Automatic certificate updates

The information in the CA tree is automatically updated on a regular basis, as well as each time Content Gateway is restarted. Updating the CA tree avoids the risk of relying on a root CA that has expired, is no longer a root CA, or whose certificate revocation list URL has changed.

The update process inserts new trusted CAs and updates existing CAs that have updated certificate revocation lists, and at the same time removes expired CAs, any CA that is no longer a root CA, and non-trusted CAs.

Note: The update process maintains only Public certificates. Customers are responsible for maintaining Private certificates.

Enabled by default, the feature can be disabled by editing records.config and setting this line:

CONFIG proxy.config.ssl.catree_update INT 0

Restart Content Gateway after making this change. Reset the value to 1 to re-enable the updates.
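As an added example (not part of the Content Gateway documentation or product), the following POSIX shell functions read and set the proxy.config.ssl.catree_update variable in a records.config file, rejecting any value other than 0 or 1 and keeping a backup of the file before changing it. The file path, the helper names and the sample records.config contents are assumptions made for this example; the script does not restart Content Gateway, which still has to be done separately as described above.

```shell
#!/bin/sh
# Added example: toggle proxy.config.ssl.catree_update in records.config.
# Assumed: records.config uses "CONFIG <name> <TYPE> <value>" lines as shown
# on the page. The file path is supplied by the caller.

# Build a constructed sample records.config so the example runs offline.
make_sample_records_config() {
    cat > "$1" <<'EOF'
CONFIG proxy.config.ssl.catree_update INT 1
CONFIG proxy.config.example.other_setting INT 5
EOF
}

# Print the current catree_update value (empty output if the line is absent).
get_catree_update() {
    awk '$1 == "CONFIG" && $2 == "proxy.config.ssl.catree_update" { print $4 }' "$1"
}

# Set catree_update to 0 (disable) or 1 (enable). Any other value is refused.
# A copy of the original file is kept as <file>.bak, and the new value is
# read back to confirm the edit actually took effect.
set_catree_update() {
    file=$1
    value=$2
    case "$value" in
        0|1) ;;
        *) echo "catree_update must be 0 or 1, got '$value'" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak"
    if grep -q '^CONFIG proxy\.config\.ssl\.catree_update ' "$file"; then
        # Replace the existing line in place (-i.tmp works with GNU and BSD sed).
        sed -i.tmp "s/^CONFIG proxy\.config\.ssl\.catree_update INT [0-9]*/CONFIG proxy.config.ssl.catree_update INT $value/" "$file"
        rm -f "$file.tmp"
    else
        # No line yet: append one (the variable defaults to enabled when absent).
        printf 'CONFIG proxy.config.ssl.catree_update INT %s\n' "$value" >> "$file"
    fi
    [ "$(get_catree_update "$file")" = "$value" ]
}

# Stand-alone demonstration on a temporary constructed file.
demo_file=$(mktemp)
make_sample_records_config "$demo_file"
echo "before: catree_update=$(get_catree_update "$demo_file")"
set_catree_update "$demo_file" 0
echo "after:  catree_update=$(get_catree_update "$demo_file")"
echo "Remember to restart Content Gateway for the change to take effect."
rm -f "$demo_file" "$demo_file.bak"
```

Running the script prints the value before and after the change; to re-enable automatic updates, call set_catree_update with 1 and restart Content Gateway again.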

To avoid file corruption, checks are in place to confirm the availability and health of each new update. Update attempts that fail generate an informational alarm. The existing set of certificates continues to be used until the next successful download.

This feature:

  • Requires SSL decryption to be enabled.
  • Does not check existing certificate revocation lists during the update process.
  • Does not re-add CAs explicitly removed by a customer.
  • When an update is in progress, displays a warning on the Configure > SSL > Certificates pages that any changes made while the update is running are lost. The same message appears when a backup or restore is attempted.