Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM

When you install a new SSL certificate on KeyControl Vault, KeyControl Vault automatically updates the associated CA certificate on all registered VMs. If a Linux root-drive-encrypted VM was inaccessible during this process, that VM may not be able to boot because the CA certificate the VM is using can no longer verify the KeyControl Vault SSL certificate. This means that the VM cannot retrieve the proper keys from KeyControl Vault because it cannot verify the communication coming from KeyControl Vault.

To fix this issue you need to manually update the CA certificate on the VM so that it can verify the SSL certificate KeyControl Vault is currently using. This allows the VM to verify KeyControl Vault's identity and to retrieve the appropriate keys.

Important: Manually updating the certificate requires SSH access to the VM. If you did not enable the Entrust Debug Console when you ran the htroot encrypt command on the root drive, you need to contact Entrust Support at hytrust.support@entrust.com.

The following procedure is for Linux VMs with an encrypted root drive. For other types of VMs, see Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM or Manually Updating the CA Certificate on a Data Encrypted VM.

Procedure

  1. If you need a copy of the CA certificate that can verify the SSL certificate that KeyControl Vault is currently using:

    1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
    2. In the top menu bar, click Cloud.
    3. Select Actions > Download CA Certificate.

      KeyControl Vault downloads a pem file to your browser's default download location. The filename starts with a datetime stamp followed by _cacert.pem. For example, 180412071755_cacert.pem.

    Note: If you are using an externally signed SSL certificate for KeyControl Vault, make sure that you use the CA certificate you download from KeyControl Vault on all registered VMs. Do not use the CA certificate that you received from the external certificate authority.

  2. Download the Bootloader SSH key for the VM so that you can open an SSH session and copy the new certificate file to the Bootloader:

    1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
    2. Navigate to the Cloud > VMs tab and select the VM whose CA certificate you want to update.
    3. Select Actions > Download Bootloader SSH Key. KeyControl Vault downloads the SSH key to a file called server-name.key in your browser's default download location. For example, if the server name is rhelsvr74, the SSH key file would be called rhelsvr74.key.

  3. Open an SSH session and access the Entrust Debug Console on the root drive encrypted VM by entering the command ssh -i server-name.key root@vm_name, where server-name.key is the name of the SSH key file and vm_name is the IP address or hostname of the VM. For example:

    # ssh -i ~/Downloads/rhelsvr74.key root@192.168.140.133
    Warning: Permanently added '192.168.140.133' (RSA) to the list of known hosts.
    BusyBox v1.20.2 (Ubuntu 1:1.20.0-8.1ubuntu1) built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
    HyTrust Debug Console
    
    1. Show HT encryption log file
    2. Authenticate
    3. Show Network info
    4. Restart Network
    5. Advanced access
    6. logout
    
    Action:

  4. Select Advanced access. The Entrust DataControl Policy Agent displays a secure shell prompt (sh). For example:

    Action: 5
    sh-10.1#

  5. Open a second SSH session and copy the CA certificate file to the VM by entering the command scp -i server-name.key cacert.pem root@vm_name:cacert.pem, where server-name.key is the name of the SSH key file, cacert.pem is the fully qualified path to the pem file, and vm_name is the IP address or hostname of the VM. For example:

    $ scp -i ~/Downloads/rhelsvr74.key ~/Downloads/180412071755_cacert.pem root@192.168.140.133:180412071755_cacert.pem

  6. Return to the Entrust Debug Console on the encrypted VM and update the certificate by entering the command hcl update_ca -f cacert.pem, where cacert.pem is the fully qualified path to the pem file. For example:

    sh-10.1# hcl update_ca -f ./180412071755_cacert.pem
    
    Updating using cert file at: ./180412071755_cacert.pem
    Updated CA certificate
    
  7. Enter the command hcl heartbeat to prompt the VM to contact KeyControl Vault. This updates the status information for the VM.
  8. Enter the command hcl status to confirm that the last heartbeat between the VM and KeyControl Vault was successful. For example:

    sh-10.1# hcl heartbeat
    sh-10.1# hcl status
    
    Summary
    --------------------------------------------------------------------------------
    KeyControl: 10.238.65.65:443
    KeyControl list: 10.238.65.65:443 10.238.65.66:443
    KeyControl Mapping: kc41-nodes
    Status: Reauth needed (Virtual Machine not authenticated)
    Last heartbeat: Tue Oct 24 22:19:32 2017 (failed)
    AES_NI: enabled
    Certificate Expiration: Sep 11 22:16:13 2020 GMT

  9. If the hcl status command says that the VM needs to be re-authenticated, enter the command hcl auth -a [-u user [-s password]], where:

    • -u is a KeyControl Vault user account name with Cloud Admin privileges.
    • -p is the password for the Cloud Admin account.

    If you do not provide a user name and password, you will be prompted for them. For example:

    sh-10.1# hcl auth -a
    Please provide the KeyControl login details
    username: secroot
    password: 
    Completing authentication on KeyControl node
    
    Authentication complete, machine ready to use

  10. Enter the command hcl heartbeat to prompt the VM to contact KeyControl Vault. This updates the status information for the VM.
  11. If the heartbeat is successful, enter the command exit to leave the secure shell and select logout from the Entrust Debug Console main menu. The VM should automatically continue booting from the encrypted root drive.
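The VM cannot boot precisely because its CA certificate no longer verifies the SSL certificate KeyControl Vault presents, so it is worth confirming, before step 5 copies a file onto an unbootable VM, that the downloaded _cacert.pem really is a trust anchor for the chain served on port 443 (this also catches the externally-signed case in the step 1 note, where the wrong CA file was picked up). The script below is an added example and is not part of the Entrust documentation or the hcl tooling; it assumes openssl is installed on the workstation and that the KeyControl Vault address is given as host:port.

```shell
#!/bin/sh
# Added example (not Entrust's code): check that a downloaded *_cacert.pem
# actually validates the certificate chain KeyControl Vault serves on :443,
# before the file is copied to the bootloader with scp / hcl update_ca.
set -u

# fetch_chain HOST:PORT OUTFILE
# Saves the PEM chain presented by the server (leaf first) into OUTFILE.
fetch_chain() {
    host_port="$1"; out="$2"
    # -showcerts prints every certificate the server sends; keep only PEM blocks.
    openssl s_client -connect "$host_port" -servername "${host_port%%:*}" \
        -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$out"
    [ -s "$out" ]
}

# ca_verifies_chain CAFILE CHAINFILE
# Returns 0 when CAFILE is a trust anchor for the first (leaf) certificate in
# CHAINFILE; any intermediates in CHAINFILE are supplied as untrusted helpers.
ca_verifies_chain() {
    ca="$1"; chain="$2"
    openssl verify -CAfile "$ca" -untrusted "$chain" "$chain" >/dev/null 2>&1
}

# explain_mismatch CAFILE CHAINFILE
# Prints the leaf's issuer next to the CA file's subject so a wrong CA file
# (for example the external CA's own certificate) is obvious.
explain_mismatch() {
    echo "leaf issuer : $(openssl x509 -in "$2" -noout -issuer)"
    echo "CA subject  : $(openssl x509 -in "$1" -noout -subject)"
}

# Usage: check_kc_ca.sh 180412071755_cacert.pem 10.238.65.65:443
if [ "$#" -eq 2 ]; then
    chain=$(mktemp)
    if ! fetch_chain "$2" "$chain"; then
        echo "no certificate received from $2" >&2; rm -f "$chain"; exit 2
    fi
    if ca_verifies_chain "$1" "$chain"; then
        echo "OK: $1 verifies the certificate served by $2"
    else
        echo "FAIL: $1 does not verify the certificate served by $2" >&2
        explain_mismatch "$1" "$chain"
        rm -f "$chain"; exit 1
    fi
    rm -f "$chain"
fi
```

Run it with the downloaded CA file and the address shown in the KeyControl line of hcl status; only copy the file to the VM when it reports OK.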