Troubleshooting Certificate Issues

When you install a new, externally signed SSL certificate on Cryptographic Security Platform Vault, it automatically updates the CA certificate on all registered VMs at their next heartbeat.

If any of the VMs are unreachable for 4 consecutive heartbeats, Cryptographic Security Platform Vault considers the update request to have timed out for those VMs. It sends one alert for each inaccessible VM to the Cloud Admins associated with that VM and then continues with the SSL certificate installation process.

The next time one of the inaccessible VMs boots, it may be unable to retrieve the proper keys from Cryptographic Security Platform Vault because the old CA certificate the VM is using cannot verify the new Cryptographic Security Platform Vault SSL certificate. The VM will then reject any communication from Cryptographic Security Platform Vault until it has the correct CA certificate installed and can once again verify Cryptographic Security Platform Vault's identity.

If there are encrypted data drives on the VM, Cryptographic Security Platform Vault will not attach those drives when the VM reboots. If the boot partition on the VM is encrypted, the VM will fail to boot. At this point you need to manually update the CA certificate on the VM to restore communication between the VM and Cryptographic Security Platform Vault.
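The verification failure described above can be reproduced and checked with plain `openssl`. The following is an added example, not part of the product or its documentation: it builds a constructed "old" CA, a "new" CA, and a server certificate signed by the new CA, then shows that only the new CA verifies it. All file names, CA names, and the host name `vault.example.test` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: every name and path here is constructed test material,
# not a product path.

# ca_verifies CA_FILE CERT_FILE
# Exit status 0 if CERT_FILE chains to the CA in CA_FILE, non-zero otherwise.
ca_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: create a throwaway self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME: issue a server certificate from that CA.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vault.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}

# demo: the server certificate is signed by new-ca, so a VM still holding
# old-ca cannot verify it, while a VM with new-ca can.
demo() {
    dir=$(mktemp -d) || return 2
    make_ca "$dir" old-ca
    make_ca "$dir" new-ca
    make_server_cert "$dir" new-ca
    if ca_verifies "$dir/old-ca.pem" "$dir/server.pem"; then
        old=ok
    else
        old=fail
    fi
    if ca_verifies "$dir/new-ca.pem" "$dir/server.pem"; then
        new=ok
    else
        new=fail
    fi
    rm -rf "$dir"
    echo "old-ca:$old new-ca:$new"
}
```

On an affected VM, the same `ca_verifies` check can be pointed at the CA file the VM currently uses and a copy of the server's new certificate; where those files live depends on the deployment.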

For more information, see: