All Blue Coat appliances manufactured after July 2006 have an appliance certificate, although there have been some issues reported with appliance certificates. You can use the instructions discussed in this article to verify whether or not your Director appliance has an appliance certificate and, if not, to obtain one.
NOTE: In some cases, renewing the appliance certificate can fix issues with accessing the Director Management Console.
Director must have an appliance certificate to:
- Register ProxySG appliances with Director
- Enable you to log in to the Director Management Console available with SGME 5.4.2 and later
The PDF document attached to this article provides details about getting an appliance certificate for Director. The essential tasks follow:
NOTE: You will need to be connected, via SSH, to the Director Command Line Interface (CLI). In the CLI, enter the following commands:
director > enable
director # config t
Determine if your appliance has a certificate
- In the CLI, enter the following command:
- director (config) # show ssl appliance-certificate
- If the CLI displays the certificate, Director has an appliance certificate and you do not have to perform further steps.
If the CLI displays the following error message, you require an appliance certificate:
appliance-certificate does not exist. Please request/import one first
Retrieve an appliance certificate
- Determine whether or not Director can connect to the Internet. In the CLI, you can use the ping or traceroute command to ping known IP addresses or DNS names. If your appliance has an IP address, you may only need to add a DNS server. If this is the case, enter config mode and run the ip name-server <ip address> command. Otherwise, ask your network administrator why you cannot access the Internet, or proceed to the next step.
- Perform one of the following sets of tasks, depending on these results:
- If Director can access the Internet, use the following command to get an appliance certificate:
director (config) # ssl request-appliance-certificate
The following messages confirm the appliance certificate imported successfully:
Certificate verified successfully
- If Director cannot access the Internet, perform all of the following tasks in the specified order. For more details, see the PDF document attached to this article.
- Create a Certificate Signing Request (CSR):
director (config) # show ssl appliance-certificate-request
- Copy the CSR into a text editor.
- Open a browser and go to the Blue Coat CA Server Web site at https://abrca.bluecoat.com/sign-manual/index.html.
- Paste the CSR and signature into the form.
- Import the certificate into Director:
director (config) # ssl input appliance-certificate
Enter your certificate now.
Press Ctrl-D when finished, or Ctrl-C to abort.
- Display Director's appliance certificate:
director (config) # show ssl appliance-certificate
Troubleshoot the birth certificate
To check the status of the HTTPD daemon, follow these steps.
- Open an SSH session to the Director box and enter enable mode:
- director > enable
- director #
- Enter config mode:
- director # config t
- director (config) #
- Enter shell mode:
- Check whether httpd is running by using the Linux command:
- sh-3.2# ps -aef | grep httpd
- If it is not running, check its error log in /var/log. Use the Linux commands cd and cat as follows:
- sh-3.2# cd /var/log
- sh-3.2# cat http_ssl_error_log
The following example output indicates that the birth certificate is faulty:
[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
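As an added illustration (not part of this article or of Blue Coat's tooling), the following Python script parses httpd SSL error log lines in the format shown above and applies the article's diagnosis: a pass-phrase failure together with ASN.1 decoding errors while loading the private key indicates a faulty birth certificate. The sample log is constructed from the lines above.

```python
import re

# Constructed sample, copied from the faulty-birth-certificate log excerpt in this article
SAMPLE_LOG = """\
[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
"""

# httpd error-log line: [timestamp] [level] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# OpenSSL error string embedded in the message: error:<hex code>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)")


def parse_ssl_error_log(text):
    """Return one dict per log line; OpenSSL errors get their code/lib/func/reason decoded."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in httpd error-log format
        entry = {"ts": m["ts"], "level": m["level"], "msg": m["msg"]}
        o = OSSL_RE.search(m["msg"])
        if o:
            entry.update(code=o["code"].upper(), lib=o["lib"], func=o["func"], reason=o["reason"])
        entries.append(entry)
    return entries


def birth_certificate_faulty(entries):
    """Article's rule: 'Pass phrase incorrect' plus ASN.1 decode errors from d2i_PrivateKey
    means httpd could not load the appliance (birth) certificate's key material."""
    passphrase = any(e["msg"].startswith("Init: Pass phrase incorrect") for e in entries)
    asn1_errors = [e for e in entries if e.get("lib") == "asn1 encoding routines"]
    key_load_failed = any(e.get("func") == "d2i_PrivateKey" for e in asn1_errors)
    return passphrase and key_load_failed


if __name__ == "__main__":
    parsed = parse_ssl_error_log(SAMPLE_LOG)
    for e in parsed:
        print(e["ts"], e["level"], e.get("func", "-"), e.get("reason", e["msg"]))
    print("faulty birth certificate:", birth_certificate_faulty(parsed))
```

Feed it the contents of /var/log/http_ssl_error_log from the shell step above to get the same verdict without reading the log by hand.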
If the birth certificate is faulty, use the following commands to resolve the issue:
- In shell mode, remove the file /etc/httpd/conf/ssl.csr/birth.csr. Use the Linux command rm as follows:
- sh-3.2# rm /etc/httpd/conf/ssl.csr/birth.csr
- Exit shell mode by typing exit.
- Enter config mode.
- Execute the command:
- director (config) # show ssl appliance-certificate-request
- This displays the Birth Certificate Signing Request (birth.csr). If it displays your certificate request, the appliance's EEPROM is valid and you can request another birth certificate.
- If the output is empty or corrupt, you must request a new appliance from Blue Coat. See https://www.bluecoat.com/support/support-policies/rma-info for information.
- Follow the next steps if you see output on the screen.
- If your Director appliance has access to the internet, execute the following command:
- director (config) # ssl request-appliance-certificate
- For more details on this command, or if your Director appliance does not have internet access, see the steps in the previous section Retrieve an appliance certificate.
- Blue Coat ships its own certificate with each Director appliance. You cannot generate your own SSL certificates for use on the Director appliance.
- For details on another problem where the SSL certificate does not verify, see 0000085035.
- For details on other files that may be helpful in solving Director issues, see 000011526.
- For details on other CLI commands you can use to troubleshoot Director, see KB4178.