    • classic CLI
      admin certificate update-cert

Note: This feature uses UTC time, not local time.
The workflow of a certificate update is as follows:
  1. A new key is generated.

    • If the following command is configured in the certificate-update-profile, the system generates a new key with the same type and the same length as the existing key.

      • MD-CLI
        certificate-update-profile same-as-existing-key

      • classic CLI
        key-generation same-as-existing-key

    • Otherwise, a new key is generated according to the key generation configuration.
  2. The system uses the corresponding operation of the enrollment protocol specified in the certificate-update-profile configuration to obtain a new certificate from the CA.
    • For CMPv2, the key-update operation is used.

    • For EST, the renew (or /simplereenroll) operation is used.

  3. After the new certificate has been obtained from the CA (step 2), the system imports it and replaces the existing key and certificate files under the same filenames. The existing key and certificate files are renamed by adding a “.previous” suffix; any existing “xxx.previous” files are removed first. If either of these operations fails, the existing key and certificate are not affected.

  4. The application that uses the certificate (for example, IPsec) reloads the key and certificate so that the new key and certificate are used.

  5. If step 1, step 2, or step 3 fails, the system waits for the retry interval specified in the certificate-update-profile and retries from step 1. If step 4 fails, the system skips steps 1 through 3, waits for the retry interval, and retries from step 4.
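The schedule types, the “.previous” file rotation of step 3 and the retry rule of step 5, as an added Python model that is not SR OS code: the certificate validity dates, file names and file contents are constructed, and the CA enrollment exchange itself (CMPv2 key-update or EST reenroll) is not modelled.

```python
# Added example, not SR OS code: file names, key/cert bytes and dates are constructed.
import os
import tempfile
from datetime import datetime, timedelta, timezone

def update_deadline(not_before, not_after, schedule_type, delta):
    """Return the UTC instant at which an auto-update becomes due."""
    if schedule_type == "before-expiry":
        return not_after - delta      # time before the certificate expiration time
    if schedule_type == "after-issue":
        return not_before + delta     # time after the certificate issue time
    raise ValueError(f"unknown schedule type: {schedule_type}")

def update_due(now, deadline):
    """Deadlines are compared in UTC, not local time."""
    return now.astimezone(timezone.utc) >= deadline

def next_retry_step(failed_step):
    """Step 5 rule: a failure in steps 1-3 restarts at step 1; a step 4 failure retries step 4."""
    return 1 if failed_step <= 3 else 4

def replace_files(paths, new_contents):
    """Step 3: stage new key/cert, then rotate current -> .previous and staged -> current."""
    for path, data in zip(paths, new_contents):
        with open(path + ".staged", "wb") as f:   # a staging failure leaves live files untouched
            f.write(data)
    for path in paths:
        previous = path + ".previous"
        if os.path.exists(previous):
            os.remove(previous)           # any existing xxx.previous is removed
        if os.path.exists(path):
            os.replace(path, previous)    # current file gets the .previous suffix
        os.replace(path + ".staged", path)

def demo_schedule():
    """Constructed validity: issued 2024-01-01, expires 2025-01-01, checked on 2024-06-01."""
    nb, na = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2025, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    exp_dl = update_deadline(nb, na, "before-expiry", timedelta(days=30))
    iss_dl = update_deadline(nb, na, "after-issue", timedelta(days=90))
    return exp_dl.isoformat(), iss_dl.isoformat(), update_due(now, exp_dl), update_due(now, iss_dl)

def demo_rotation():
    """Two consecutive updates in a scratch directory; return current and .previous contents."""
    with tempfile.TemporaryDirectory() as d:
        key, cert = os.path.join(d, "r1.key"), os.path.join(d, "r1.crt")
        replace_files([key, cert], [b"key-v1", b"cert-v1"])
        replace_files([key, cert], [b"key-v2", b"cert-v2"])
        read = lambda p: open(p, "rb").read()
        return read(key), read(cert), read(key + ".previous"), read(cert + ".previous")
```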